-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Fuse 6.3 security update Advisory ID: RHSA-2016:2035-01 Product: Red Hat JBoss Fuse Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-2035.html Issue date: 2016-10-06 CVE Names: CVE-2015-3192 CVE-2015-5344 CVE-2015-5348 CVE-2015-7940 CVE-2016-2141 CVE-2016-2510 CVE-2016-4437 ===================================================================== 1. Summary: Red Hat JBoss Fuse 6.3, which fixes multiple security issues and includes several bug fixes and enhancements, is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss Fuse 6.3 is a minor product release that updates Red Hat JBoss Fuse 6.2.1, and includes several bug fixes and enhancements. Refer to the Release Notes document, available from the Product Documentation link in the References section, for a list of these changes. Security Fix(es): It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks. (CVE-2016-2141) A deserialization flaw allowing remote code execution was found in the BeanShell library. If BeanShell was on the classpath, it could permit code execution if another part of the application deserialized objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the BeanShell library. (CVE-2016-2510) It was found that Apache Shiro uses a default cipher key for its "remember me" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content. (CVE-2016-4437) A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed. (CVE-2015-3192) It was found that Apache Camel's camel-xstream component was vulnerable to Java object deserialization. This vulnerability permits deserialization of data which could lead to information disclosure, code execution, or other possible attacks. (CVE-2015-5344) It was found that Apache Camel's Jetty/Servlet permitted object deserialization. If using camel-jetty or camel-servlet as a consumer in Camel routes, then Camel will automatically deserialize HTTP requests that use the content-header: application/x-java-serialized-object. An attacker could use this vulnerability to gain access to unauthorized information or conduct further attacks. (CVE-2015-5348) It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries. (CVE-2015-7940) The CVE-2016-2141 issue was discovered by Dennis Reed (Red Hat). Refer to the Product Documentation link in the References section for installation instructions. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). 4. Bugs fixed (https://bugzilla.redhat.com/): 1239002 - CVE-2015-3192 Spring Framework: denial-of-service attack with XML input 1276272 - CVE-2015-7940 bouncycastle: Invalid curve attack allowing to extract private keys 1292849 - CVE-2015-5348 Camel: Java object deserialisation in Jetty/Servlet 1303609 - CVE-2015-5344 camel-xstream: Java object de-serialization vulnerability leads to RCE 1310647 - CVE-2016-2510 bsh2: remote code execution via deserialization 1313589 - CVE-2016-2141 Authorization bypass in JGroups 1343346 - CVE-2016-4437 shiro: Security constraint bypass 5. References: https://access.redhat.com/security/cve/CVE-2015-3192 https://access.redhat.com/security/cve/CVE-2015-5344 https://access.redhat.com/security/cve/CVE-2015-5348 https://access.redhat.com/security/cve/CVE-2015-7940 https://access.redhat.com/security/cve/CVE-2016-2141 https://access.redhat.com/security/cve/CVE-2016-2510 https://access.redhat.com/security/cve/CVE-2016-4437 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.3.0 https://access.redhat.com/documentation/en/red-hat-jboss-fuse/?version=6.3 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFX9nl4XlSAg2UNWIIRAjzuAJ9IjZsuMRzFPBfv/AW1xXlo9AHHNwCeNayc X467FkxtKPz7MAU5sEu9U/c= =tF7y -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce