Malicious PATCH requests submitted to servers using Spring Data REST-backed HTTP resources can use specially crafted JSON data to run arbitrary Java code.
Spring Data REST is not supported in RHOAR.
Please be sure to select a version of Spring Data REST which is not affected by this issue:
Spring Data REST 2.6.9 (Ingalls SR9, Oct. 27th, 2017)
Spring Data REST 3.0.1 (Kay SR1, Oct. 27th, 2017)
While there might be compatibility issues when upgrading Spring Data REST independently of the Spring Boot version, we recommend that customers make sure they are using a fixed version of Spring Data REST, 2.6.9 or 3.0.1. RHOAR has now upgraded to version 1.5.10 of Spring Boot, which is compatible with fixed versions of Spring Data REST.
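One way to check a build against the fixed releases named above, as an added example (not Red Hat's or the Spring project's code): it scans `mvn dependency:tree` output or jar file names for `spring-data-rest-*` artifacts and flags any below 2.6.9 on the 2.x line or below 3.0.1 otherwise. The sample lines are constructed, and treating every lower version as not fixed is an assumption based only on the versions this page lists.

```python
import re

# Fixed releases named in the advisory text above.
FIXED_2X = (2, 6, 9)  # Ingalls SR9
FIXED_3X = (3, 0, 1)  # Kay SR1

# Matches Maven coordinates (spring-data-rest-webmvc:jar:2.6.8.RELEASE)
# and jar file names (spring-data-rest-webmvc-2.6.8.RELEASE.jar).
ARTIFACT_RE = re.compile(r"(spring-data-rest-[a-z-]+?)(?::jar:|-)(\d+)\.(\d+)\.(\d+)")

# Constructed sample input: dependency:tree lines and fat-jar entries.
SAMPLE = [
    "[INFO] +- org.springframework.data:spring-data-rest-webmvc:jar:2.6.8.RELEASE:compile",
    "[INFO] +- org.springframework.data:spring-data-rest-core:jar:2.6.8.RELEASE:compile",
    "BOOT-INF/lib/spring-data-rest-webmvc-3.0.1.RELEASE.jar",
    "BOOT-INF/lib/spring-data-rest-core-3.0.0.RELEASE.jar",
    "BOOT-INF/lib/spring-boot-starter-data-rest-1.5.9.RELEASE.jar",
    "BOOT-INF/lib/spring-data-rest-webmvc-2.6.9.RELEASE.jar",
]


def is_fixed(version):
    """True if a (major, minor, patch) tuple is at or above a fixed release.

    Assumption: anything below 2.6.9 on the 2.x line, or below 3.0.1
    otherwise, is treated as not fixed. Qualifiers (RELEASE, RC1) are ignored.
    """
    if version[0] == 2:
        return version >= FIXED_2X
    return version >= FIXED_3X


def audit(lines):
    """Return sorted (artifact, version, fixed) tuples found in the lines."""
    findings = set()
    for line in lines:
        for m in ARTIFACT_RE.finditer(line):
            version = tuple(int(m.group(i)) for i in (2, 3, 4))
            text = ".".join(str(n) for n in version)
            findings.add((m.group(1), text, is_fixed(version)))
    return sorted(findings)


if __name__ == "__main__":
    for artifact, version, fixed in audit(SAMPLE):
        print(f"{'ok     ' if fixed else 'UPGRADE'} {artifact} {version}")
```

The Spring Boot starter jar is deliberately not matched, since its version is the Spring Boot version rather than the Spring Data REST version.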
This issue has been addressed in the following products:
Red Hat Fuse Integration Services 2.0 based on Fuse 6.3 R7
Via RHSA-2018:2405 https://access.redhat.com/errata/RHSA-2018:2405