RHSA-2014:0452: Important: Fuse ESB Enterprise/Fuse MQ Enterprise 7.1.0 update

Fuse ESB Enterprise is an integration platform based on Apache ServiceMix.Fuse MQ Enterprise, based on Apache ActiveMQ, is a standards-compliantmessaging system that is tailored for use in mission critical applications.This release of Fuse ESB Enterprise/MQ Enterprise 7.1.0 R1 P3 is an updateto Fuse ESB Enterprise 7.1.0 and Fuse MQ Enterprise 7.1.0. It includesvarious bug fixes, which are listed in the README file included with thepatch files.The following security issues are also addressed with this release:It was found that XStream could deserialize arbitrary user-supplied XMLcontent, representing objects of any type. A remote attacker able to passXML to XStream could use this flaw to perform a variety of attacks,including remote code execution in the context of the server running theXStream application. (CVE-2013-7285)It was found that the Apache Camel XSLT component allowed XSL stylesheetsto call external Java methods. A remote attacker able to submit messages toa Camel route could use this flaw to perform arbitrary remote codeexecution in the context of the Camel server process. (CVE-2014-0003)It was found that the ParserPool and Decrypter classes in the OpenSAML Javaimplementation resolved external entities, permitting XML External Entity(XXE) attacks. A remote attacker could use this flaw to read filesaccessible to the user running the application server and, potentially,perform other more advanced XXE attacks. (CVE-2013-6440)It was found that the Apache Camel XSLT component would resolve entities inXML messages when transforming them using an XSLT route. A remote attackerable to submit messages to an XSLT Camel route could use this flaw to readfiles accessible to the user running the application server and,potentially, perform other more advanced XXE attacks. (CVE-2014-0002)A denial of service flaw was found in the way Apache Commons FileUploadhandled small-sized buffers used by MultipartStream. A remote attackercould use this flaw to create a malformed Content-Type header for amultipart request, causing Apache Commons FileUpload to enter an infiniteloop when processing such an incoming request. (CVE-2014-0050)The CVE-2014-0002 and CVE-2014-0003 issues were discovered by David Jorm ofthe Red Hat Security Response Team, and the CVE-2013-6440 issue wasdiscovered by David Illsley, Ron Gutierrez of Gotham Digital Science, andDavid Jorm of the Red Hat Security Response Team.All users of Fuse ESB Enterprise/MQ Enterprise 7.1.0 as provided from theRed Hat Customer Portal are advised to upgrade to Fuse ESB Enterprise/MQEnterprise 7.1.0 R1 P3.