A Red Hat Fuse 7.12 release and security update has been released.

[RHSA-2023:3954-01] Critical: Red Hat Fuse 7.12 release and security update

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: Red Hat Fuse 7.12 release and security update
Advisory ID: RHSA-2023:3954-01
Product: Red Hat JBoss Fuse
Advisory URL: https://access.redhat.com/errata/RHSA-2023:3954
Issue date: 2023-06-29
CVE Names: CVE-2012-5783 CVE-2020-13956 CVE-2022-4492
CVE-2022-24785 CVE-2022-31692 CVE-2022-36437
CVE-2022-38398 CVE-2022-38648 CVE-2022-40146
CVE-2022-41704 CVE-2022-41854 CVE-2022-41881
CVE-2022-41940 CVE-2022-41946 CVE-2022-41966
CVE-2022-42890 CVE-2022-42920 CVE-2022-45143
CVE-2022-46363 CVE-2022-46364 CVE-2023-1108
CVE-2023-1370 CVE-2023-20860 CVE-2023-20861
CVE-2023-20883 CVE-2023-22602 CVE-2023-33201
=====================================================================

1. Summary:

A minor version update (from 7.11 to 7.12) is now available for Red Hat
Fuse. The purpose of this text-only errata is to inform you about the
security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

This release of Red Hat Fuse 7.12 serves as a replacement for Red Hat Fuse
7.11 and includes bug fixes and enhancements, which are documented in the
Release Notes document linked in the References.

Security Fix(es):

* hazelcast: Hazelcast connection caching (CVE-2022-36437)

* spring-security: Authorization rules can be bypassed via forward or
include dispatcher types in Spring Security (CVE-2022-31692)

* xstream: Denial of Service by injecting recursive collections or maps
based on element's hash values raising a stack overflow (CVE-2022-41966)

* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds
writing (CVE-2022-42920)

* Apache CXF: SSRF Vulnerability (CVE-2022-46364)

* Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)

* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart
(Resource Exhaustion) (CVE-2023-1370)

* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
(CVE-2023-20860)

* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)

* jakarta-commons-httpclient: missing connection hostname check against
X.509 certificate name (CVE-2012-5783)

* apache-httpclient: incorrect handling of malformed authority component in
request URIs (CVE-2020-13956)

* undertow: Server identity in https connection is not checked by the
undertow client (CVE-2022-4492)

* Moment.js: Path traversal in moment.locale (CVE-2022-24785)

* batik: Server-Side Request Forgery (CVE-2022-38398)

* batik: Server-Side Request Forgery (CVE-2022-38648)

* batik: Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-40146)

* batik: Apache XML Graphics Batik vulnerable to code execution via SVG
(CVE-2022-41704)

* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)

* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS
(CVE-2022-41881)

* engine.io: Specially crafted HTTP request can trigger an uncaught
exception (CVE-2022-41940)

* postgresql-jdbc: Information leak of prepared statement data due to
insecure temporary file permissions (CVE-2022-41946)

* batik: Untrusted code execution in Apache XML Graphics Batik
(CVE-2022-42890)

* Apache CXF: directory listing / code exfiltration (CVE-2022-46363)

* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)

* shiro: Authentication bypass through a specially crafted HTTP request
(CVE-2023-22602)

* bouncycastle: potential blind LDAP injection attack using a self-signed
certificate (CVE-2023-33201)

* tomcat: JsonErrorReportValve injection (CVE-2022-45143)

For more details about the security issues, including the impact, CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed ( https://bugzilla.redhat.com/):

873317 - CVE-2012-5783 jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name
1886587 - CVE-2020-13956 apache-httpclient: incorrect handling of malformed authority component in request URIs
2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale
2142707 - CVE-2022-42920 Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing
2144970 - CVE-2022-41940 engine.io: Specially crafted HTTP request can trigger an uncaught exception
2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow
2153260 - CVE-2022-4492 undertow: Server identity in https connection is not checked by the undertow client
2153379 - CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS
2153399 - CVE-2022-41946 postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions
2155291 - CVE-2022-40146 batik: Server-Side Request Forgery (SSRF) vulnerability
2155292 - CVE-2022-38398 batik: Server-Side Request Forgery
2155295 - CVE-2022-38648 batik: Server-Side Request Forgery
2155681 - CVE-2022-46363 Apache CXF: directory listing / code exfiltration
2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability
2158695 - CVE-2022-45143 tomcat: JsonErrorReportValve injection
2162053 - CVE-2022-36437 hazelcast: Hazelcast connection caching
2162206 - CVE-2022-31692 spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security
2170431 - CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow
2174246 - CVE-2023-1108 Undertow: Infinite loop in SslConduit during close
2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
2180530 - CVE-2023-20861 springframework: Spring Expression DoS Vulnerability
2182182 - CVE-2022-41704 batik: Apache XML Graphics Batik vulnerable to code execution via SVG
2182183 - CVE-2022-42890 batik: Untrusted code execution in Apache XML Graphics Batik
2182198 - CVE-2023-22602 shiro: Authentication bypass through a specially crafted HTTP request
2188542 - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)
2209342 - CVE-2023-20883 spring-boot: Spring Boot Welcome Page DoS Vulnerability
2215465 - CVE-2023-33201 bouncycastle: potential blind LDAP injection attack using a self-signed certificate

5. JIRA issues fixed ( https://issues.redhat.com/):

ENTESB-20598 - Incomplete fix of CVE-2020-13956
ENTESB-20598 - Incomplete fix of CVE-2020-13956
ENTESB-21418 - CVE-2023-1370, ensure that Syndesis is using fixed json-smart

6. References:

https://access.redhat.com/security/cve/CVE-2012-5783
https://access.redhat.com/security/cve/CVE-2020-13956
https://access.redhat.com/security/cve/CVE-2022-4492
https://access.redhat.com/security/cve/CVE-2022-24785
https://access.redhat.com/security/cve/CVE-2022-31692
https://access.redhat.com/security/cve/CVE-2022-36437
https://access.redhat.com/security/cve/CVE-2022-38398
https://access.redhat.com/security/cve/CVE-2022-38648
https://access.redhat.com/security/cve/CVE-2022-40146
https://access.redhat.com/security/cve/CVE-2022-41704
https://access.redhat.com/security/cve/CVE-2022-41854
https://access.redhat.com/security/cve/CVE-2022-41881
https://access.redhat.com/security/cve/CVE-2022-41940
https://access.redhat.com/security/cve/CVE-2022-41946
https://access.redhat.com/security/cve/CVE-2022-41966
https://access.redhat.com/security/cve/CVE-2022-42890
https://access.redhat.com/security/cve/CVE-2022-42920
https://access.redhat.com/security/cve/CVE-2022-45143
https://access.redhat.com/security/cve/CVE-2022-46363
https://access.redhat.com/security/cve/CVE-2022-46364
https://access.redhat.com/security/cve/CVE-2023-1108
https://access.redhat.com/security/cve/CVE-2023-1370
https://access.redhat.com/security/cve/CVE-2023-20860
https://access.redhat.com/security/cve/CVE-2023-20861
https://access.redhat.com/security/cve/CVE-2023-20883
https://access.redhat.com/security/cve/CVE-2023-22602
https://access.redhat.com/security/cve/CVE-2023-33201
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.12.0
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.12/

7. Contact:

The Red Hat security contact is [secalert@redhat.com]. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.

--