SB2020032701 - Multiple vulnerabilities in Red Hat Fuse

Security Bulletin ID SB2020032701

Severity

High

Patch available

YES

Number of vulnerabilities 23

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 23 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2015-9251)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when a cross-domain Ajax request is performed without the dataType option. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary text/javascript responses in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Resource exhaustion (CVE-ID: CVE-2019-9518)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper validation of user-supplied input within the HTTP.sys driver when processing HTTP/2 requests. A remote attacker can send specially crafted HTTP packets to the affected system trigger resource exhaustion and perform a denial of service (DoS) attack.

3) Deserialization of Untrusted Data (CVE-ID: CVE-2019-17570)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data within the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult() method in Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

4) Information disclosure (CVE-ID: CVE-2019-14439)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a polymorphic typing issue when Default Typing is enabled for an externally exposed JSON endpoint and the service has the logback jar in the classpath. A remote attacker can send a specially crafted JSON message and gain unauthorized access to sensitive information on the system.

5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-14379)

The vulnerability allows a remote attacker to execute arbitrary code on a targeted system.

The vulnerability exists due to the "SubTypeValidator.java" file mishandles default typing when Ehcache is used. A remote attacker can send a request that submits malicious input to the targeted system and execute arbitrary code.

6) Information disclosure (CVE-ID: CVE-2019-12814)

The vulnerability allows a remote attacker to access sensitive information on a targeted system.

The vulnerability exist due to a polymorphic typing issue when Default Typing is enabled. A remote attacker can send a crafted JSON message that submits malicious input and gain access to sensitive information on the targeted system.

7) Cryptographic issues (CVE-ID: CVE-2019-12422)

The vulnerability allows a remote attacker to perform a padding attack.

The vulnerability exists due to using the default "remember me" configuration. A remote attacker can perform a padding attack on cookies and gain sensitive information on the target system.

8) Deserialization of Untrusted Data (CVE-ID: CVE-2019-12384)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to software allows the logback-core class to process polymorphic deserialization. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

9) Credentials management (CVE-ID: CVE-2019-11272)

The vulnerability allows a local user to gain unauthorized access to a system.

The vulnerability exist due to the PlaintextPasswordEncoder uses plain text passwords. A local user can bypass authentication process using a password of "null" and gain unauthorized access to the targeted system.

10) Directory listing (CVE-ID: CVE-2019-10184)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to incorrect handling of requests without trailing slashes in the api. A remote attacker can send a specially crafted HTTP request to the affected server and predict directory structure.

11) Unsafe reflection (CVE-ID: CVE-2019-10174)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to Infinispan uses an insecure invokeAccessibly method from ReflectionUtil class that allows to invoke other private methods. A local user can abuse this functionality to execute arbitrary code on the system with privileges of Infinispan process.

12) Resource management error (CVE-ID: CVE-2019-9517)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect implementation of HTTP/2 protocol. A remote attacker can open the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.

13) Deserialization of Untrusted Data (CVE-ID: CVE-2017-5929)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data within SocketServer and ServerSocketReceiver components in Logback. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

14) Resource exhaustion (CVE-ID: CVE-2019-9516)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation when processing HTTP/2 requests within the ngx_http_v2_module module. A remote attacker can send a specially crafted HTTP/2 request the affected server, consume all available CPU resources and perform a denial of service (DoS) attack.

Successful exploitation of the vulnerability requires that support for HTTP/2 is enabled.

15) Resource management error (CVE-ID: CVE-2019-9515)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error in HTTP/2 implementation when processing SETTINGS frames. A remote attacker can send a huge amount of SETTINGS frames to the peer and consume excessive CPU and memory on the system.

16) Resource exhaustion (CVE-ID: CVE-2019-9514)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper validation of user-supplied input when processing HTTP/2 requests. A remote attacker can send specially crafted HTTP packets to the affected system trigger resource exhaustion and perform a denial of service (DoS) attack.

17) Resource exhaustion (CVE-ID: CVE-2019-9513)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation when processing HTTP/2 requests. A remote attacker can send a specially crafted HTTP/2 request the affected server, consume all available CPU resources and perform a denial of service (DoS) attack.

Successful exploitation of the vulnerability requires that support for HTTP/2 is enabled.

18) Resource exhaustion (CVE-ID: CVE-2019-9512)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper validation of user-supplied input when processing HTTP/2 requests. A remote attacker can send specially crafted HTTP packets to the affected system trigger resource exhaustion and perform a denial of service (DoS) attack.

19) Input validation error (CVE-ID: CVE-2019-5427)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when processing XML files within the c3p0/src/java/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java. A remote attacker can create a specially crafted XML file, pass it to the affected application and trigger recursive entity expansion when loading configuration. This results in denial of service (DoS) attack aka billion laughs attack.

Exploit:

<?xml version="1.0"?>
<!DOCTYPE lolz [
        <!ENTITY lol "lol">
        <!ELEMENT lolz (#PCDATA)>
        <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
        <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
        <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
        <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
        <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
        <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
        <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
        <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
        <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
        ]>
<lolz>&lol9;</lolz>

20) Cleartext storage of sensitive information (CVE-ID: CVE-2019-3888)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to the Connectors.executeRootHandler:402 logs the HttpServerExchange object at ERROR level using UndertowLogger.REQUEST_LOGGER.undertowRequestFailed(t, exchange), which includes logging of user credentials. A local user can view contents of log files and gain access to credentials in plain text that are stored in them.

21) Information disclosure (CVE-ID: CVE-2019-3802)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to ExampleMatcher using ExampleMatcher.StringMatcher.STARTING, ExampleMatcher.StringMatcher.ENDING or ExampleMatcher.StringMatcher.CONTAINING in Spring Data JPA return more data than anticipated when processing a specially crafted value. A remote attacker can gain unauthorized access to sensitive information on the system.

22) Improper input validation (CVE-ID: CVE-2018-15756)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists in Pivotal Software Spring Framework due to improper handling of range requests. A remote attacker can send a specially crafted request that contains an additional range header with a high number of ranges or with wide ranges that overlap and cause the service to crash.

23) Improper input validation (CVE-ID: CVE-2018-11771)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to an error when processing malicious input. A remote attacker can trick the victim into processing a specially crafted ZIP archive with 'java.io.InputStreamReader', trigger an error in detecting the end of the file and cause the service to crash.

Remediation

Install update from vendor's website.

References

https://access.redhat.com/errata/RHSA-2020:0983

SB2020032701 - Multiple vulnerabilities in Red Hat Fuse

Breakdown by Severity

Description

Remediation

References

Please verify you're human