7.5 - RHSA-2019:3002

Executive Summary

Summary
Title	Red Hat FIS 2.0 on Fuse 6.3.0 R13 security and bug fix update

Informations
Name	RHSA-2019:3002	First vendor Publication	2019-10-10
Vendor	RedHat	Last vendor Modification	2019-10-10
Severity (Vendor)	N/A	Revision	01

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score	7.5	Attack Range	Network
Cvss Impact Score	6.4	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

An update is now available for Red Hat Fuse Integration Services.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat Fuse Integration Services provides a set of tools and containerized xPaaS images that enable development, deployment, and management of integration microservices within OpenShift.

Security fix(es):

* jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis (CVE-2018-11307)

* jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022)

* jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023)

* jackson-databind: arbitrary code execution in slf4j-ext class (CVE-2018-14718)

* jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719)

* jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360)

* jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361)

* jackson-databind: improper polymorphic deserialization in jboss-common-core class (CVE-2018-19362)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

Updating instructions and release notes may be found at:

https://access.redhat.com/articles/3060411

4. Bugs fixed (https://bugzilla.redhat.com/):

1666415 - CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class 1666418 - CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes 1666482 - CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class 1666484 - CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class 1666489 - CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class 1671096 - CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver 1671097 - CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library 1677341 - CVE-2018-11307 jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis

5. References:

https://access.redhat.com/security/cve/CVE-2018-11307 https://access.redhat.com/security/cve/CVE-2018-12022 https://access.redhat.com/security/cve/CVE-2018-12023 https://access.redhat.com/security/cve/CVE-2018-14718 https://access.redhat.com/security/cve/CVE-2018-14719 https://access.redhat.com/security/cve/CVE-2018-19360 https://access.redhat.com/security/cve/CVE-2018-19361 https://access.redhat.com/security/cve/CVE-2018-19362 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/articles/3060411

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2019-3002.html

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-502	Deserialization of Untrusted Data

CPE : Common Platform Enumeration

Type	Description	Count
Application	Fasterxml Jackson-Databind cpe:2.3:a:fasterxml:jackson-databind:2.9.0:-:::::: cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease1:::::: cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease2:::::: cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease3:::::: cpe:2.3:a:fasterxml:jackson-databind:2.9.0:prerelease4:::::: cpe:2.3:a:fasterxml:jackson-databind:2.9.0:pr1:::::: cpe:2.3:a:fasterxml:jackson-databind:2.9.0:pr2:::::: cpe:2.3:a:fasterxml:jackson-databind:2.9.0:pr3:::::: cpe:2.3:a:fasterxml:jackson-databind:2.9.0:pr4:::::: cpe:2.3:a:fasterxml:jackson-databind:2.8.0:rc2:::::: cpe:2.3:a:fasterxml:jackson-databind:2.8.0:rc1:::::: cpe:2.3:a:fasterxml:jackson-databind:2.7.0:rc1:::::: cpe:2.3:a:fasterxml:jackson-databind:2.7.0:rc2:::::: cpe:2.3:a:fasterxml:jackson-databind:2.7.0:rc3:::::: cpe:2.3:a:fasterxml:jackson-databind::::::::	15
Application	Netapp Oncommand Workflow Automation cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*	1
Application	Netapp Snapcenter cpe:2.3:a:netapp:snapcenter:-:::::::*	1
Application	Netapp Steelstore Cloud Integrated Storage cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:::::::: cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:::::::*	2
Application	Oracle Banking Platform cpe:2.3:a:oracle:banking_platform:2.6.2:::::::* cpe:2.3:a:oracle:banking_platform:2.6.1:::::::* cpe:2.3:a:oracle:banking_platform:2.6.0:::::::* cpe:2.3:a:oracle:banking_platform:2.5.0:::::::*	4
Application	Oracle Business Process Management Suite cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:::::::* cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:::::::*	2
Application	Oracle Clusterware cpe:2.3:a:oracle:clusterware:12.1.0.2.0:::::::*	1
Application	Oracle Communications Billing And Revenue Management cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0:::::::* cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:::::::*	2
Application	Oracle Communications Instant Messaging Server cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.3.0:::::::* cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.2.0:::::::*	2
Application	Oracle Database Server cpe:2.3:a:oracle:database_server:19c:::::::* cpe:2.3:a:oracle:database_server:18c:::::::* cpe:2.3:a:oracle:database_server:12.2.0.1:::::::* cpe:2.3:a:oracle:database_server:12.1.0.2:::::::* cpe:2.3:a:oracle:database_server:11.2.0.4:::::::*	5
Application	Oracle Enterprise Manager For Virtualization cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.3.1:::::::* cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.3:::::::* cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.2:::::::*	3
Application	Oracle Financial Services Analytical Applications Infrastructure cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7:::::::* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:::::::* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.5:::::::* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.4:::::::* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.3:::::::* cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.2:::::::*	6
Application	Oracle Global Lifecycle Management Opatch cpe:2.3:a:oracle:global_lifecycle_management_opatch:11.2.0.3.23:::::::* cpe:2.3:a:oracle:global_lifecycle_management_opatch::::::::	2
Application	Oracle Jd Edwards Enterpriseone Orchestrator cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:9.2:::::::*	1
Application	Oracle Jd Edwards Enterpriseone Tools cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:::::::*	1
Application	Oracle Jdeveloper cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:::::::* cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:::::::*	2
Application	Oracle Nosql Database cpe:2.3:a:oracle:nosql_database:19.3.12:::::::* cpe:2.3:a:oracle:nosql_database::::::::	2
Application	Oracle Primavera P6 Enterprise Project Portfolio Management cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:::::::* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.7:::::::* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:17.12:::::::* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2:::::::* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.1:::::::* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.0:::::::* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2:::::::* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1:::::::* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.0:::::::* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.4:::::::* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.3:::::::* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.2:::::::* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:7.0:::::::* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:6.2.1:::::::* cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:6.1:::::::*	15
Application	Oracle Primavera Unifier cpe:2.3:a:oracle:primavera_unifier:18.8:::::::* cpe:2.3:a:oracle:primavera_unifier:17.9:::::::* cpe:2.3:a:oracle:primavera_unifier:17.8:::::::* cpe:2.3:a:oracle:primavera_unifier:17.7:::::::* cpe:2.3:a:oracle:primavera_unifier:17.6:::::::* cpe:2.3:a:oracle:primavera_unifier:17.5:::::::* cpe:2.3:a:oracle:primavera_unifier:17.4:::::::* cpe:2.3:a:oracle:primavera_unifier:17.3:::::::* cpe:2.3:a:oracle:primavera_unifier:17.2:::::::* cpe:2.3:a:oracle:primavera_unifier:17.12:::::::* cpe:2.3:a:oracle:primavera_unifier:17.11:::::::* cpe:2.3:a:oracle:primavera_unifier:17.10:::::::* cpe:2.3:a:oracle:primavera_unifier:17.1:::::::* cpe:2.3:a:oracle:primavera_unifier:17.0:::::::* cpe:2.3:a:oracle:primavera_unifier:16.2.4.0:::::::* cpe:2.3:a:oracle:primavera_unifier:16.2.1.0:::::::* cpe:2.3:a:oracle:primavera_unifier:16.2:::::::* cpe:2.3:a:oracle:primavera_unifier:16.1:::::::* cpe:2.3:a:oracle:primavera_unifier:16.0:::::::* cpe:2.3:a:oracle:primavera_unifier:15.2:::::::* cpe:2.3:a:oracle:primavera_unifier:15.1:::::::* cpe:2.3:a:oracle:primavera_unifier:15.0:::::::* cpe:2.3:a:oracle:primavera_unifier:10.2:::::::* cpe:2.3:a:oracle:primavera_unifier:10.1:::::::* cpe:2.3:a:oracle:primavera_unifier:10.0:::::::* cpe:2.3:a:oracle:primavera_unifier:9.14:::::::* cpe:2.3:a:oracle:primavera_unifier:9.13:::::::* cpe:2.3:a:oracle:primavera_unifier::::::android::* cpe:2.3:a:oracle:primavera_unifier::::::iphone_os::* cpe:2.3:a:oracle:primavera_unifier:::::android:::* cpe:2.3:a:oracle:primavera_unifier:::::iphone_os:::*	31
Application	Oracle Retail Customer Management And Segmentation Foundation cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:17.0:::::::*	1
Application	Oracle Retail Merchandising System cpe:2.3:a:oracle:retail_merchandising_system:16.0:::::::* cpe:2.3:a:oracle:retail_merchandising_system:15.0:::::::*	2
Application	Oracle Retail Workforce Management Software cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9.0.0:::::::*	1
Application	Oracle Siebel Ui Framework cpe:2.3:a:oracle:siebel_ui_framework:18.9:::::::* cpe:2.3:a:oracle:siebel_ui_framework:18.8:::::::* cpe:2.3:a:oracle:siebel_ui_framework:18.7:::::::* cpe:2.3:a:oracle:siebel_ui_framework:18.11:::::::* cpe:2.3:a:oracle:siebel_ui_framework:18.10:::::::* cpe:2.3:a:oracle:siebel_ui_framework:18.0:::::::* cpe:2.3:a:oracle:siebel_ui_framework:17.0:::::::* cpe:2.3:a:oracle:siebel_ui_framework:16.1:::::::* cpe:2.3:a:oracle:siebel_ui_framework:16.0:::::::* cpe:2.3:a:oracle:siebel_ui_framework:8.2.2:::::::* cpe:2.3:a:oracle:siebel_ui_framework:8.1.1:::::::* cpe:2.3:a:oracle:siebel_ui_framework::::::::	12
Application	Oracle Utilities Advanced Spatial And Operational Analytics cpe:2.3:a:oracle:utilities_advanced_spatial_and_operational_analytics:2.7.0.1:::::::*	1
Application	Oracle Webcenter Portal cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::*	1
Application	Redhat Automation Manager cpe:2.3:a:redhat:automation_manager:7.3.1:::::::*	1
Application	Redhat Decision Manager cpe:2.3:a:redhat:decision_manager:7.3.1:::::::*	1
Application	Redhat Jboss Bpm Suite cpe:2.3:a:redhat:jboss_bpm_suite:6.4.11:::::::*	1
Application	Redhat Jboss Brms cpe:2.3:a:redhat:jboss_brms:6.4.10:::::::*	1
Application	Redhat Jboss Enterprise Application Platform cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:::::::*	1
Application	Redhat Openshift Container Platform cpe:2.3:a:redhat:openshift_container_platform:4.6.1:::::::* cpe:2.3:a:redhat:openshift_container_platform:4.6:::::::* cpe:2.3:a:redhat:openshift_container_platform:4.5.16:::::::* cpe:2.3:a:redhat:openshift_container_platform:4.5:::::::* cpe:2.3:a:redhat:openshift_container_platform:4.4:::::::* cpe:2.3:a:redhat:openshift_container_platform:4.3:::::::* cpe:2.3:a:redhat:openshift_container_platform:4.2:::::::* cpe:2.3:a:redhat:openshift_container_platform:4.1:::::::* cpe:2.3:a:redhat:openshift_container_platform:4.0:::::::* cpe:2.3:a:redhat:openshift_container_platform:3.9.31:::::::* cpe:2.3:a:redhat:openshift_container_platform:3.9:::::::* cpe:2.3:a:redhat:openshift_container_platform:3.8:::::::* cpe:2.3:a:redhat:openshift_container_platform:3.7:::::::* cpe:2.3:a:redhat:openshift_container_platform:3.6:::::::* cpe:2.3:a:redhat:openshift_container_platform:3.5:::::::* cpe:2.3:a:redhat:openshift_container_platform:3.4:::::::* cpe:2.3:a:redhat:openshift_container_platform:3.3:::::::* cpe:2.3:a:redhat:openshift_container_platform:3.2:::::::* cpe:2.3:a:redhat:openshift_container_platform:3.11.286:::::::* cpe:2.3:a:redhat:openshift_container_platform:3.11:::::::* cpe:2.3:a:redhat:openshift_container_platform:3.10:::::::* cpe:2.3:a:redhat:openshift_container_platform:3.1:::::::* cpe:2.3:a:redhat:openshift_container_platform:2.2:::::::* cpe:2.3:a:redhat:openshift_container_platform:::::::: cpe:2.3:a:redhat:openshift_container_platform:-:::::::*	25
Application	Redhat Single Sign-On cpe:2.3:a:redhat:single_sign-on:7.3:::::::*	1
Os	Debian Debian Linux cpe:2.3:o:debian:debian_linux:9.0:::::::* cpe:2.3:o:debian:debian_linux:8.0:::::::*	2
Os	Fedoraproject Fedora cpe:2.3:o:fedoraproject:fedora:29:::::::*	1

Alert History

If you want to see full details history, please login or register.

Date	Informations
2020-03-19 13:19:20	First insertion

Global Informations

Type	Count
CWE ID(s)	8
CPE ID(s)	150

	Related
9.8	CVE-2018-19362
9.8	CVE-2018-19361
9.8	CVE-2018-19360
9.8	CVE-2018-14719
9.8	CVE-2018-14718
9.8	CVE-2018-11307
7.5	CVE-2018-12023
7.5	CVE-2018-12022
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 8 more Alert(s)

7.5 - RHSA-2019:3002

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

CPE : Common Platform Enumeration

Alert History

Global Informations

Open Standards

COMPANY

STANDARDS

RECENT POSTS

MENU