Chapter 8. Fixed Issues in Fuse 7.11, 7.11.1 and {version-micro-1-patch-1}
The following sections list the issues that have been fixed in Fuse 7.11:
8.1. Enhancements in Fuse {version-micro-1-patch-1}
Issue | Description |
---|---|
Ability to patch fuse-karaf-framework | |
Review patch-maven-plugin |
8.1.1. Fuse Online {version-micro-1-patch-1}
With the fix in ENTESB-18335, you can use patching information from the patch-maven-plugin in a Maven project that builds a custom Karaf distribution.
You can do this by passing patch metadata information between org.jboss.redhat-fuse/patch-maven-plugin and org.jboss.redhat-fuse/karaf-maven-plugin (a repackaged org.apache.karaf.tooling/karaf-maven-plugin). However, the format of this information is not compatible with org.apache.maven.plugins/maven-surefire-plugin.
Using org.jboss.redhat-fuse/karaf-maven-plugin
8.1.1.1. Normal scenario
When using Fuse Karaf, Fuse Spring Boot, and Fuse EAP, it is important to use a relevant BOM, as shown in the following examples:
Fuse Karaf
Fuse EAP
Fuse SpringBoot
With these BOMs, you typically declare karaf-maven-plugin like this:
Sample karaf-maven-plugin declaration
8.1.1.2. Using org.jboss.redhat-fuse/karaf-maven-plugin for patching
The benefit of using org.jboss.redhat-fuse/karaf-maven-plugin is that you can use the same version of the BOM and declare another plugin, the patch-maven-plugin:
Sample patch-maven-plugin declaration
With the patch-maven-plugin extension, every build is compared to the available CVE fixes in Red Hat’s Maven repository, so every build can be patched according to the CVE metadata.
8.1.1.3. Fixing the problem of patch-maven-plugin maven-surefire-plugin incompatibility
The fixes to the plugins (patch-maven-plugin and karaf-maven-plugin) are available in versions that are different from the BOM version.
For a Karaf Maven project, this means the setup can contain different versions in the fuse and plugins properties:
Sample Karaf Maven Project
While the BOM version doesn’t change, a new version of the BOM is necessary for the patch-maven-plugin and the karaf-maven-plugin.
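The version split described in this section could look like the following pom.xml fragment. This is an added example, not taken from the original page or from Red Hat's documentation; the property names version.fuse.bom and version.fuse.plugins and both version values are placeholders, and fuse-karaf-bom is assumed as the relevant BOM artifact.

```xml
<!-- Added example: fragment of a pom.xml for a custom Karaf distribution. -->
<project>
  <properties>
    <!-- Hypothetical property names; both values are placeholders, not real versions. -->
    <version.fuse.bom>BOM-VERSION-PLACEHOLDER</version.fuse.bom>
    <version.fuse.plugins>PLUGIN-VERSION-PLACEHOLDER</version.fuse.plugins>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- The BOM import keeps its own version (artifactId assumed). -->
      <dependency>
        <groupId>org.jboss.redhat-fuse</groupId>
        <artifactId>fuse-karaf-bom</artifactId>
        <version>${version.fuse.bom}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <!-- Both plugins use the separate plugin version that carries the fix. -->
      <plugin>
        <groupId>org.jboss.redhat-fuse</groupId>
        <artifactId>karaf-maven-plugin</artifactId>
        <version>${version.fuse.plugins}</version>
        <extensions>true</extensions>
      </plugin>
      <!-- Declared as a build extension so patch metadata is applied to the build. -->
      <plugin>
        <groupId>org.jboss.redhat-fuse</groupId>
        <artifactId>patch-maven-plugin</artifactId>
        <version>${version.fuse.plugins}</version>
        <extensions>true</extensions>
      </plugin>
    </plugins>
  </build>
</project>
```

Keeping the two versions in separate properties lets the plugins move to a fixed release without touching the BOM import.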
8.2. Enhancements in Fuse 7.11 and 7.11.1
The following table lists the enhancements in Fuse 7.11 and Fuse 7.11.1.
Issue | Description |
---|---|
Performance improvements on Camel File component |
Issue | Description |
---|---|
Remove deprecated algorithms from karaf ssh | |
More flexible Fuse-Karaf feature patching | |
Viewing AMQ Brokers from Fuse Console as a GA functionality |
8.3. Feature requests in Fuse 7.11
The following table lists the feature requests in Fuse 7.11.
Issue | Description |
---|---|
CSV Support in Atlasmap | |
Add option to not install AMQ Broker | |
OCP and RHEL FIPS support in Fuse [Standalone/FoO] | |
Create "latest" OLM channel | |
[Fuse Console] Add a preference to toggle on/off the side nav by default | |
[Fuse Console] Spring Boot Info view |
8.4. Component Upgrades in Fuse 7.11 and 7.11.1
The following table lists the component upgrades in Fuse 7.11.1.
Issue | Description |
---|---|
Upgrade to BouncyCastle 1.72 | |
Upgrade Artemis plugin to AMQ 7.10.1 |
The following table lists the component upgrades in Fuse 7.11.
Issue | Description |
---|---|
Align to EAP 7.4.4 | |
Align to Spring Boot 2.5.12 / Spring Framework 5.3.18 / Spring Security 5.5.5 | |
Upgrade to camel-2.23.2.fuse-7_11_0-00012 | |
Align to EAP 7.4.5 | |
Upgrade to Xerces 2.12.2 / SMX 2.12.2_1 | |
Align to ActiveMQ 5.11.0.redhat-630516 (6.3.0.R20) | |
Upgrade to felix.fileinstall 3.7.x | |
Fuse Online 7.11 Component Alignment | |
Upgrade to Undertow 2.2.16 | |
Align to A-MQ 7.8.4 | |
Upgrade to xchange 5.0.11 |
8.5. Bugs resolved in Fuse 7.11 and 7.11.1
The following tables list the resolved bugs in Fuse 7.11 and 7.11.1.
Issue | Description |
---|---|
CVE-2022-42889 commons-text: apache-commons-text: variable interpolation RCE [fuse-7] | |
EMPTY TAGS IN XML AND NULL VALUES IN JSON VR.2.3.17 | |
Transforming a json body via JSONPath returns a string where the json object keys aren’t quoted | |
CXF client sends the SOAPAction header without quotes | |
The MBeanInvocationHandler fix in JIRA ENTESB-19690 was incomplete and it ends up with an UndeclaredThrowableException being thrown. | |
Backport KARAF-7234 fix for MBeanInvocationHandler | |
mimeMultipart dataformat is not included in the XML DSL for marshal/unmarshal | |
[Hawtio] 014 Missing setting allows cookies to be sent from third parties | |
[Hawtio] 009 Insecure CORS policy may allow malicious scripts to steal user data | |
[Hawtio] 005 Web server responses missing referrer-policy header | |
[Hawtio] 001 Misconfiguration may expose users to Click-jacking | |
java.lang.ClassNotFoundException: com.mongodb.event.ConnectionPoolCreatedEvent | |
Review Bootstrap CVEs reported by UPS | |
Micrometer Dependency Issue wrt Spring Boot and Camel | |
AutomaticRecovery from RabbitMQ Connection Factory doesn’t recover from everything | |
fabric8-camel:validate fails downloading the right camel version | |
Create api connector from wsdl throws Missing property portName | |
In the split(), camel-jpa producer creates a new EntityManager and does not obtain one from the current transaction | |
camel-jpa producer does not reuse existing EntityManager in transaction and create its own one | |
Operator fails to create an Apicurito CR with a route hostname option configured | |
com.jcraft.jsch module missing bouncycastle dependency | |
CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS [fuse-7] | |
Cannot build Fuse 7 project with spring-boot-starter-webflux | |
The "fuse-pax-transx-tm-narayana" bundle is missing "javax.security.cert" import packages | |
CVE-2022-33980 commons-configuration2: apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults [fuse-7] | |
For a springboot CXF deployment, "server.shutdown=graceful" does not work as expected | |
CVE-2021-31684 json-smart: Denial of Service in JSONParserByteArray function [fuse-7] | |
Multibyte characters garbled when importing a json file by API Designer | |
access logging support by cxf with embedded undertow server on karaf does not log URI | |
CVE-2022-2053 undertow: Large AJP request may cause DoS [fuse-7] | |
Errors when deploying the .kar file | |
camel-salesforce throwing java.lang.IllegalArgumentException: Buffering capacity 4194304 exceeded | |
Cannot use a custom route in Fuse Console deployed by Operator | |
CVE-2022-24785 Moment.js: Path traversal in moment.locale [fuse-7] |
Issue | Description |
---|---|
camel-sftp: check for existence of remote directory using ls is very slow | |
Fuse console on OCP — broker management feature is unusable | |
Fuse Online is not able to be installed on OpenShift 4.11 (nightly build) | |
Viewing AMQ Brokers from Fuse Console as a GA functionality | |
Camel Kafka Component unable to load Kerberos LoginModule | |
statistics Level "RoutesOnly" include processors metrics | |
AMQP connection failover doesn’t work when connecting to AMQ Broker via OpenShift routes | |
CVE-2022-22968 in Fuse 7 | |
Unable to install 6 Karaf features | |
Attempts to get / read entities fail when using an external transaction context | |
EntityManager not shared with parent context. | |
camel-jms - InOut with reply-to-type shared - race condition | |
CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects [fuse-7] | |
enricher causes connection leak | |
Fuse console operator installed from Operator Hub does not define resource requests or limits | |
CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS [fuse-7] | |
camel-openapi-java - Schema Definitions not generating correctly | |
ROUTE_HOSTNAME is not available with the Operator "Red Hat Integration - API Designer" | |
Fuse Online Installation Fails on OpenShift 4.6 and Succeeds on OpenShift 4.8 With Same Hardware and Resources | |
left/right/end keys do not work in Fuse/karaf shell on Windows through SSH | |
CVE-2021-22060 springframework: Additional Log Injection in Spring Framework (follow-up to CVE-2021-22096) [fuse-7] | |
Log4j2 in 7.x is slower than Log4j in 6.x | |
CVE-2022-21724 jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes [fuse-7] | |
Issue with the ref endpoint | |
CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data [fuse-7] | |
CVE-2022-23181 tomcat: local privilege escalation vulnerability [fuse-7] | |
toCharArray fails when used with property in fuse on Windows | |
input Stream not closed when jmsMessageType=Stream | |
Suboptimal locking in CXF | |
CVE-2021-42550 logback-classic: logback: remote code execution through JNDI call from within its configuration file [fuse-7] | |
Fuse 7 BlueprintPropertiesParser ConcurrentModificationException | |
Spring security implementation using aries-blueprint-spring feature | |
camel-cxf mtomEnabled property is wrongly override | |
Fuse 7 on EAP 7: ClassNotFoundException: org.springframework.web.context.support.WebApplicationContextUtils | |
CVE-2021-22096 springframework: malicious input leads to insertion of additional log entries [fuse-7] | |
The camel-core 2.23.2.fuse-7_10_0-00020-redhat-00001 has jaxb 2.3.0 dependency | |
Problem parsing JDBC URL for DB2 with properties in pax-jdbc-db2 | |
[CAMEL-14372] Validator component fails with java.lang.IllegalArgumentException: protocol = http host = null | |
[7.x] NPEs logged when a field is empty/null in SAP Document | |
CXF producer can not process payloads worth more than 16KB if streaming is off and maxRetransmits > 1 | |
[7.x] The pax-web-jetty library disabled HTTP TRACE method by incorrectly exposing "javax.servlet.ServletException" | |
Atlas Map - The custom transformation doesn’t appear in the dropdown box | |
Atlas Map - same name element with a different inline type in the XSD is wrongly cached | |
LC_ALL cannot be set in Fuse Image 7.9.0 | |
Fuse + AtlasMap: Unrecognized field "dataSourceType" | |
[HHH-14229] javax.persistence.ForeignKey doesn’t respect ConstraintMode.NO_CONSTRAINT | |
Fuse console client auth fails when multiple cert authorities are present in jolokia caCert file | |
[Hawtio] Logout button disappears | |
On Camel MLLP component ENTESB-17673 [Hawtio] Latest chrome version differs from RHEL7 and RHEL8 |
CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS [fuse-7] | |
Read timeout doesn’t work on camel undertow producer |