Red Hat Security Advisory 2022-6823-01

Red Hat Security Advisory 2022-6823-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.7 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.6, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.7 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include a denial of service vulnerability.

Packet Storm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.4.7 Security update
Advisory ID: RHSA-2022:6823-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6823
Issue date: 2022-10-05
CVE Names: CVE-2022-1259 CVE-2022-2053 CVE-2022-25857
=====================================================================

  1. Summary:

A security update is now available for Red Hat JBoss Enterprise Application
Platform 7.4 for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

  2. Relevant releases/architectures:

Red Hat JBoss EAP 7.4 for RHEL 9 - noarch, x86_64

  3. Description:

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java
applications based on the WildFly application runtime. This release of Red
Hat JBoss Enterprise Application Platform 7.4.7 serves as a replacement for
Red Hat JBoss Enterprise Application Platform 7.4.6, and includes bug fixes
and enhancements. See the Red Hat JBoss Enterprise Application Platform
7.4.7 Release Notes for information about the most significant bug fixes
and enhancements included in this release.

Security Fix(es):

  • undertow: Large AJP request may cause DoS (CVE-2022-2053)

  • undertow: potential security issue in flow control over HTTP/2 may lead
    to DoS. Incomplete fix for CVE-2021-3629 (CVE-2022-1259)

  • snakeyaml: Denial of Service due to missing nested depth limitation for
    collections (CVE-2022-25857)

  4. Solution:

Before applying this update, ensure all previously released errata relevant
to your system have been applied. For details about how to apply this
update, see: https://access.redhat.com/articles/11258

  5. Bugs fixed (https://bugzilla.redhat.com/):

2072339 - CVE-2022-1259 undertow: potential security issue in flow control over HTTP/2 may lead to DOS(incomplete fix for CVE-2021-3629)
2095862 - CVE-2022-2053 undertow: Large AJP request may cause DoS
2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections

  6. JIRA issues fixed (https://issues.jboss.org/):

JBEAP-23620 - Tracker bug for the EAP 7.4.7 release for RHEL-9
JBEAP-23687 - GSS Upgrade Ironjacamar from 1.5.3.SP1-redhat-00001 to 1.5.3.SP2-redhat-00001
JBEAP-23738 - (7.4.z) Upgrade jastow from 2.0.9.Final-redhat-00001 to 2.0.11.Final-redhat-00001
JBEAP-23741 - GSS Upgrade Undertow from 2.2.18.SP2-redhat-00001 to 2.2.19.SP2-redhat-00001
JBEAP-23753 - (7.4.z) Upgrade HAL from 3.3.13.Final-redhat-00001 to 3.3.14.Final-redhat-00001
JBEAP-23772 - GSS Upgrade Mojarra from 2.3.14.SP05-redhat-00001 to 2.3.14.SP06-redhat-00001
JBEAP-23794 - (7.4.z) Upgrade Elytron from 1.15.13.Final-redhat-00001 to 1.15.14.Final-redhat-00001
JBEAP-23802 - (7.4.z) Upgrade WildFly Core from 15.0.15.Final-redhat-00001 to 15.0.17.Final-redhat-00001
JBEAP-23803 - (7.4.z) Upgrade Artemis from 2.16.0.redhat-00042 to 2.16.0.redhat-00045
JBEAP-23805 - (7.4.z) Upgrade jboss-ejb-client from 4.0.44.Final-redhat-00001 to 4.0.45.Final-redhat-00001
JBEAP-23816 - (7.4.z) Upgrade RESTEasy from 3.15.3.Final-redhat-00001 to 3.15.4.Final-redhat-00001
JBEAP-23818 - GSS WFLY-16607 - Application deployment fails with EJB components in EAP 7.4 Update 5 and works fine with Update 1
JBEAP-23869 - GSS Upgrade JBoss VFS from 3.2.16.Final-redhat-00001 to 3.2.17.Final-redhat-00001
JBEAP-23881 - GSS Upgrade Hibernate ORM from 5.3.27.Final-redhat-00001 to 5.3.28.Final-redhat-00001
JBEAP-23912 - (7.4.z) Upgrade WildFly Core from 15.0.17.Final-redhat-00001 to 15.0.18.Final-redhat-00001

  7. Package List:

Red Hat JBoss EAP 7.4 for RHEL 9:

Source:
eap7-activemq-artemis-2.16.0-10.redhat_00045.1.el9eap.src.rpm
eap7-glassfish-jsf-2.3.14-5.SP06_redhat_00001.1.el9eap.src.rpm
eap7-hal-console-3.3.14-1.Final_redhat_00001.1.el9eap.src.rpm
eap7-hibernate-5.3.28-1.Final_redhat_00001.1.el9eap.src.rpm
eap7-ironjacamar-1.5.3-3.SP2_redhat_00001.1.el9eap.src.rpm
eap7-jboss-ejb-client-4.0.45-1.Final_redhat_00001.1.el9eap.src.rpm
eap7-jboss-server-migration-1.10.0-20.Final_redhat_00019.1.el9eap.src.rpm
eap7-jboss-vfs-3.2.17-1.Final_redhat_00001.1.el9eap.src.rpm
eap7-netty-4.1.77-3.Final_redhat_00001.1.el9eap.src.rpm
eap7-netty-tcnative-2.0.52-3.Final_redhat_00001.1.el9eap.src.rpm
eap7-netty-transport-native-epoll-4.1.77-3.Final_redhat_00001.1.el9eap.src.rpm
eap7-resteasy-3.15.4-1.Final_redhat_00001.1.el9eap.src.rpm
eap7-snakeyaml-1.31.0-1.redhat_00001.1.el9eap.src.rpm
eap7-undertow-2.2.19-1.SP2_redhat_00001.1.el9eap.src.rpm
eap7-undertow-jastow-2.0.11-1.Final_redhat_00001.1.el9eap.src.rpm
eap7-wildfly-7.4.7-3.GA_redhat_00003.1.el9eap.src.rpm
eap7-wildfly-elytron-1.15.14-1.Final_redhat_00001.1.el9eap.src.rpm
eap7-wildfly-http-client-1.1.13-1.SP1_redhat_00001.1.el9eap.src.rpm

noarch:
eap7-activemq-artemis-2.16.0-10.redhat_00045.1.el9eap.noarch.rpm
eap7-activemq-artemis-cli-2.16.0-10.redhat_00045.1.el9eap.noarch.rpm
eap7-activemq-artemis-commons-2.16.0-10.redhat_00045.1.el9eap.noarch.rpm
eap7-activemq-artemis-core-client-2.16.0-10.redhat_00045.1.el9eap.noarch.rpm
eap7-activemq-artemis-dto-2.16.0-10.redhat_00045.1.el9eap.noarch.rpm
eap7-activemq-artemis-hornetq-protocol-2.16.0-10.redhat_00045.1.el9eap.noarch.rpm
eap7-activemq-artemis-hqclient-protocol-2.16.0-10.redhat_00045.1.el9eap.noarch.rpm
eap7-activemq-artemis-jdbc-store-2.16.0-10.redhat_00045.1.el9eap.noarch.rpm
eap7-activemq-artemis-jms-client-2.16.0-10.redhat_00045.1.el9eap.noarch.rpm
eap7-activemq-artemis-jms-server-2.16.0-10.redhat_00045.1.el9eap.noarch.rpm
eap7-activemq-artemis-journal-2.16.0-10.redhat_00045.1.el9eap.noarch.rpm
eap7-activemq-artemis-ra-2.16.0-10.redhat_00045.1.el9eap.noarch.rpm
eap7-activemq-artemis-selector-2.16.0-10.redhat_00045.1.el9eap.noarch.rpm
eap7-activemq-artemis-server-2.16.0-10.redhat_00045.1.el9eap.noarch.rpm
eap7-activemq-artemis-service-extensions-2.16.0-10.redhat_00045.1.el9eap.noarch.rpm
eap7-activemq-artemis-tools-2.16.0-10.redhat_00045.1.el9eap.noarch.rpm
eap7-glassfish-jsf-2.3.14-5.SP06_redhat_00001.1.el9eap.noarch.rpm
eap7-hal-console-3.3.14-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-hibernate-5.3.28-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-hibernate-core-5.3.28-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-hibernate-envers-5.3.28-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-ironjacamar-1.5.3-3.SP2_redhat_00001.1.el9eap.noarch.rpm
eap7-ironjacamar-common-api-1.5.3-3.SP2_redhat_00001.1.el9eap.noarch.rpm
eap7-ironjacamar-common-impl-1.5.3-3.SP2_redhat_00001.1.el9eap.noarch.rpm
eap7-ironjacamar-common-spi-1.5.3-3.SP2_redhat_00001.1.el9eap.noarch.rpm
eap7-ironjacamar-core-api-1.5.3-3.SP2_redhat_00001.1.el9eap.noarch.rpm
eap7-ironjacamar-core-impl-1.5.3-3.SP2_redhat_00001.1.el9eap.noarch.rpm
eap7-ironjacamar-deployers-common-1.5.3-3.SP2_redhat_00001.1.el9eap.noarch.rpm
eap7-ironjacamar-jdbc-1.5.3-3.SP2_redhat_00001.1.el9eap.noarch.rpm
eap7-ironjacamar-validator-1.5.3-3.SP2_redhat_00001.1.el9eap.noarch.rpm
eap7-jboss-ejb-client-4.0.45-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-jboss-server-migration-1.10.0-20.Final_redhat_00019.1.el9eap.noarch.rpm
eap7-jboss-server-migration-cli-1.10.0-20.Final_redhat_00019.1.el9eap.noarch.rpm
eap7-jboss-server-migration-core-1.10.0-20.Final_redhat_00019.1.el9eap.noarch.rpm
eap7-jboss-vfs-3.2.17-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-4.1.77-3.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-buffer-4.1.77-3.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-codec-4.1.77-3.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-codec-dns-4.1.77-3.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-codec-haproxy-4.1.77-3.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-codec-http-4.1.77-3.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-codec-http2-4.1.77-3.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-codec-memcache-4.1.77-3.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-codec-mqtt-4.1.77-3.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-codec-redis-4.1.77-3.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-codec-smtp-4.1.77-3.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-codec-socks-4.1.77-3.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-codec-stomp-4.1.77-3.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-codec-xml-4.1.77-3.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-common-4.1.77-3.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-handler-4.1.77-3.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-handler-proxy-4.1.77-3.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-resolver-4.1.77-3.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-resolver-dns-4.1.77-3.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-resolver-dns-classes-macos-4.1.77-3.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-tcnative-2.0.52-3.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-transport-4.1.77-3.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-transport-classes-epoll-4.1.77-3.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-transport-classes-kqueue-4.1.77-3.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-transport-native-unix-common-4.1.77-3.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-transport-rxtx-4.1.77-3.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-transport-sctp-4.1.77-3.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-transport-udt-4.1.77-3.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-resteasy-3.15.4-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-resteasy-atom-provider-3.15.4-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-resteasy-cdi-3.15.4-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-resteasy-client-3.15.4-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-resteasy-crypto-3.15.4-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-resteasy-jackson-provider-3.15.4-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-resteasy-jackson2-provider-3.15.4-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-resteasy-jaxb-provider-3.15.4-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-resteasy-jaxrs-3.15.4-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-resteasy-jettison-provider-3.15.4-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-resteasy-jose-jwt-3.15.4-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-resteasy-jsapi-3.15.4-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-resteasy-json-binding-provider-3.15.4-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-resteasy-json-p-provider-3.15.4-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-resteasy-multipart-provider-3.15.4-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-resteasy-rxjava2-3.15.4-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-resteasy-spring-3.15.4-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-resteasy-validator-provider-11-3.15.4-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-resteasy-yaml-provider-3.15.4-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-snakeyaml-1.31.0-1.redhat_00001.1.el9eap.noarch.rpm
eap7-undertow-2.2.19-1.SP2_redhat_00001.1.el9eap.noarch.rpm
eap7-undertow-jastow-2.0.11-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-wildfly-7.4.7-3.GA_redhat_00003.1.el9eap.noarch.rpm
eap7-wildfly-elytron-1.15.14-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-wildfly-elytron-tool-1.15.14-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-wildfly-http-client-common-1.1.13-1.SP1_redhat_00001.1.el9eap.noarch.rpm
eap7-wildfly-http-ejb-client-1.1.13-1.SP1_redhat_00001.1.el9eap.noarch.rpm
eap7-wildfly-http-naming-client-1.1.13-1.SP1_redhat_00001.1.el9eap.noarch.rpm
eap7-wildfly-http-transaction-client-1.1.13-1.SP1_redhat_00001.1.el9eap.noarch.rpm
eap7-wildfly-javadocs-7.4.7-3.GA_redhat_00003.1.el9eap.noarch.rpm
eap7-wildfly-modules-7.4.7-3.GA_redhat_00003.1.el9eap.noarch.rpm

x86_64:
eap7-netty-transport-native-epoll-4.1.77-3.Final_redhat_00001.1.el9eap.x86_64.rpm
eap7-netty-transport-native-epoll-debuginfo-4.1.77-3.Final_redhat_00001.1.el9eap.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
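A quick way to confirm that a host has actually picked up this erratum is to compare its installed eap7 packages against the fixed versions in the Package List above. The script below is an added example, not part of the Red Hat advisory: it parses name-version-release.arch strings and compares them with RPM's own version-ordering rules, because a plain string comparison gets cases such as 1.9.0 versus 1.31.0 wrong. The fixed versions are copied from the Package List above (a subset); the installed inventory is constructed for illustration and is not real data from any host.

```python
import re
import sys
from typing import List, Tuple

# Fixed package versions, copied from the Package List of RHSA-2022:6823
# (a representative subset; extend with the full list as needed).
ADVISORY_PACKAGES = """
eap7-undertow-2.2.19-1.SP2_redhat_00001.1.el9eap.noarch.rpm
eap7-snakeyaml-1.31.0-1.redhat_00001.1.el9eap.noarch.rpm
eap7-wildfly-elytron-1.15.14-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-hibernate-core-5.3.28-1.Final_redhat_00001.1.el9eap.noarch.rpm
eap7-netty-transport-native-epoll-4.1.77-3.Final_redhat_00001.1.el9eap.x86_64.rpm
"""

# Constructed `rpm -qa` output for a hypothetical host; not real inventory data.
# snakeyaml 1.9.0 is deliberately included: it sorts *after* 1.31.0 as a string.
INSTALLED = """
eap7-undertow-2.2.18-1.SP2_redhat_00001.1.el9eap.noarch
eap7-snakeyaml-1.9.0-1.redhat_00001.1.el9eap.noarch
eap7-wildfly-elytron-1.15.14-1.Final_redhat_00001.1.el9eap.noarch
eap7-hibernate-core-5.3.27-1.Final_redhat_00001.1.el9eap.noarch
eap7-netty-transport-native-epoll-4.1.77-3.Final_redhat_00001.1.el9eap.x86_64
bash-5.1.8-6.el9.x86_64
"""

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way librpm's rpmvercmp() does:
    digit runs compare numerically, letter runs lexically, a digit run beats a
    letter run, '~' sorts before anything (even the end of the string), and
    separators such as '.', '-' and '_' only delimit segments. Returns -1, 0 or 1."""
    ta, tb = _SEG.findall(a), _SEG.findall(b)
    i = j = 0
    while i < len(ta) or j < len(tb):
        xa = ta[i] if i < len(ta) else ""
        xb = tb[j] if j < len(tb) else ""
        if xa == "~" or xb == "~":          # pre-release marker: older than anything
            if xa != "~":
                return 1
            if xb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if not xa:                          # a ran out first: b has more, b is newer
            return -1
        if not xb:
            return 1
        if xa.isdigit() != xb.isdigit():    # numeric segment outranks alphabetic one
            return 1 if xa.isdigit() else -1
        if xa.isdigit():
            if int(xa) != int(xb):
                return 1 if int(xa) > int(xb) else -1
        elif xa != xb:
            return 1 if xa > xb else -1
        i, j = i + 1, j + 1
    return 0


def parse_nvra(pkg: str) -> Tuple[str, str, str, str]:
    """Split 'name-version-release.arch[.rpm]' into (name, version, release, arch)."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    head, _, arch = pkg.rpartition(".")
    name, version, release = head.rsplit("-", 2)
    return name, version, release, arch


def evr_cmp(installed: Tuple[str, str], fixed: Tuple[str, str]) -> int:
    """Compare (version, release) pairs; release only decides when versions tie."""
    c = rpmvercmp(installed[0], fixed[0])
    return c if c != 0 else rpmvercmp(installed[1], fixed[1])


def missing_updates(installed_text: str, advisory_text: str) -> List[Tuple[str, str, str]]:
    """Return (name, installed V-R, fixed V-R) for every advisory package that is
    installed at a version older than the fixed one. Advisory packages that are not
    installed at all are not reported, since the fix is not needed there."""
    fixed = {}
    for line in advisory_text.split():
        n, v, r, _ = parse_nvra(line)
        fixed[n] = (v, r)
    report = []
    for line in installed_text.split():
        n, v, r, _ = parse_nvra(line)
        if n in fixed and evr_cmp((v, r), fixed[n]) < 0:
            report.append((n, f"{v}-{r}", "-".join(fixed[n])))
    return report


if __name__ == "__main__":
    # Pass "-" to read a real inventory from stdin, e.g. rpm -qa 'eap7-*' | python3 check.py -
    inventory = sys.stdin.read() if "-" in sys.argv[1:] else INSTALLED
    for name, have, want in missing_updates(inventory, ADVISORY_PACKAGES):
        print(f"{name}: installed {have}, fixed in {want}")
```

With the constructed inventory the script reports undertow, snakeyaml and hibernate-core as still vulnerable and stays silent about elytron and the epoll transport, which already match the fixed versions. On a real host feed it `rpm -qa 'eap7-*'` on stdin, and verify the downloaded packages themselves with `rpm -K <package>.rpm` after importing the Red Hat key from the link above, so that a version match is backed by a signature check rather than a file name.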

  8. References:

https://access.redhat.com/security/cve/CVE-2022-1259
https://access.redhat.com/security/cve/CVE-2022-2053
https://access.redhat.com/security/cve/CVE-2022-25857
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/

  9. Contact:

The Red Hat security contact is secalert@redhat.com. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYz3viNzjgjWX9erEAQhpeA//TXopl5LnJNv8I+ukJlYHj7oUfpH7H/5v
pq6njuqCDJfXmOdtmzTsr1bPe+d9rIA6GFK2sCHg5BB87m5FhKZj6eeBjsGRzS6h
ag6vr4MgolKbX0NO7yD1QfukmHlHhA+4HX1xulpNme34EPHjCkYd4DE8aqpDWM6/
XMoiPzw1iZyNJ1qtG360dkDPfbEnw5Ci0wE8KBgTegAROtcpi9xqwfljzKn+uXfm
ZU4j2a9inRhTcC8j1dkK9aBZjKUgoeAjDsJ9MuTXVwo7xErQAOFNZqcVDl6fJxqE
uazGC/b7W1lBG7tB+8jRXcrlTPZcrCKdqRTrb0m5o7ORwtXVWl303+HACCJASwYL
mMKEEp18vzBVC5wAQwtt+PR3nadN9J3DJcFbtkj+lT30C7UTdvapgTdEO9s6nFHj
lbmRolzM0rTUxolSc0jflaP+D72s9JCdn73HFaXYvH6HSGCkAQ43wsL4xki5jFcz
FNRbLCzkGbHxbakMpJVJDCD7oUW8unImGc2kHfX4YdUK1hU4rAepuHMeHXT4jHNl
z6/TOWrkOyWp2NYV87Qq+HXAHZtJeCbBKY+S0iB8EFdUpVZ0kFOptELfZVyJMznZ
Qp4f2n2Pw1njNOycMt8GmVFV4Ay4DIqzCbS6/mRmSO/rkXHvcn79Y981ENzGlq6I
Zpj2tIxl/PM=
=130I
-----END PGP SIGNATURE-----

RHSA-announce mailing list
rhsa-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Related news

Red Hat Security Advisory 2024-0777-03

Red Hat Security Advisory 2024-0777-03 - An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.14. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, information leakage, and open redirection vulnerabilities.

Red Hat Security Advisory 2024-0776-03

Red Hat Security Advisory 2024-0776-03 - An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.13. Issues addressed include bypass, code execution, cross site scripting, and denial of service vulnerabilities.

CVE-2022-4137

A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.

RHSA-2023:4983: Red Hat Security Advisory: Red Hat Process Automation Manager 7.13.4 security update

An update is now available for Red Hat Process Automation Manager. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which provides a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-30129: A vulnerability in sshd-core of Apache Mina SSHD allows an attacker to overflow the server causing an OutOfMemory error. This issue affects the SFTP and port forwarding features of Apache Mina SSHD version 2.0.0 and later versions. It was addressed in Apache Mina SSHD 2.7.0 * CVE-2022-3171: A parsing issue with binary data in protobuf-java core and...

CVE-2023-28955: Security Bulletin: Multiple security vulnerabilities affecting Watson Knowledge Catalog for IBM Cloud Pak for Data

IBM Watson Knowledge Catalog on Cloud Pak for Data 4.0 could allow an authenticated user send a specially crafted request that could cause a denial of service. IBM X-Force ID: 251704.

Red Hat Security Advisory 2023-3641-01

Red Hat Security Advisory 2023-3641-01 - This release of Camel for Spring Boot 3.18.3.P2 serves as a replacement for Camel for Spring Boot 3.18.3.P1 and includes bug fixes and enhancements, which are documented in the Release Notes linked in the References. Issues addressed include denial of service, deserialization, resource exhaustion, and server-side request forgery vulnerabilities.

Red Hat Security Advisory 2023-3198-01

Red Hat Security Advisory 2023-3198-01 - Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, deserialization, information leakage, and insecure permissions vulnerabilities.

Red Hat Security Advisory 2023-2097-03

Red Hat Security Advisory 2023-2097-03 - Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool. Issues addressed include code execution, cross site scripting, denial of service, deserialization, improper neutralization, information leakage, and remote shell upload vulnerabilities.

CVE-2023-21954: Oracle Critical Patch Update Advisory - April 2023

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...

Ubuntu Security Notice USN-5944-1

Ubuntu Security Notice 5944-1 - It was discovered that SnakeYAML did not limit the maximal nested depth for collections when parsing YAML data. If a user or automated system were tricked into opening a specially crafted YAML file, an attacker could possibly use this issue to cause applications using SnakeYAML to crash, resulting in a denial of service. It was discovered that SnakeYAML did not limit the maximal data matched with regular expressions when parsing YAML data. If a user or automated system were tricked into opening a specially crafted YAML file, an attacker could possibly use this issue to cause applications using SnakeYAML to crash, resulting in a denial of service.

Red Hat Security Advisory 2023-1047-01

Red Hat Security Advisory 2023-1047-01 - A new image is available for Red Hat Single Sign-On 7.6.2, running on Red Hat OpenShift Container Platform from the release of 3.11 up to the release of 4.12.0. Issues addressed include code execution, cross site scripting, denial of service, deserialization, html injection, memory exhaustion, server-side request forgery, and traversal vulnerabilities.

Red Hat Security Advisory 2023-1049-01

Red Hat Security Advisory 2023-1049-01 - Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.6.2 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution, cross site scripting, denial of service, deserialization, html injection, memory exhaustion, open redirection, server-side request forgery, and traversal vulnerabilities.

Red Hat Security Advisory 2023-1044-01

Red Hat Security Advisory 2023-1044-01 - Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.6.2 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution, cross site scripting, denial of service, deserialization, html injection, memory exhaustion, server-side request forgery, and traversal vulnerabilities.

RHSA-2023:1049: Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update

A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2018-14040: In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. * CVE-2018-14042: In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. * CVE-2019-11358: A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modi...

RHSA-2023:1047: Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 for OpenShift image security and enhancement update

A new image is available for Red Hat Single Sign-On 7.6.2, running on Red Hat OpenShift Container Platform from the release of 3.11 up to the release of 4.12.0. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2018-14040: In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. * CVE-2018-14042: In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. * CVE-2019-11358: A Prototype Pollution vulnerability was found in jque...

Red Hat Security Advisory 2023-0777-01

Red Hat Security Advisory 2023-0777-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.9.56. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, deserialization, and improper authorization vulnerabilities.

RHSA-2023:0560: Red Hat Security Advisory: OpenShift Container Platform 4.10.51 security update

Red Hat OpenShift Container Platform release 4.10.51 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-7692: PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the ...

CVE-2023-21850: Oracle Critical Patch Update Advisory - January 2023

Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

RHSA-2022:8761: Red Hat Security Advisory: Red Hat support for Spring Boot 2.7.2 update

An update is now available for Red Hat OpenShift Application Runtimes.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-5404: reactor-netty: specific redirect configuration allows for a credentials leak * CVE-2021-4178: kubernetes-client: Insecure deserialization in unmarshalYaml method * CVE-2021-22569: protobuf-java: potential DoS in the parsing procedure for binary data * CVE-2022-1259: undertow: potential security issue in flow control over HTTP/2 may lead to DOS(incomplete fix for CVE-2021-3629) * CVE-2022-1319: undertow: Double AJP response for 400 from EAP 7 results in CPING failures * CVE-2022-22950: spring-expression: Denial of service via specially crafted SpEL expression

Red Hat Security Advisory 2022-8876-01

Red Hat Security Advisory 2022-8876-01 - AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. This release of Red Hat AMQ Broker 7.10.2 includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2022-8652-01

Red Hat Security Advisory 2022-8652-01 - This release of Red Hat Fuse 7.11.1 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. Issues addressed include bypass, cross site scripting, denial of service, remote SQL injection, and traversal vulnerabilities.

RHSA-2022:8652: Red Hat Security Advisory: Red Hat Fuse 7.11.1 release and security update

A minor version update (from 7.11 to 7.11.1) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2019-8331: bootstrap: XSS in the tooltip or popover data-template attribute * CVE-2021-3717: wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users * CVE-2021-31684: json-smart: Denial of Service in...

Red Hat Security Advisory 2022-8524-01

Red Hat Security Advisory 2022-8524-01 - Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale. Data Grid 8.4.0 replaces Data Grid 8.3.1 and includes bug fixes and enhancements. Find out more about Data Grid 8.4.0 in the Release Notes[3]. Issues addressed include cross site scripting and denial of service vulnerabilities.

CVE-2022-21587: Oracle Critical Patch Update Advisory - October 2022

Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Red Hat Security Advisory 2022-6941-01

Red Hat Security Advisory 2022-6941-01 - This release of Red Hat build of Quarkus 2.7.6.SP1 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section. Issues addressed include a denial of service vulnerability.

RHSA-2022:6941: Red Hat Security Advisory: Red Hat build of Quarkus Platform 2.7.6.SP1 and security update

An update is now available for the Red Hat build of Quarkus Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25857: snakeyaml: Denial of Service due to missing nested depth limitation for collections

Red Hat Security Advisory 2022-6835-01

Red Hat Security Advisory 2022-6835-01 - This release of Red Hat Integration - Service registry 2.3.0.GA serves as a replacement for 2.0.3.GA, and includes the below security fixes. Issues addressed include code execution, cross site scripting, denial of service, deserialization, and privilege escalation vulnerabilities.

Red Hat Security Advisory 2022-6820-01

Red Hat Security Advisory 2022-6820-01 - Prometheus JMX Exporter is a JMX to Prometheus exporter: a collector that can be configured to scrape and expose MBeans of a JMX target. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2022-6757-01

Red Hat Security Advisory 2022-6757-01 - This release of Red Hat build of Eclipse Vert.x 4.3.3 GA includes security updates. For more information, see the release notes listed in the References section. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2022-6821-01

Red Hat Security Advisory 2022-6821-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.7 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.6, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.7 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2022-6822-01

Red Hat Security Advisory 2022-6822-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.7 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.6, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.7 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2022-6825-01

Red Hat Security Advisory 2022-6825-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.7 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.6, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.7 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include a denial of service vulnerability.

RHSA-2022:6835: Red Hat Security Advisory: Service Registry (container images) release and security update [2.3.0.GA]

An update to the images for Red Hat Integration Service Registry is now available from the Red Hat Container Catalog. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-22569: protobuf-java: potential DoS in the parsing procedure for binary data * CVE-2021-37136: netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data * CVE-2021-37137: net...

RHSA-2022:6820: Red Hat Security Advisory: prometheus-jmx-exporter security update

An update for prometheus-jmx-exporter is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25857: snakeyaml: Denial of Service due to missing nested depth limitation for collections

RHSA-2022:6825: Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.7 Security update

A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1259: undertow: potential security issue in flow control over HTTP/2 may lead to DoS (incomplete fix for CVE-2021-3629) * CVE-2022-2053: undertow: Large AJP request may cause DoS * CVE-2022-25857: snakeyaml: Denial of Service due to missing nested depth limitation for collections

RHSA-2022:6757: Red Hat Security Advisory: Red Hat build of Eclipse Vert.x 4.3.3 security update

An update is now available for Red Hat build of Eclipse Vert.x. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE pages listed in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25857: snakeyaml: Denial of Service due to missing nested depth limitation for collections * CVE-2022-37734: graphql-java: DoS by malicious query * CVE-2022-38749: snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode * CVE-2022-38750: snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructo...

Red Hat Security Advisory 2022-6407-01

Red Hat Security Advisory 2022-6407-01 - A minor version update is now available for Red Hat Camel K that includes CVE fixes in the base images, which are documented in the Release Notes document linked in the References section. Issues addressed include denial of service, information leakage, integer overflow, and resource exhaustion vulnerabilities.

RHSA-2022:6407: Red Hat Security Advisory: Red Hat Integration Camel-K 1.8 security update

A minor version update is now available for Red Hat Integration Camel K. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-9492: hadoop: WebHDFS client might send SPNEGO authorization header * CVE-2020-27223: jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS * CVE-2020-36518: jackson-databind: denial of service ...

CVE-2022-1259: Invalid Bug ID

A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server. This flaw exists because of an incomplete fix for CVE-2021-3629.

GHSA-3mc7-4q67-w48m: Uncontrolled Resource Consumption in snakeyaml

The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nested depth limitation for collections.

CVE-2022-25857: snakeyaml / snakeyaml - fc30078

The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nested depth limitation for collections.

CVE-2022-2053: Large AJP request may cause DoS

When a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize), Undertow's AjpServerRequestConduit implementation closes the connection without sending any response to the client/proxy. As a result, the front-end proxy marks the backend worker (application server) as being in an error state and does not forward requests to that worker for a while. In mod_cluster, this continues until the next STATUS request (sent at 10-second intervals) from the application server updates the server state. So, in the worst case, it can result in "All workers are in error state" and mod_cluster responds "503 Service Unavailable" for a while (up to 10 seconds). In mod_proxy_balancer, it does not forward requests to the worker until the "retry" timeout passes. However, luckily, mod_proxy_balancer has a "forcerecovery" setting (On by default; this parameter can force the immediate recovery of all workers without considering the retry parameter of the workers if all workers of ...

Red Hat Security Advisory 2022-5532-01

Red Hat Security Advisory 2022-5532-01 - This release of Red Hat Fuse 7.11.0 serves as a replacement for Red Hat Fuse 7.10 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. Issues addressed include HTTP request smuggling, bypass, code execution, denial of service, deserialization, information leakage, memory leak, privilege escalation, and traversal vulnerabilities.

RHSA-2022:5532: Red Hat Security Advisory: Red Hat Fuse 7.11.0 release and security update

A minor version update (from 7.10 to 7.11) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-7020: elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure * CVE-2020-9484: tomcat: deserialization flaw in session persistence storage leading to RCE * CVE-2020-15250: ju...

GHSA-rf6q-vx79-mjxr: Uncontrolled Resource Consumption in Undertow

A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server. The highest threat from this vulnerability is to availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final.

CVE-2021-3629: Invalid Bug ID

A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server. The highest threat from this vulnerability is to availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution