-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   
Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Fuse/A-MQ 6.3 R14 security and bug fix update
Advisory ID:       RHSA-2019:4352-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4352
Issue date:        2019-12-19
CVE Names:         CVE-2019-0201 CVE-2019-9512 CVE-2019-9514
                   CVE-2019-9515 CVE-2019-9518 CVE-2019-10173
                   CVE-2019-12384
====================================================================
1. Summary:

An update is now available for Red Hat JBoss Fuse 6.3 and Red Hat JBoss
A-MQ 6.3.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat Fuse provides a small-footprint, flexible, open source enterprise
service bus and integration platform. Red Hat A-MQ is a standards compliant
messaging system that is tailored for use in mission critical applications.

This patch is an update to Red Hat Fuse 6.3 and Red Hat A-MQ 6.3. It
includes bug fixes, which are documented in the patch notes accompanying
the package on the download page. See the download link given in the
references section below.

Security fix(es):

* zookeeper: Information disclosure in Apache ZooKeeper (CVE-2019-0201)

* HTTP/2: flood using PING frames results in unbounded memory growth
(CVE-2019-9512)

* HTTP/2: flood using HEADERS frames results in unbounded memory growth
(CVE-2019-9514)

* HTTP/2: flood using SETTINGS frames results in unbounded memory growth
(CVE-2019-9515)

* HTTP/2: flood using empty frames results in excessive resource
consumption (CVE-2019-9518)

* xstream: remote code execution due to insecure XML deserialization
(CVE-2019-10173)

* jackson-databind: failure to block the logback-core class from
polymorphic deserialization leading to remote code execution
(CVE-2019-12384)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

Installation instructions are located in the download section of the
customer portal.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1715197 - CVE-2019-0201 zookeeper: Information disclosure in Apache ZooKeeper
1722971 - CVE-2019-10173 xstream: remote code execution due to insecure XML deserialization (regression of  CVE-2013-7285)
1725807 - CVE-2019-12384 jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution
1735645 - CVE-2019-9512 HTTP/2: flood using PING frames results in unbounded memory growth
1735744 - CVE-2019-9514 HTTP/2: flood using HEADERS frames results in unbounded memory growth
1735745 - CVE-2019-9515 HTTP/2: flood using SETTINGS frames results in unbounded memory growth
1735749 - CVE-2019-9518 HTTP/2: flood using empty frames results in excessive resource consumption

5. References:

https://access.redhat.com/security/cve/CVE-2019-0201
https://access.redhat.com/security/cve/CVE-2019-9512
https://access.redhat.com/security/cve/CVE-2019-9514
https://access.redhat.com/security/cve/CVE-2019-9515
https://access.redhat.com/security/cve/CVE-2019-9518
https://access.redhat.com/security/cve/CVE-2019-10173
https://access.redhat.com/security/cve/CVE-2019-12384
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq.broker&downloadType=securityPatches&version=6.3.0
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.3
https://access.redhat.com/documentation/en-us/red_hat_jboss_fuse/6.3/html/release_notes/index

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXfu1vtzjgjWX9erEAQiMjA//XqIwbDhdop0p5RpMbd3RJ87mafa5zuK8
IzZGKOQ8PqTtSWhfH7t56gl+GASljIExgFGI43Sbo+gcbyVuC4EHYQz4p8lZA5SW
P7Qg2pSc3Kw2IAEOIn68j7uE1IsZd1gqsPyqpLT7FXaiNobxLYCCvn+V47IHfb91
r9sAVe69BNFBsamvdij/dIAp8vovgwrzpl6XFhSG83AJCSe527Eh96MRJ3O7DXBc
jszqf41l6td7UECYRfgILyBibnrnFgwjyHEOabsniEGRrRCZzVTfFbmnA6e4Vi1H
0hGZ97qoizQ2cxe515UlBNZ2rglITgp9hzZ27stNIFa4vKLOKLgh0IBRqdtY9gJV
hNOyAN3VV7B3e/RSxnOH9s+GS9581+dG8J2j/4fsIh3yCm5517RtV0doaQB6ldTo
Dg+7+tKTtrJVedUsjFduC0RZ6fQgtqz2DruktOfejN+bbFKEhFFHoYJD9ItBqJLq
elH2TglaQkjIWtP+vrmBHWKGOsZ0Q7gTPWIHnralMMYtT0LgPh1SiWam4Fy6Hfu1
4aHCBdWEr5OeGXupPcb926+E2IpsAN3B/zcSoJyfO+fq8ySCagHu+EtNAC1Pn2G5
0C0qKlU6ZdTMixwzMvSd/weLE1Evldp2rYdg7TqvJq6l4drkqJqC48DqD4YoO0W0
ohGOzwauhEI=ohgL
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce