SB2019101008 - Red Hat update for FIS 2.0 on Fuse 6.3.0 R13

Description

This security bulletin contains information about 8 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2018-19361)

The disclosed vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code.

The vulnerability exists due to fail to block the openjpa class from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to perform unauthorized actions on the system, which could allow the attacker to execute arbitrary code or cause a denial of service (DoS) condition.

2) Input validation error (CVE-ID: CVE-2018-19362)

The disclosed vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code.

The vulnerability exists due to fail to block the jboss-common-coreclass from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to perform unauthorized actions on the system, which could allow the attacker to execute arbitrary code or cause a denial of service (DoS) condition.

3) Input validation error (CVE-ID: CVE-2018-19360)

The disclosed vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code.

The vulnerability exists due to fail to block the axis2-transport-jmsclass from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to perform unauthorized actions on the system, which could allow the attacker to execute arbitrary code or cause a denial of service (DoS) condition.

4) Input validation error (CVE-ID: CVE-2018-14719)

The disclosed vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to fail to block blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. A remote attacker can send a specially crafted request that submits malicious input to execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

5) Deserialization of Untrusted Data (CVE-ID: CVE-2018-12022)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists when Default Typing is enabled and the service has the Jodd-db jar in the classpath. A remote attacker can provide an LDAP service to access and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

6) Deserialization of Untrusted Data (CVE-ID: CVE-2018-12023)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists when Default Typing is enabled and the service has the Oracle JDBC jar in the classpath. A remote attacker can provide an LDAP service to access and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

7) Remote code execution (CVE-ID: CVE-2018-14718)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to the failure to block the slf4j-ext class from polymorphic deserialization. A remote attacker can execute arbitrary code with elevated privileges.

8) Deserialization of Untrusted Data (CVE-ID: CVE-2018-11307)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to the usage of default typing along with a gadget class from iBatis, which allows exfiltration of content. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2019:3002