SB2018091126 - Multiple vulnerabilities in Fuse 7
Published: September 11, 2018 Updated: June 28, 2025
Description
This security bulletin contains information about 23 security vulnerabilities.
1) Unsafe reflection (CVE-ID: CVE-2014-0114)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists because Apache Commons BeanUtils does not suppress the class property. A remote unauthenticated attacker can manipulate the ClassLoader and execute arbitrary code via the class parameter.
2) Command injection (CVE-ID: CVE-2016-5397)
The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system. The weakness exists in the ft_go_generator.cc:format_go_output() function due to command injection. A remote attacker can submit a specially crafted service name through an external formatting tool and execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
3) Improper verification of cryptographic signature (CVE-ID: CVE-2016-1000338)
The vulnerability allows a remote attacker to bypass the signature validation process.
The JCE Provider in Bouncy Castle does not fully validate the ASN.1 encoding of the signature during verification in its DSA implementation. A remote attacker can inject extra elements into the sequence making up the signature; the signature is still considered valid, which allows the attacker to add extra data to a signed structure.
4) Cryptographic issues (CVE-ID: CVE-2016-1000339)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability is present in the Bouncy Castle JCE Provider because it uses AESFastEngine, which does not provide a sufficient level of secrecy and is prone to side-channel attacks.
5) Cryptographic issues (CVE-ID: CVE-2016-1000340)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists in the Bouncy Castle JCE Provider due to a buggy implementation of squaring in several raw math classes (org.bouncycastle.math.raw.Nat???). These classes are used by the custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for the scalar multipliers.
6) Cryptographic issues (CVE-ID: CVE-2016-1000341)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists in the Bouncy Castle JCE Provider implementation of the DSA signature generation process. An attacker able to observe timings for the generation of signatures can gain information about the signature's k value and ultimately the private value as well.
7) Improper verification of cryptographic signature (CVE-ID: CVE-2016-1000342)
The vulnerability allows a remote attacker to bypass the signature validation process.
The JCE Provider in Bouncy Castle does not fully validate the ASN.1 encoding of the signature during verification in its ECDSA implementation. A remote attacker can inject extra elements into the sequence making up the signature; the signature is still considered valid, which allows the attacker to add extra data to a signed structure.
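The check that items 3 and 7 describe as missing, shown as an added example (not Bouncy Castle code and not part of the original bulletin): a strict DER parser that accepts a DSA/ECDSA signature only when it is exactly SEQUENCE { INTEGER r, INTEGER s } with nothing extra. All function names and the sample encodings are constructed for illustration.

```python
class SignatureEncodingError(ValueError): pass
def _read_tlv(buf, pos, tag):
    """Read one DER element with the given tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise SignatureEncodingError("unexpected tag or truncated input")
    first, pos = buf[pos + 1], pos + 2
    if first < 0x80:                          # short-form length
        length = first
    else:                                     # long form: must be minimal
        n = first & 0x7F
        if n == 0 or n > 2 or pos + n > len(buf):
            raise SignatureEncodingError("bad length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise SignatureEncodingError("non-minimal length")
        pos += n
    if pos + length > len(buf):
        raise SignatureEncodingError("length runs past end of input")
    return buf[pos:pos + length], pos + length

def _read_int(buf, pos):
    body, pos = _read_tlv(buf, pos, 0x02)
    if not body or body[0] & 0x80:
        raise SignatureEncodingError("empty or negative INTEGER")
    if len(body) > 1 and body[0] == 0 and not body[1] & 0x80:
        raise SignatureEncodingError("non-minimal INTEGER")
    return int.from_bytes(body, "big"), pos

def parse_signature_strict(sig):
    """Return (r, s) only if sig is exactly SEQUENCE { r, s } and nothing else."""
    body, end = _read_tlv(sig, 0, 0x30)
    if end != len(sig):
        raise SignatureEncodingError("trailing bytes after SEQUENCE")
    r, pos = _read_int(body, 0)
    s, pos = _read_int(body, pos)
    if pos != len(body):
        raise SignatureEncodingError("extra element inside SEQUENCE")
    return r, s

def is_strict(sig):
    try:
        return bool(parse_signature_strict(sig))
    except SignatureEncodingError:
        return False
# Constructed sample encodings (short-form lengths only); not real signatures.
def _der(tag, body): return bytes([tag, len(body)]) + body
def _int(n): return _der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))
GOOD = _der(0x30, _int(0x1234) + _int(0xABCDEF))
EXTRA = _der(0x30, _int(0x1234) + _int(0xABCDEF) + _int(42))
```

Running a check like this before verification also flags signatures whose encoding was altered in transit; the range checks on r and s against the group order remain the verifier's job.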
8) Cryptographic issues (CVE-ID: CVE-2016-1000343)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists in the Bouncy Castle JCE Provider implementation of the DSA key pair generator, which generates a weak private key (1024 bit key size) if used with default values. An attacker can use this vulnerability to decrypt data.
9) Cryptographic issues (CVE-ID: CVE-2016-1000344)
The vulnerability allows a remote attacker to modify data on the system.
The vulnerability exists because the DHIES implementation allowed the use of ECB mode. A remote attacker can trigger the vulnerability to modify data on the system.
10) Information disclosure (CVE-ID: CVE-2016-1000345)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the DHIES/ECIES CBC mode is vulnerable to a padding oracle attack. A remote attacker with enough observations can identify when the decryption is failing due to padding.
11) Key management errors (CVE-ID: CVE-2016-1000346)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the other party's DH public key is not fully validated. A remote attacker can gain unauthorized access to sensitive information on the system and reveal details about the other party's private key where static Diffie-Hellman is in use.
12) Cryptographic issues (CVE-ID: CVE-2016-1000352)
The vulnerability allows a remote attacker to modify data on the system.
The vulnerability exists because the ECIES implementation allowed the use of ECB mode. A remote attacker can trigger the vulnerability to bypass security restrictions and escalate privileges on the system.
13) Input validation error (CVE-ID: CVE-2017-14063)
The vulnerability allows a remote attacker to modify data on the system.
The vulnerability exists because Async Http Client can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. A remote attacker can pass specially crafted input to the application and modify data on the system.
14) Memory leak (CVE-ID: CVE-2018-1114)
The vulnerability allows a remote attacker to perform a DoS attack on the target system.
The vulnerability exists due to a memory leak in the URLResource.getLastModified() function in Undertow: the method closes file descriptors only when they are finalized. A remote attacker can initiate opening of numerous URLs and exhaust all file descriptors, leading to a denial of service (DoS) attack.
15) Path traversal (CVE-ID: CVE-2018-1271)
The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.
The weakness exists in the spring-webmvc module due to the improper serving of static resources from a file system on Microsoft Windows systems. A remote attacker can send a malicious request using a crafted URL, trigger directory traversal, and overwrite, delete or read potentially sensitive file information.
16) Improper privilege management (CVE-ID: CVE-2018-1272)
The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.
The weakness exists due to improper processing of multipart requests. A remote attacker can make a multipart request that injects malicious content to the target server, cause it to use wrong values and gain root privileges.
17) Infinite loop (CVE-ID: CVE-2018-1338)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's BPGParser in versions of Apache Tika before 1.18.
18) Infinite loop (CVE-ID: CVE-2018-1339)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's ChmParser in versions of Apache Tika before 1.18.
19) Infinite loop (CVE-ID: CVE-2018-8036)
The vulnerability allows a remote attacker to cause a DoS condition on the target system. The weakness exists due to an infinite loop when handling malicious input. A remote attacker can supply a specially crafted (or fuzzed) file, trigger an out of memory exception and cause the service to crash.
20) Improper access control (CVE-ID: CVE-2018-8088)
The vulnerability allows a remote unauthenticated attacker to bypass access restrictions on the target system. The weakness exists in the org.slf4j.ext.EventData class due to improper security restrictions. A remote attacker can send specially crafted input, bypass access restrictions and gain unauthorized access to perform further attacks.
21) Cross-site scripting (CVE-ID: CVE-2018-1000129)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The weakness exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
22) Remote code execution (CVE-ID: CVE-2018-1000130)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists in the Java Naming and Directory Interface (JNDI) of Jolokia due to insufficient validation of user-supplied input. A remote attacker can inject and execute arbitrary Java code.
Successful exploitation of the vulnerability may result in system compromise.
23) Improper input validation (CVE-ID: CVE-2018-1000180)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the IDIH Visualization (Bouncy Castle Java Library) component in Oracle Communications Diameter Signaling Router (DSR). A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
Remediation
Install the update from the vendor's website.