Chapter 8. Fixed Issues in Fuse 7.12
The following sections list the issues that have been fixed in Fuse 7.12 and Fuse 7.12.1:
8.1. Enhancements in Fuse 7.12
Issue | Description |
---|---|
Expose loaded plugins to avoid multiple requests to PluginServlet | |
Fuse Console - Allow the possibility to set label at the hawtio CR | |
Certify Fuse 7 on OpenJDK 17 before ELS | |
operators.openshift.io/valid-subscription annotation for operator metadata bundles | |
ensure all CXF tests passed with JDK17 | |
Certify Fuse 7 on RHEL 9 | |
Upgrade to EAP-7.4.10.GA-redhat-00002 | |
8.2. Component Upgrades in Fuse 7.12
The following table lists the component upgrades in Fuse 7.12.
Issue | Description |
---|---|
Upgrade Spring Boot to 2.7.12 | |
Align camel test dependencies to be compatible with JDK17 | |
Align to kafka-clients v3 | |
8.3. Bugs resolved in Fuse 7.12
The following table lists the resolved bugs in Fuse 7.12.
Issue | Description |
---|---|
Offline repository contains org.jboss.fuse.fis.archetypes group name artifacts | |
Next button disabled in SQS step creation until I change the autopopulated queue value | |
Restore using operator binary not working as expected | |
Operator instructions unclear and secret create steps are not easy to debug | |
Discovery of deployed integration API seems disabled but not really | |
support for multicast queue | |
Error exclamation marks doesn’t show error message | |
Build leveldb-jni for x86 | |
validation error when connecting to an https endpoint | |
Failed to watch errors printed in the operator logs | |
Hawtio - CSP issues when using Hawtio with Keycloak | |
FIPS on OCP - Jolokia agent doesn’t start due to unsupported security encoding | |
FIPS on OCP - karaf-maven-plugin assembly goal fails to unsupported security provider | |
Quickstart spring-boot-camel-amq integrations tests references old AMQ Broker version | |
Provide a source container image for apicurito | |
[Syndesis] CVE-2022-24785 Moment.js: Path traversal in moment.locale [fuse-7] | |
Fuse hawtio includes HTTPClient 3.1 - CVE-2012-5783 | |
AMQ6 image - V2 schema 1 manifest digest are no longer supported for image pulls | |
Missing dataformats fhir-json/fhir-xml/xml-json in runtime specific catalogs | |
Send correct UMB messages for container builds | |
Camel http4 producer encodes array data to the http uri parameter as comma separated instead of multi-values parameters | |
CVE-2022-42920 apache-bcel: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing [fuse-7] | |
Backport request for ENTMQCL-2977 to Fuse 7.11.x | |
CVE-2022-41940 engine.io: Specially crafted HTTP request can trigger an uncaught exception [fuse-7] | |
Incomplete fix of CVE-2020-13956 | |
CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [fuse-7] | |
CVE-2022-41854 dev-java-snakeyaml: dev-java/snakeyaml: DoS via stack overflow [fuse-7] | |
CVE-2022-40146 batik: Server-Side Request Forgery (SSRF) vulnerability [fuse-7] | |
CVE-2022-38398 batik: Server-Side Request Forgery [fuse-7] | |
CVE-2022-38648 batik: Server-Side Request Forgery [fuse-7] | |
CVE-2022-46364 CXF: Apache CXF: SSRF Vulnerability [fuse-7] | |
CVE-2022-46363 CXF: Apache CXF: directory listing / code exfiltration [fuse-7] | |
CVE-2022-4492 undertow: Server identity in https connection is not checked by the undertow client [fuse-7] | |
CVE-2022-41946 jdbc-postgresql: postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions [fuse-7] | |
Errors during Karaf startup with jdk17 | |
Errors during EAP startup with jdk17 | |
CVE-2022-45143 tomcat: JsonErrorReportValve injection [fuse-7] | |
CVE-2022-36437 hazelcast: Hazelcast connection caching [fuse-7] | |
Review patch-maven-plugin | |
A custom fuse console route doesn’t work. | |
AutomaticRecovery from RabbitMQ Connection Factory is always creating a new connection | |
fuse-patch may incorrectly report that a patch has already been applied | |
netty4-http forwards a bad response (exception + http code 200) | |
CXF test errors after upgrading to Karaf 4.4 and Pax Web 8 | |
Any issue with camel-aws 2.23 component with TLS 1.3 in Fuse 7.11 ? | |
Camel test errors after upgrading to Karaf 4.4 and Pax Web 8 | |
Multicast not returning aggregated | |
Hazelcast upgrade seems to break JCache Integration | |
Wrong javax/mail/mail version used in fuse projects. | |
Wrong log4j-slf4j18-impl version is used fuse projects. | |
[Hawtio] Can’t login in Karaf | |
CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element’s hash values raising a stack overflow [fuse-7] | |
cxf - server transport isn’t up properly | |
[Karaf] JCE cannot authenticate the provider BC | |
Use groupified API versions in json files | |
Karaf pax web - OPTIONS methods not exposed | |
Hibernate fuse version clashes with spring boot | |
[Karaf] JMX ACL MBean authentication problem | |
[Karaf] 10 features cannot be installed | |
Fuse archetype Spring Boot properties in SB1 format | |
camel-master component is unable to load cluster service | |
CVE-2023-1108 undertow: Infinite loop in SslConduit during close [fuse-7] | |
[Karaf] Jasypt encryption problem JDK 17 and RHEL8-FIPS | |
[Standalone] No response messages via fuse client | |
[Standalone] Colorised commands in history | |
[Fuse on Openshift] - Wrong Docker image reference in Quickstarts | |
[Fuse on Openshift] - Application templates - No tag "1.12" with image streams in fis-image-streams.json | |
[Fuse on Openshift] - Wrong WILDFLY version in EAP images JDK8/11 | |
[Fuse on Openshift] - Application templates - Templates filled with old 7.11 references | |
[Patching] Unable to patch 7.11 to 7.12 | |
[karaf FoO] unable to use client into the POD | |
CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern [fuse-7] | |
CVE-2023-20861 springframework: Spring Expression DoS Vulnerability [fuse-7] | |
Camel 2.23 tests do not support jdk17 | |
Wildfly Camel 5.10 tests do not support jdk17 | |
CXF 3.3.6 tests do not support jdk17 | |
[Karaf] Doesn’t install features | |
Camel Mail Component doesn’t use host/port information from session URI parameter | |
CVE-2022-4492, ensure that Syndesis is using fixed undertow | |
CVE-2023-1108 undertow: Infinite loop in SslConduit during close (fuse online) | |
CVE-2022-41704 batik: Apache XML Graphics Batik vulnerable to code execution via SVG [fuse-7] | |
CVE-2022-42890 batik: Untrusted code execution in Apache XML Graphics Batik [fuse-7] | |
CVE-2023-22602 shiro-core: shiro: Authentication bypass through a specially crafted HTTP request [fuse-7] | |
[Fuse On Openshift] QS spring-boot-camel-amq contains a removed image | |
[Fuse On Openshift] QS Spring-Boot Camel Rest SQL reports wrong deployment step in README | |
[Fuse On Openshift] Adjust Pod metering label rht.prod_ver formatting | |
[Fuse on Openshift] QS Spring-Boot Camel Config fails on Spring Cloud due to SB upgrade | |
Unable to install karaf features separately | |
[Fuse On Openshift] QS Spring-Boot Camel Rest SQL throws bad SQL grammar exception | |
[Fuse On Openshift] QS Spring-Boot Camel XA throws bad SQL grammar exception on PostGresSQL connection | |
Hawtio console metrics shows free memory instead of used | |
Pax-web-jetty features cannot be installed | |
[Fuse standalone] Exception in log jdk11 and jdk17 | |
CVE-2023-20860, ensure that Syndesis is using fixed springframework | |
Cannot install CVE patch on top of 7.12 | |
CVE-2022-41854, ensure that Syndesis is using fixed snakeyaml | |
Remove org.apache.tomcat.embed dependencies from cxf-spring-boot-starter-jaxrs | |
[Fuse On Openshift] QS Spring-Boot Camel-Drools, unable to create Kie Server | |
[Fuse on Openshift] QS Spring Boot Camel Singleton, app won’t start | |
[Fuse on Openshift] - Karaf - Unable to resolve missing requirement in a cxf-jaxrs application | |
CVE-2023-20861, ensure that Syndesis is using fixed springframework | |
CVE-2022-41946, ensure that Syndesis is using fixed jdbc-postgresql | |
Karaf, some bundle versions are not inline with versions specified in karaf-bom | |
Memory leak in pax-url-aether | |
CXF 3.3.6 downstream failures | |
CVE-2023-20863 springframework: Spring Expression DoS Vulnerability [fuse-7] | |
Unattended Jolokia Queries Not Working When Keycloak is Integrated for Access Control | |
[Offliner] Files cannot be downloaded using offliner manifest file | |
[Offliner] Missing artifacts | |
Apicurito pods contain metering labels with incorrect values | |
CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) [fuse-7] | |
[Fuse on Openshift] Wrong version in Quickstart BOM | |
Remove or refactor non-working quickstart spring-boot-camel-soap-rest-bridge | |
Wildfly camel 5.10.0 downstream failure | |
[Fuse on Openshift] - Illegal access on java.xml module using Karaf, jaxws and JDK17, because xerces packages are not exposed | |
[Fuse on Openshift] - In camel-jdbc on Karaf, can’t retrieve a column from the body exchange | |
Camel-Velocity: Deprecation warnings | |
SpringFramework caches a missed TypeConverter and user can not clean it | |
[Fuse On Openshift] - Dismiss/Remove RHOSAK Quickstarts | |
CVE-2022-31692 spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security [fuse-7] | |
Invalid qualifier for Karaf bundle | |
CVE-2023-20883 spring-boot: Spring Boot Welcome Page DoS Vulnerability [fuse-7] | |
patch-maven-plugin doesn’t work with Maven 3.9 | |
Missing refs/tags on GitHub | |
[Fuse Standalone] Camel-chunk feature missing dependency | |
CXF 3.3.6 downstream failures | |
CVE-2023-1370, ensure that Syndesis is using fixed json-smart | |
[Karaf] Jasypt encryption problem JDK 17 and RHEL8-FIPS | |
Camel health check behaviour change on Spring Boot runtime | |
8.4. Bugs resolved in Fuse 7.12.1
The following table lists the resolved bugs in Fuse 7.12.1.
Issue | Description |
---|---|
New Fuse Console deployments don’t work after yearly "openshift-service-serving-signer" certificate rotation. | |
[JDG-4351][JBMAR-235] camel-infinispan requires jboss-marshalling update from 2.0.9.Final to 2.0.11.Final onwards | |
Fuse on Openshift image uses very old jmx_prometheus_javaagent.jar | |
Karaf won’t start when using JDK 11.0.20 | |
NullPointerException when logging is at WARN level | |
Problem using -Dpatch for patch-maven-plugin with Maven 3.9 | |
Cannot install patch 7.12.1 on top of 7.12 | |
camel-http4 with toD does not work on Karaf | |
pollEnrich files component behavior change between 6.3 and 7.11 | |
CVE-2023-46604 activemq-openwire: OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack [fuse-7] | |
CVE-2023-40167 jetty-http: jetty: Improper validation of HTTP/1 content-length [fuse-7] | |
CVE-2023-3223 undertow: OutOfMemoryError due to @MultipartConfig handling [fuse-7] | |
CVE-2023-36479 jetty-servlets: jetty: Improper addition of quotation marks to user inputs in CgiServlet [fuse-7] | |
CVE-2023-39410 avro: apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK [fuse-7] | |
CVE-2023-34034 spring-security: spring-security-webflux: path wildcard leads to security bypass [fuse-7] | |
CVE-2023-44487 undertow: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) [fuse-7] | |
CVE-2023-36478 http2-hpack: jetty: hpack header values cause denial of service in http/2 [fuse-7] | |
CVE-2023-41900 jetty-openid: jetty: OpenId Revoked authentication allows one request [fuse-7] | |