SB2019121922 - Multiple vulnerabilities in Red Hat JBoss Fuse/A-MQ

Description

This security bulletin contains information about 8 secuirty vulnerabilities.

1) Deserialization of Untrusted Data (CVE-ID: CVE-2019-12384)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to software allows the logback-core class to process polymorphic deserialization. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

2) Input validation error (CVE-ID: CVE-2013-7285)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insufficient validation of user-supplied input passed in XML and JSON formats to the Xstream API. A remote attacker can send specially crafted request to the affected application and execute arbitrary code on the target system.

3) Deserialization of Untrusted Data (CVE-ID: CVE-2019-10173)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data passed in XML or JSON formats within the xstream API. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

4) Resource exhaustion (CVE-ID: CVE-2019-9518)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper validation of user-supplied input within the HTTP.sys driver when processing HTTP/2 requests. A remote attacker can send specially crafted HTTP packets to the affected system trigger resource exhaustion and perform a denial of service (DoS) attack.

5) Resource exhaustion (CVE-ID: CVE-2019-9512)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper validation of user-supplied input when processing HTTP/2 requests. A remote attacker can send specially crafted HTTP packets to the affected system trigger resource exhaustion and perform a denial of service (DoS) attack.

6) Resource exhaustion (CVE-ID: CVE-2019-9514)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper validation of user-supplied input when processing HTTP/2 requests. A remote attacker can send specially crafted HTTP packets to the affected system trigger resource exhaustion and perform a denial of service (DoS) attack.

7) Resource management error (CVE-ID: CVE-2019-9515)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error in HTTP/2 implementation when processing SETTINGS frames. A remote attacker can send a huge amount of  SETTINGS frames to the peer and consume excessive CPU and memory on the system.

8) Improper access control (CVE-ID: CVE-2019-0201)

The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.

The vulnerability exists due to improper access restrictions when "getACL()" command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. A remote attacker can gain READ permissions to list ACL.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2019:4352