RHSA-2018:2405: Critical: Red Hat FIS 2.0 on Fuse 6.3.0 R7 security and bug fix update
Red Hat Fuse Integration Services provides a set of tools and containerized xPaaS images that enable development, deployment, and management of integration microservices within OpenShift.

Security fix(es):

undertow: Client can use a bogus URI in Digest authentication (CVE-2017-12196)
spring-boot: Malicious PATCH requests submitted to servers can use specially crafted JSON data to run arbitrary Java code (CVE-2017-8046)
spring-framework: Improper URL path validation allows for bypassing of security checks on static resources (CVE-2018-1199)
ignite: Possible execution of arbitrary code within deserialization endpoints (CVE-2018-1295)
spark: Absolute and relative pathnames allow for unintended static file disclosure (CVE-2018-9159)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

The CVE-2017-12196 issue was discovered by Jan Stourac (Red Hat).
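Two of the fixes above (CVE-2018-9159 in Spark and CVE-2018-1199 in Spring Framework) belong to the same bug class: a static-file handler accepts a request path that is absolute, or contains "." and ".." segments, and ends up serving a file outside its document root. The example below is added here to illustrate that class; it is not code from Spark, Spring, or any Red Hat product, and it does not reproduce the specific flaws those CVEs describe. It shows a naive resolver that joins the request path onto the root (so an absolute path silently replaces the root and ".." walks out of it) beside a hardened resolver that canonicalizes with os.path.realpath and confines the result to the root. The demo() helper, the temporary directory, and the file names are constructed for the example and are assumptions; it also assumes URL decoding has already been applied exactly once before the path reaches the resolver.

```python
import os
import tempfile


def unsafe_resolve(root, request_path):
    """Naive static-file resolver (the vulnerable pattern).

    os.path.join discards `root` entirely when request_path is absolute,
    and nothing here normalizes or rejects '..' segments.
    """
    return os.path.join(root, request_path)


def safe_resolve(root, request_path):
    """Hardened resolver: always relative to root, canonicalized, confined.

    Returns the canonical filesystem path to serve, or None if the request
    would escape the document root. Assumes request_path was URL-decoded
    exactly once by the caller (double-decoding here would reopen the hole).
    """
    root = os.path.realpath(root)
    if "\x00" in request_path:
        return None
    # Treat every request path as relative: strip leading separators so an
    # absolute client path cannot replace the root in os.path.join.
    rel = request_path.lstrip("/")
    candidate = os.path.realpath(os.path.join(root, rel))
    # realpath has collapsed '.', '..' and symlinks; now confine the result.
    # Requiring the separator avoids accepting a sibling such as root + "2".
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def demo():
    """Build a constructed layout (base/public/index.html, base/secret.txt)
    and resolve a few request paths with both resolvers."""
    base = os.path.realpath(tempfile.mkdtemp())
    root = os.path.join(base, "public")
    os.mkdir(root)
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html>ok</html>")
    secret = os.path.join(base, "secret.txt")  # outside the document root
    with open(secret, "w") as f:
        f.write("not for the web")

    return {
        "root": root,
        "secret": secret,
        # Absolute request path: join() throws the root away.
        "unsafe_absolute": unsafe_resolve(root, secret),
        # Relative traversal: one '..' climbs out of public/.
        "unsafe_relative": os.path.normpath(unsafe_resolve(root, "../secret.txt")),
        # Hardened resolver on the same inputs.
        "safe_normal": safe_resolve(root, "/index.html"),
        "safe_absolute": safe_resolve(root, secret),
        "safe_relative": safe_resolve(root, "../secret.txt"),
        "safe_dot_segments": safe_resolve(root, "/./sub/../../secret.txt"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note the design choice in safe_resolve: because os.path.realpath follows symlinks before the containment check, a symlink inside the document root that points outside it is also refused. That is stricter than some servers want; if you need to allow such links, confine on the normalized path first and then decide separately whether resolved symlinks may leave the root.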
Frequently Asked Questions
What is the severity of RHSA-2018:2405?
The severity of RHSA-2018:2405 is categorized as critical, as stated in the advisory title.
How do I fix RHSA-2018:2405?
To fix RHSA-2018:2405, update the Red Hat FIS 2.0 on Fuse 6.3.0 R7 container images (the xPaaS images) to the versions shipped with this advisory, then rebuild or redeploy any running pods that were created from the older images; a patched image has no effect on containers that are still running the old one.
What vulnerabilities are addressed in RHSA-2018:2405?
RHSA-2018:2405 addresses five vulnerabilities: a Digest authentication flaw in undertow (CVE-2017-12196), arbitrary Java code execution via crafted PATCH requests in spring-boot (CVE-2017-8046), a static-resource security-check bypass in spring-framework (CVE-2018-1199), possible arbitrary code execution through deserialization endpoints in ignite (CVE-2018-1295), and unintended static file disclosure in spark (CVE-2018-9159).
Which Red Hat products are affected by RHSA-2018:2405?
RHSA-2018:2405 affects Red Hat Fuse Integration Services and associated xPaaS images.
When was RHSA-2018:2405 released?
RHSA-2018:2405 was released on October 10, 2018.