[RHSA-2014:0497-01] Important: Red Hat JBoss Fuse 6.1.0 security update

bugzilla at redhat.com bugzilla at redhat.com
Wed May 14 18:39:11 UTC 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Fuse 6.1.0 security update
Advisory ID:       RHSA-2014:0497-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0497.html
Issue date:        2014-05-14
CVE Names:         CVE-2014-0114 
=====================================================================

1. Summary:

Red Hat JBoss Fuse 6.1.0 Patch 1, a security update that addresses one
security issue, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having
Important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

2. Description:

Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,
flexible, open source enterprise service bus and integration platform.

It was found that the Struts 1 ActionForm object allowed access to the
'class' parameter, which is directly mapped to the getClass() method.
A remote attacker could use this flaw to manipulate the ClassLoader used by
an application server running Struts 1. This could lead to remote code
execution under certain conditions. (CVE-2014-0114)

Refer to the readme.txt file included with the patch files for
installation instructions.

All users of Red Hat JBoss Fuse 6.1.0 as provided from the Red Hat Customer
Portal are advised to apply this security update.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1091938 - CVE-2014-0114 Apache Struts 1: Class Loader manipulation via request parameters

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-0114.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.1.0

6. Contact:

The Red Hat security contact is <secalert at redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTc7gtXlSAg2UNWIIRAr7cAJ9zJ3uqGVLEEney+gk6nhCGJ50PIgCfa7iV
8U92NLXYlBTNpH4tE6VvPCA=
=UW0c
-----END PGP SIGNATURE-----

More information about the RHSA-announce mailing list