rhsa-2013_1028
Vulnerability from csaf_redhat
Published
2013-07-09 17:35
Modified
2024-11-05 18:08
Summary
Red Hat Security Advisory: Fuse ESB Enterprise 7.1.0 update
Notes
Topic
Fuse ESB Enterprise 7.1.0 roll up patch 1, which fixes multiple security
issues and various bugs, is now available from the Red Hat Customer Portal.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Details
Fuse ESB Enterprise, based on Apache ServiceMix, provides an integration
platform.
This release of Fuse ESB Enterprise 7.1.0 roll up patch 1 is an update to
Fuse ESB Enterprise 7.1.0 and includes bug fixes. Refer to the readme file
included with the patch files for information about the bug fixes.
The following security issues are also fixed with this release:
XML encryption backwards compatibility attacks were found against various
frameworks, including Apache CXF. An attacker could force a server to use
insecure, legacy cryptosystems, even when secure cryptosystems were enabled
on endpoints. By forcing the use of legacy cryptosystems, flaws such as
CVE-2011-1096 and CVE-2011-2487 would be exposed, allowing plain text to be
recovered from cryptograms and symmetric keys. (CVE-2012-5575)
Note: Automatic checks to prevent CVE-2012-5575 are only run when
WS-SecurityPolicy is used to enforce security requirements. It is best
practice to use WS-SecurityPolicy to enforce security requirements.
A flaw in JRuby's JSON gem allowed remote attacks by creating different
types of malicious objects. For example, it could initiate a denial of
service attack through resource consumption by using a JSON document to
create arbitrary Ruby symbols, which were never garbage collected. It could
also be exploited to create internal objects which could allow a SQL
injection attack. (CVE-2013-0269)
It was discovered that JRuby's REXML library did not properly restrict XML
entity expansion. An attacker could use this flaw to cause a denial of
service by tricking a Ruby application using REXML to read text nodes from
specially-crafted XML content, which will result in REXML consuming large
amounts of system memory. (CVE-2013-1821)
Multiple denial of service flaws were found in the way the Apache CXF
StAX parser implementation processed certain XML files. If a web service
utilized the StAX parser, a remote attacker could provide a
specially-crafted XML file that, when processed, would lead to excessive
CPU and memory consumption. (CVE-2013-2160)
Note: Fuse ESB Enterprise 7.1.0 ships JRuby as part of the camel-ruby
component, which allows users to define Camel routes in Ruby. The default
use of JRuby in Fuse ESB Enterprise 7.1.0 does not appear to expose either
CVE-2013-0269 or CVE-2013-1821. If the version of JRuby shipped with Fuse
ESB Enterprise 7.1.0 was used to build a custom application, then these
flaws could be exposed.
Red Hat would like to thank Tibor Jager, Kenneth G. Paterson and Juraj
Somorovsky of Ruhr-University Bochum for reporting CVE-2012-5575; Ruby
on Rails upstream for reporting CVE-2013-0269; and Andreas Falkenberg of
SEC Consult Deutschland GmbH, and Christian Mainka, Juraj Somorovsky and
Joerg Schwenk of Ruhr-University Bochum for reporting CVE-2013-2160.
Upstream acknowledges Thomas Hollstegge of Zweitag and Ben Murphy as the
original reporters of CVE-2013-0269.
All users of Fuse ESB Enterprise 7.1.0 as provided from the Red Hat
Customer Portal are advised to upgrade to Fuse ESB Enterprise 7.1.0 roll up
patch 1.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Fuse ESB Enterprise 7.1.0 roll up patch 1, which fixes multiple security\nissues and various bugs, is now available from the Red Hat Customer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.", "title": "Topic" }, { "category": "general", "text": "Fuse ESB Enterprise, based on Apache ServiceMix, provides an integration\nplatform.\n\nThis release of Fuse ESB Enterprise 7.1.0 roll up patch 1 is an update to\nFuse ESB Enterprise 7.1.0 and includes bug fixes. Refer to the readme file\nincluded with the patch files for information about the bug fixes.\n\nThe following security issues are also fixed with this release:\n\nXML encryption backwards compatibility attacks were found against various\nframeworks, including Apache CXF. An attacker could force a server to use\ninsecure, legacy cryptosystems, even when secure cryptosystems were enabled\non endpoints. By forcing the use of legacy cryptosystems, flaws such as\nCVE-2011-1096 and CVE-2011-2487 would be exposed, allowing plain text to be\nrecovered from cryptograms and symmetric keys. (CVE-2012-5575)\n\nNote: Automatic checks to prevent CVE-2012-5575 are only run when\nWS-SecurityPolicy is used to enforce security requirements. It is best\npractice to use WS-SecurityPolicy to enforce security requirements.\n\nA flaw in JRuby\u0027s JSON gem allowed remote attacks by creating different\ntypes of malicious objects. For example, it could initiate a denial of\nservice attack through resource consumption by using a JSON document to\ncreate arbitrary Ruby symbols, which were never garbage collected. It could\nalso be exploited to create internal objects which could allow a SQL\ninjection attack. (CVE-2013-0269)\n\nIt was discovered that JRuby\u0027s REXML library did not properly restrict XML\nentity expansion. An attacker could use this flaw to cause a denial of\nservice by tricking a Ruby application using REXML to read text nodes from\nspecially-crafted XML content, which will result in REXML consuming large\namounts of system memory. (CVE-2013-1821)\n\nMultiple denial of service flaws were found in the way the Apache CXF\nStAX parser implementation processed certain XML files. If a web service\nutilized the StAX parser, a remote attacker could provide a\nspecially-crafted XML file that, when processed, would lead to excessive\nCPU and memory consumption. (CVE-2013-2160)\n\nNote: Fuse ESB Enterprise 7.1.0 ships JRuby as part of the camel-ruby\ncomponent, which allows users to define Camel routes in Ruby. The default\nuse of JRuby in Fuse ESB Enterprise 7.1.0 does not appear to expose either\nCVE-2013-0269 or CVE-2013-1821. If the version of JRuby shipped with Fuse\nESB Enterprise 7.1.0 was used to build a custom application, then these\nflaws could be exposed.\n\nRed Hat would like to thank Tibor Jager, Kenneth G. Paterson and Juraj\nSomorovsky of Ruhr-University Bochum for reporting CVE-2012-5575; Ruby\non Rails upstream for reporting CVE-2013-0269; and Andreas Falkenberg of\nSEC Consult Deutschland GmbH, and Christian Mainka, Juraj Somorovsky and\nJoerg Schwenk of Ruhr-University Bochum for reporting CVE-2013-2160.\nUpstream acknowledges Thomas Hollstegge of Zweitag and Ben Murphy as the\noriginal reporters of CVE-2013-0269.\n\nAll users of Fuse ESB Enterprise 7.1.0 as provided from the Red Hat\nCustomer Portal are advised to upgrade to Fuse ESB Enterprise 7.1.0 roll up\npatch 1.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2013:1028", "url": "https://access.redhat.com/errata/RHSA-2013:1028" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.esb.enterprise\u0026downloadType=securityPatches\u0026version=7.1.0", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.esb.enterprise\u0026downloadType=securityPatches\u0026version=7.1.0" }, { "category": "external", "summary": "http://cxf.apache.org/cve-2012-5575.html", "url": "http://cxf.apache.org/cve-2012-5575.html" }, { "category": "external", "summary": "https://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc", "url": "https://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc" }, { "category": "external", "summary": "880443", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=880443" }, { "category": "external", "summary": "909029", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=909029" }, { "category": "external", "summary": "914716", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=914716" }, { "category": "external", "summary": "929197", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=929197" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1028.json" } ], "title": "Red Hat Security Advisory: Fuse ESB Enterprise 7.1.0 update", "tracking": { "current_release_date": "2024-11-05T18:08:47+00:00", "generator": { "date": "2024-11-05T18:08:47+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2013:1028", "initial_release_date": "2013-07-09T17:35:00+00:00", "revision_history": [ { "date": "2013-07-09T17:35:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2013-07-09T17:36:00+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-05T18:08:47+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Fuse ESB Enterprise 7.1.0", "product": { "name": "Fuse ESB Enterprise 7.1.0", "product_id": "Fuse ESB Enterprise 7.1.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:fuse_esb_enterprise:7.1.0" } } } ], "category": "product_family", "name": "Fuse Enterprise Middleware" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "acknowledgments": [ { "names": [ "Tibor Jager", "Kenneth G. Paterson", "Juraj Somorovsky" ], "organization": "Ruhr-University Bochum" } ], "cve": "CVE-2012-5575", "cwe": { "id": "CWE-327", "name": "Use of a Broken or Risky Cryptographic Algorithm" }, "discovery_date": "2012-11-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "880443" } ], "notes": [ { "category": "description", "text": "Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting, which allows remote attackers to force CXF to use weaker cryptographic algorithms than intended and makes it easier to decrypt communications, aka \"XML Encryption backwards compatibility attack.\"", "title": "Vulnerability description" }, { "category": "summary", "text": "apache-cxf: XML encryption backwards compatibility attacks", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Fuse ESB Enterprise 7.1.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2012-5575" }, { "category": "external", "summary": "RHBZ#880443", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=880443" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2012-5575", "url": "https://www.cve.org/CVERecord?id=CVE-2012-5575" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5575", "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5575" }, { "category": "external", "summary": "http://cxf.apache.org/cve-2012-5575.html", "url": "http://cxf.apache.org/cve-2012-5575.html" }, { "category": "external", "summary": "http://www.nds.ruhr-uni-bochum.de/research/publications/backwards-compatibility/", "url": "http://www.nds.ruhr-uni-bochum.de/research/publications/backwards-compatibility/" } ], "release_date": "2013-03-08T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2013-07-09T17:35:00+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).", "product_ids": [ "Fuse ESB Enterprise 7.1.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:1028" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 7.8, "confidentialityImpact": "COMPLETE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0" }, "products": [ "Fuse ESB Enterprise 7.1.0" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "apache-cxf: XML encryption backwards compatibility attacks" }, { "acknowledgments": [ { "names": [ "Ruby on Rails upstream" ] }, { "names": [ "Thomas Hollstegge" ], "organization": "Zweitag", "summary": "Acknowledged by upstream." }, { "names": [ "Ben Murphy" ], "summary": "Acknowledged by upstream." } ], "cve": "CVE-2013-0269", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2013-02-07T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "909029" } ], "notes": [ { "category": "description", "text": "The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka \"Unsafe Object Creation Vulnerability.\"", "title": "Vulnerability description" }, { "category": "summary", "text": "rubygem-json: Denial of Service and SQL Injection", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Satellite tools ship RubyGem Json 1.4.6 which is earlier than affected 1.5.5 version however, this version of RubyGem is not affected to the flaw. We may update RubyGem in a future release.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Fuse ESB Enterprise 7.1.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2013-0269" }, { "category": "external", "summary": "RHBZ#909029", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=909029" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2013-0269", "url": "https://www.cve.org/CVERecord?id=CVE-2013-0269" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-0269", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0269" }, { "category": "external", "summary": "http://www.ruby-lang.org/en/news/2013/02/22/json-dos-cve-2013-0269/", "url": "http://www.ruby-lang.org/en/news/2013/02/22/json-dos-cve-2013-0269/" } ], "release_date": "2013-02-11T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2013-07-09T17:35:00+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).", "product_ids": [ "Fuse ESB Enterprise 7.1.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:1028" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "products": [ "Fuse ESB Enterprise 7.1.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "rubygem-json: Denial of Service and SQL Injection" }, { "cve": "CVE-2013-1821", "discovery_date": "2013-02-22T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "914716" } ], "notes": [ { "category": "description", "text": "lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "ruby: entity expansion DoS vulnerability in REXML", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Fuse ESB Enterprise 7.1.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2013-1821" }, { "category": "external", "summary": "RHBZ#914716", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=914716" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2013-1821", "url": "https://www.cve.org/CVERecord?id=CVE-2013-1821" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-1821", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1821" }, { "category": "external", "summary": "http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/", "url": "http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/" } ], "release_date": "2013-02-22T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2013-07-09T17:35:00+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).", "product_ids": [ "Fuse ESB Enterprise 7.1.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:1028" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0" }, "products": [ "Fuse ESB Enterprise 7.1.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "ruby: entity expansion DoS vulnerability in REXML" }, { "acknowledgments": [ { "names": [ "Andreas Falkenberg" ], "organization": "SEC Consult Deutschland GmbH" }, { "names": [ "Christian Mainka", "Juraj Somorovsky", "Joerg Schwenk" ], "organization": "Ruhr-University Bochum" } ], "cve": "CVE-2013-2160", "discovery_date": "2013-03-29T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "929197" } ], "notes": [ { "category": "description", "text": "The streaming XML parser in Apache CXF 2.5.x before 2.5.10, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to cause a denial of service (CPU and memory consumption) via crafted XML with a large number of (1) elements, (2) attributes, (3) nested constructs, and possibly other vectors.", "title": "Vulnerability description" }, { "category": "summary", "text": "apache-cxf: Multiple denial of service flaws in the StAX parser", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Fuse ESB Enterprise 7.1.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2013-2160" }, { "category": "external", "summary": "RHBZ#929197", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=929197" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2013-2160", "url": "https://www.cve.org/CVERecord?id=CVE-2013-2160" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2160", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2160" }, { "category": "external", "summary": "http://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc", "url": "http://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc" } ], "release_date": "2013-06-26T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2013-07-09T17:35:00+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update).", "product_ids": [ "Fuse ESB Enterprise 7.1.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:1028" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "products": [ "Fuse ESB Enterprise 7.1.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "apache-cxf: Multiple denial of service flaws in the StAX parser" } ] }
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.