RHSA-2014:0323: Important: Red Hat JBoss Fuse/A-MQ 6.0.0 security update

Red Hat JBoss Fuse 6.0.0 is an integration platform based on ApacheServiceMix. Red Hat JBoss A-MQ 6.0.0, based on Apache ActiveMQ, is astandards compliant messaging system that is tailored for use in missioncritical applications.This patch is an update to Red Hat JBoss Fuse 6.0.0 and Red Hat JBoss A-MQ6.0.0. It includes bug fixes, which are documented in the readme fileincluded with the patch files.The following security issues are fixed with this release:It was found that XStream could deserialize arbitrary user-supplied XMLcontent, representing objects of any type. A remote attacker able to passXML to XStream could use this flaw to perform a variety of attacks,including remote code execution in the context of the server running theXStream application. (CVE-2013-7285)It was found that the Apache Camel XSLT component allowed XSL stylesheetsto call external Java methods. A remote attacker able to submit messages toa Camel route could use this flaw to perform arbitrary remote codeexecution in the context of the Camel server process. (CVE-2014-0003)It was found that the Apache Camel XSLT component would resolve entities inXML messages when transforming them using an XSLT route. A remote attackerable to submit messages to an XSLT Camel route could use this flaw to readfiles accessible to the user running the application server and,potentially, perform other more advanced XML External Entity (XXE) attacks.(CVE-2014-0002)The CVE-2014-0003 and CVE-2014-0002 issues were discovered by David Jorm ofthe Red Hat Security Response Team.All users of Red Hat JBoss Fuse 6.0.0 and Red Hat JBoss A-MQ 6.0.0 asprovided from the Red Hat Customer Portal are advised to apply this patch.