Headline
Red Hat Security Advisory 2022-6821-01
Red Hat Security Advisory 2022-6821-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.7 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.6, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.7 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include a denial of service vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.4.7 Security update
Advisory ID: RHSA-2022:6821-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6821
Issue date: 2022-10-05
CVE Names: CVE-2022-1259 CVE-2022-2053 CVE-2022-25857
=====================================================================
- Summary:
A security update is now available for Red Hat JBoss Enterprise Application
Platform 7.4 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat JBoss EAP 7.4 for RHEL 7 Server - noarch, x86_64
- Description:
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java
applications based on the WildFly application runtime. This release of Red
Hat JBoss Enterprise Application Platform 7.4.7 serves as a replacement for
Red Hat JBoss Enterprise Application Platform 7.4.6, and includes bug fixes
and enhancements. See the Red Hat JBoss Enterprise Application Platform
7.4.7 Release Notes for information about the most significant bug fixes
and enhancements included in this release.
Security Fix(es):
undertow: Large AJP request may cause DoS (CVE-2022-2053)
undertow: potential security issue in flow control over HTTP/2 may lead
to DOS. Incomplete fix for CVE-2021-3629 (CVE-2022-1259)snakeyaml: Denial of Service due missing to nested depth limitation for
collections. (CVE-2022-25857)
- Solution:
Before applying this update, ensure all previously released errata relevant
to your system have been applied. For details about how to apply this
update, see: https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2072339 - CVE-2022-1259 undertow: potential security issue in flow control over HTTP/2 may lead to DOS(incomplete fix for CVE-2021-3629)
2095862 - CVE-2022-2053 undertow: Large AJP request may cause DoS
2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections
- JIRA issues fixed (https://issues.jboss.org/):
JBEAP-23618 - Tracker bug for the EAP 7.4.7 release for RHEL-7
JBEAP-23687 - GSS Upgrade Ironjacamar from 1.5.3.SP1-redhat-00001 to 1.5.3.SP2-redhat-00001
JBEAP-23738 - (7.4.z) Upgrade jastow from 2.0.9.Final-redhat-00001 to 2.0.11.Final-redhat-00001
JBEAP-23741 - GSS Upgrade Undertow from 2.2.18.SP2-redhat-00001 to 2.2.19.SP2-redhat-00001
JBEAP-23753 - (7.4.z) Upgrade HAL from 3.3.13.Final-redhat-00001 to 3.3.14.Final-redhat-00001
JBEAP-23772 - GSS Upgrade Mojarra from 2.3.14.SP05-redhat-00001 to 2.3.14.SP06-redhat-00001
JBEAP-23794 - (7.4.z) Upgrade Elytron from 1.15.13.Final-redhat-00001 to 1.15.14.Final-redhat-00001
JBEAP-23802 - (7.4.z) Upgrade WildFly Core from 15.0.15.Final-redhat-00001 to 15.0.17.Final-redhat-00001
JBEAP-23803 - (7.4.z) Upgrade Artemis from 2.16.0.redhat-00042 to 2.16.0.redhat-00045
JBEAP-23805 - (7.4.z) Upgrade jboss-ejb-client from 4.0.44.Final-redhat-00001 to 4.0.45.Final-redhat-00001
JBEAP-23816 - (7.4.z) Upgrade RESTEasy from 3.15.3.Final-redhat-00001 to 3.15.4.Final-redhat-00001
JBEAP-23818 - GSS WFLY-16607 - Application deployment fails with EJB components in EAP 7.4 Update 5 and works fine with Update 1
JBEAP-23869 - GSS Upgrade JBoss VFS from 3.2.16.Final-redhat-00001 to 3.2.17.Final-redhat-00001
JBEAP-23881 - GSS Upgrade Hibernate ORM from 5.3.27.Final-redhat-00001 to 5.3.28.Final-redhat-00001
JBEAP-23912 - (7.4.z) Upgrade WildFly Core from 15.0.17.Final-redhat-00001 to 15.0.18.Final-redhat-00001
- Package List:
Red Hat JBoss EAP 7.4 for RHEL 7 Server:
Source:
eap7-activemq-artemis-2.16.0-10.redhat_00045.1.el7eap.src.rpm
eap7-glassfish-jsf-2.3.14-5.SP06_redhat_00001.1.el7eap.src.rpm
eap7-hal-console-3.3.14-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-hibernate-5.3.28-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-ironjacamar-1.5.3-3.SP2_redhat_00001.1.el7eap.src.rpm
eap7-jboss-ejb-client-4.0.45-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-jboss-server-migration-1.10.0-20.Final_redhat_00019.1.el7eap.src.rpm
eap7-jboss-vfs-3.2.17-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-netty-4.1.77-3.Final_redhat_00001.1.el7eap.src.rpm
eap7-netty-tcnative-2.0.52-3.Final_redhat_00001.1.el7eap.src.rpm
eap7-netty-transport-native-epoll-4.1.77-3.Final_redhat_00001.1.el7eap.src.rpm
eap7-resteasy-3.15.4-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-snakeyaml-1.31.0-1.redhat_00001.1.el7eap.src.rpm
eap7-undertow-2.2.19-1.SP2_redhat_00001.1.el7eap.src.rpm
eap7-undertow-jastow-2.0.11-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-wildfly-7.4.7-3.GA_redhat_00003.1.el7eap.src.rpm
eap7-wildfly-elytron-1.15.14-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-wildfly-http-client-1.1.13-1.SP1_redhat_00001.1.el7eap.src.rpm
noarch:
eap7-activemq-artemis-2.16.0-10.redhat_00045.1.el7eap.noarch.rpm
eap7-activemq-artemis-cli-2.16.0-10.redhat_00045.1.el7eap.noarch.rpm
eap7-activemq-artemis-commons-2.16.0-10.redhat_00045.1.el7eap.noarch.rpm
eap7-activemq-artemis-core-client-2.16.0-10.redhat_00045.1.el7eap.noarch.rpm
eap7-activemq-artemis-dto-2.16.0-10.redhat_00045.1.el7eap.noarch.rpm
eap7-activemq-artemis-hornetq-protocol-2.16.0-10.redhat_00045.1.el7eap.noarch.rpm
eap7-activemq-artemis-hqclient-protocol-2.16.0-10.redhat_00045.1.el7eap.noarch.rpm
eap7-activemq-artemis-jdbc-store-2.16.0-10.redhat_00045.1.el7eap.noarch.rpm
eap7-activemq-artemis-jms-client-2.16.0-10.redhat_00045.1.el7eap.noarch.rpm
eap7-activemq-artemis-jms-server-2.16.0-10.redhat_00045.1.el7eap.noarch.rpm
eap7-activemq-artemis-journal-2.16.0-10.redhat_00045.1.el7eap.noarch.rpm
eap7-activemq-artemis-ra-2.16.0-10.redhat_00045.1.el7eap.noarch.rpm
eap7-activemq-artemis-selector-2.16.0-10.redhat_00045.1.el7eap.noarch.rpm
eap7-activemq-artemis-server-2.16.0-10.redhat_00045.1.el7eap.noarch.rpm
eap7-activemq-artemis-service-extensions-2.16.0-10.redhat_00045.1.el7eap.noarch.rpm
eap7-activemq-artemis-tools-2.16.0-10.redhat_00045.1.el7eap.noarch.rpm
eap7-glassfish-jsf-2.3.14-5.SP06_redhat_00001.1.el7eap.noarch.rpm
eap7-hal-console-3.3.14-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-hibernate-5.3.28-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-hibernate-core-5.3.28-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-hibernate-entitymanager-5.3.28-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-hibernate-envers-5.3.28-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-hibernate-java8-5.3.28-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-1.5.3-3.SP2_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-common-api-1.5.3-3.SP2_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-common-impl-1.5.3-3.SP2_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-common-spi-1.5.3-3.SP2_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-core-api-1.5.3-3.SP2_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-core-impl-1.5.3-3.SP2_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-deployers-common-1.5.3-3.SP2_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-jdbc-1.5.3-3.SP2_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-validator-1.5.3-3.SP2_redhat_00001.1.el7eap.noarch.rpm
eap7-jboss-ejb-client-4.0.45-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-jboss-server-migration-1.10.0-20.Final_redhat_00019.1.el7eap.noarch.rpm
eap7-jboss-server-migration-cli-1.10.0-20.Final_redhat_00019.1.el7eap.noarch.rpm
eap7-jboss-server-migration-core-1.10.0-20.Final_redhat_00019.1.el7eap.noarch.rpm
eap7-jboss-vfs-3.2.17-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-4.1.77-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-all-4.1.77-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-buffer-4.1.77-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-codec-4.1.77-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-codec-dns-4.1.77-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-codec-haproxy-4.1.77-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-codec-http-4.1.77-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-codec-http2-4.1.77-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-codec-memcache-4.1.77-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-codec-mqtt-4.1.77-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-codec-redis-4.1.77-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-codec-smtp-4.1.77-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-codec-socks-4.1.77-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-codec-stomp-4.1.77-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-codec-xml-4.1.77-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-common-4.1.77-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-handler-4.1.77-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-handler-proxy-4.1.77-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-resolver-4.1.77-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-resolver-dns-4.1.77-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-resolver-dns-classes-macos-4.1.77-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-tcnative-2.0.52-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-transport-4.1.77-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-transport-classes-epoll-4.1.77-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-transport-classes-kqueue-4.1.77-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-transport-native-unix-common-4.1.77-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-transport-rxtx-4.1.77-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-transport-sctp-4.1.77-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-transport-udt-4.1.77-3.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-3.15.4-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-atom-provider-3.15.4-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-cdi-3.15.4-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-client-3.15.4-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-crypto-3.15.4-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-jackson-provider-3.15.4-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-jackson2-provider-3.15.4-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-jaxb-provider-3.15.4-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-jaxrs-3.15.4-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-jettison-provider-3.15.4-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-jose-jwt-3.15.4-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-jsapi-3.15.4-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-json-binding-provider-3.15.4-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-json-p-provider-3.15.4-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-multipart-provider-3.15.4-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-rxjava2-3.15.4-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-spring-3.15.4-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-validator-provider-11-3.15.4-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-resteasy-yaml-provider-3.15.4-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-snakeyaml-1.31.0-1.redhat_00001.1.el7eap.noarch.rpm
eap7-undertow-2.2.19-1.SP2_redhat_00001.1.el7eap.noarch.rpm
eap7-undertow-jastow-2.0.11-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-wildfly-7.4.7-3.GA_redhat_00003.1.el7eap.noarch.rpm
eap7-wildfly-elytron-1.15.14-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-wildfly-elytron-tool-1.15.14-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-wildfly-http-client-common-1.1.13-1.SP1_redhat_00001.1.el7eap.noarch.rpm
eap7-wildfly-http-ejb-client-1.1.13-1.SP1_redhat_00001.1.el7eap.noarch.rpm
eap7-wildfly-http-naming-client-1.1.13-1.SP1_redhat_00001.1.el7eap.noarch.rpm
eap7-wildfly-http-transaction-client-1.1.13-1.SP1_redhat_00001.1.el7eap.noarch.rpm
eap7-wildfly-java-jdk11-7.4.7-3.GA_redhat_00003.1.el7eap.noarch.rpm
eap7-wildfly-java-jdk8-7.4.7-3.GA_redhat_00003.1.el7eap.noarch.rpm
eap7-wildfly-javadocs-7.4.7-3.GA_redhat_00003.1.el7eap.noarch.rpm
eap7-wildfly-modules-7.4.7-3.GA_redhat_00003.1.el7eap.noarch.rpm
x86_64:
eap7-netty-transport-native-epoll-4.1.77-3.Final_redhat_00001.1.el7eap.x86_64.rpm
eap7-netty-transport-native-epoll-debuginfo-4.1.77-3.Final_redhat_00001.1.el7eap.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-1259
https://access.redhat.com/security/cve/CVE-2022-2053
https://access.redhat.com/security/cve/CVE-2022-25857
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYz3vktzjgjWX9erEAQgvNQ//RUh4+WGNUN6p8Rm+/FdBq9wHIHnGArNu
9pCaFNRygqw5PeP+vCb1a3gXhaDwh1IynkMYDNRP0J40OVI4E6wUjsTQUNB2Z4K8
PAMPBdQ1AClqPq3z/8ApThtJFHzkLEfWc/4ulF7fcMVObkJpu+2gviizUQkvLvpk
6x1nFec7tKtpsfXwOyt8DgNrGz8GTpOrELHA9+JDunE7YcsFaI7ZiholZswrcor2
o8ZFzu6+fMXaTl99POh9oygwwZyaUSeivGazMwzvdr8vqnHbUu/T9YiRSR4iPsWd
0uzcuLY8w596nKvWCCBPGcOvYFVoq0AqsYw3zA+cIKh/h7VDcZDe0FAPOGVOVAVU
lA/d/SSOG7eJqZuNZ/bJPXbSpx540IScmw4SpN8gMa1hwbg98RHr8a/piPPnDlIy
11bKNCc/++CCNZbWF9ajESzDCbiQg8HDTX2v0y1Fe4SdstzewcVAhiAYserBv+9w
DUj7E7lJgfaWpjXe051gqC/qm6bCzK9mKFQFsoU65zK57+snX0KAMvdGG2JhMMF4
D8L7yBP/g09v9REJw74sAs/IFCp0t8eddZF5ig9lxQd9exx5wTgcQ+gSIN5zgg83
mbVG3oMybYNxS6f3eqXCd+bVofOlDK3CDsx3acEKCU8R6DsYzJ5OFALio6LFiFHo
3ekpF6MFU3E=
=11j2
-----END PGP SIGNATURE-----
–
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
Red Hat Security Advisory 2023-7697-03 - An update is now available for Red Hat AMQ Clients. Issues addressed include code execution, denial of service, deserialization, and resource exhaustion vulnerabilities.
Red Hat Security Advisory 2023-7288-01 - An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.14. Issues addressed include bypass, code execution, cross site scripting, and denial of service vulnerabilities.
A flaw was found in Red Hat Single Sign-On for OpenShift container images, which are configured with an unsecured management interface enabled. This flaw allows an attacker to use this interface to deploy malicious code and access and modify potentially sensitive information in the app server configuration.
IBM Watson Knowledge Catalog on Cloud Pak for Data 4.0 could allow an authenticated user send a specially crafted request that could cause a denial of service. IBM X-Force ID: 251704.
Camel for Spring Boot 3.18.3 Patch 2 release and security update is now available. Red Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25857: A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections. * CVE-2022-38749: A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remot...
An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.11. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-26291: A flaw was found in maven. Repositories that are defined in a dependency’s Project Object Model (pom), which may be unknown to users, are used by default resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that r...
Red Hat Security Advisory 2023-2100-01 - This release of Camel for Spring Boot 3.20.1 serves as a replacement for Camel for Spring Boot 3.18.3 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. The purpose of this text-only errata is to inform you about the security issues fixed. Issues addressed include bypass, code execution, cross site scripting, denial of service, man-in-the-middle, memory exhaustion, resource exhaustion, and traversal vulnerabilities.
Red Hat Integration Camel for Spring Boot 3.20.1 release and security update is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-37533: A flaw was found in Apache Commons Net's FTP, where the client trusts the host from PASV response by default. A malicious server could redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This issue could lead to leakage of information about service...
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...
Ubuntu Security Notice 5944-1 - It was discovered that SnakeYAML did not limit the maximal nested depth for collections when parsing YAML data. If a user or automated system were tricked into opening a specially crafted YAML file, an attacker could possibly use this issue to cause applications using SnakeYAML to crash, resulting in a denial of service. It was discovered that SnakeYAML did not limit the maximal data matched with regular expressions when parsing YAML data. If a user or automated system were tricked into opening a specially crafted YAML file, an attacker could possibly use this issue to cause applications using SnakeYAML to crash, resulting in a denial of service.
Red Hat Security Advisory 2023-1045-01 - Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.6.2 on RHEL 9 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution, cross site scripting, denial of service, deserialization, html injection, memory exhaustion, server-side request forgery, and traversal vulnerabilities.
Red Hat Security Advisory 2023-1043-01 - Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.6.2 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution, cross site scripting, denial of service, deserialization, html injection, memory exhaustion, server-side request forgery, and traversal vulnerabilities.
A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2018-14040: In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. * CVE-2018-14042: In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. * CVE-2019-11358: A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modi...
A new image is available for Red Hat Single Sign-On 7.6.2, running on Red Hat OpenShift Container Platform from the release of 3.11 up to the release of 4.12.0. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2018-14040: In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. * CVE-2018-14042: In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. * CVE-2019-11358: A Prototype Pollution vulnerability was found in jque...
Red Hat Security Advisory 2023-0777-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.9.56. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, deserialization, and improper authorization vulnerabilities.
Red Hat OpenShift Container Platform release 4.9.56 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3064: A flaw was found in go-yaml. This issue causes the consumption of excessive amounts of CPU or memory when attempting to parse a large or maliciously crafted YAML document.
Red Hat OpenShift Container Platform release 4.10.51 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-7692: PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the ...
Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
An update is now available for Red Hat OpenShift Application Runtimes.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-5404: reactor-netty: specific redirect configuration allows for a credentials leak * CVE-2021-4178: kubernetes-client: Insecure deserialization in unmarshalYaml method * CVE-2021-22569: protobuf-java: potential DoS in the parsing procedure for binary data * CVE-2022-1259: undertow: potential security issue in flow control over HTTP/2 may lead to DOS(incomplete fix for CVE-2021-3629) * CVE-2022-1319: undertow: Double AJP response for 400 from EAP 7 results in CPING failures * CVE-2022-22950: spring-expression: Denial of service via specially crafted SpEL expression
Red Hat Security Advisory 2022-8876-01 - AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. This release of Red Hat AMQ Broker 7.10.2 includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Issues addressed include a denial of service vulnerability.
Red Hat AMQ Broker 7.10.2 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25857: snakeyaml: Denial of Service due to missing nested depth limitation for collections * CVE-2022-38749: snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode * CVE-2022-38750: snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject * CVE-2022-38751: snakeyaml: Uncaugh...
Red Hat Security Advisory 2022-8652-01 - This release of Red Hat Fuse 7.11.1 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. Issues addressed include bypass, cross site scripting, denial of service, remote SQL injection, and traversal vulnerabilities.
A minor version update (from 7.11 to 7.11.1) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2019-8331: bootstrap: XSS in the tooltip or popover data-template attribute * CVE-2021-3717: wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users * CVE-2021-31684: json-smart: Denial of Service in...
Red Hat Security Advisory 2022-8524-01 - Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale. Data Grid 8.4.0 replaces Data Grid 8.3.1 and includes bug fixes and enhancements. Find out more about Data Grid 8.4.0 in the Release Notes[3]. Issues addressed include cross site scripting and denial of service vulnerabilities.
An update for Red Hat Data Grid 8 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-0235: node-fetch: exposure of sensitive information to an unauthorized actor * CVE-2022-23647: prismjs: improperly escaped output allows a XSS * CVE-2022-24823: netty: world readable temporary file containing sensitive data * CVE-2022-25857: snakeyaml: Denial of Service due to missing nested depth limitation for collections * CVE-2022-38749: snakeyaml: Uncaught exception...
Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Red Hat Security Advisory 2022-6941-01 - This release of Red Hat build of Quarkus 2.7.6.SP1 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section. Issues addressed include a denial of service vulnerability.
An update is now available for the Red Hat build of Quarkus Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25857: snakeyaml: Denial of Service due to missing nested depth limitation for collections
Red Hat Security Advisory 2022-6835-01 - This release of Red Hat Integration - Service registry 2.3.0.GA serves as a replacement for 2.0.3.GA, and includes the below security fixes. Issues addressed include code execution, cross site scripting, denial of service, deserialization, and privilege escalation vulnerabilities.
Red Hat Security Advisory 2022-6820-01 - Prometheus JMX Exporter is a JMX to Prometheus exporter: a collector that can be configured to scrape and expose MBeans of a JMX target. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2022-6757-01 - This release of Red Hat build of Eclipse Vert.x 4.3.3 GA includes security updates. For more information, see the release notes listed in the References section. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2022-6823-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.7 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.6, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.7 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2022-6822-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.7 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.6, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.7 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2022-6825-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.7 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.6, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.7 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include a denial of service vulnerability.
An update to the images for Red Hat Integration Service Registry is now available from the Red Hat Container Catalog. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-22569: protobuf-java: potential DoS in the parsing procedure for binary data * CVE-2021-37136: netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data * CVE-2021-37137: net...
An update for prometheus-jmx-exporter is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25857: snakeyaml: Denial of Service due to missing nested depth limitation for collections
A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1259: undertow: potential security issue in flow control over HTTP/2 may lead to DOS(incomplete fix for CVE-2021-3629) * CVE-2022-2053: undertow: Large AJP request may cause DoS * CVE-2022-25857: snakeyaml: Denial of Service due to missing nested depth limitation for collections
A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1259: undertow: potential security issue in flow control over HTTP/2 may lead to DOS(incomplete fix for CVE-2021-3629) * CVE-2022-2053: undertow: Large AJP request may cause DoS * CVE-2022-25857: snakeyaml: Denial of Service due to missing nested depth limitation for collections
A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1259: undertow: potential security issue in flow control over HTTP/2 may lead to DOS(incomplete fix for CVE-2021-3629) * CVE-2022-2053: undertow: Large AJP request may cause DoS * CVE-2022-25857: snakeyaml: Denial of Service due to missing nested depth limitation for collections
A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1259: undertow: potential security issue in flow control over HTTP/2 may lead to DOS(incomplete fix for CVE-2021-3629) * CVE-2022-2053: undertow: Large AJP request may cause DoS * CVE-2022-25857: snakeyaml: Denial of Service due to missing nested depth limitation for collections
An update is now available for Red Hat build of Eclipse Vert.x. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE pages listed in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25857: snakeyaml: Denial of Service due to missing nested depth limitation for collections * CVE-2022-37734: graphql-java: DoS by malicious query * CVE-2022-38749: snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode * CVE-2022-38750: snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructo...
Red Hat Security Advisory 2022-6407-01 - A minor version update is now available for Red Hat Camel K that includes CVE fixes in the base images, which are documented in the Release Notes document linked in the References section. Issues addressed include denial of service, information leakage, integer overflow, and resource exhaustion vulnerabilities.
A minor version update is now available for Red Hat Integration Camel K. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-9492: hadoop: WebHDFS client might send SPNEGO authorization header * CVE-2020-27223: jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS * CVE-2020-36518: jackson-databind: denial of service ...
A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server. This flaw exists because of an incomplete fix for CVE-2021-3629.
The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.
The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.
When a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize), Undertow's AjpServerRequestConduit implementation closes a connection without sending any response to the client/proxy. This behavior results in that a front-end proxy marking the backend worker (application server) as an error state and not forward requests to the worker for a while. In mod_cluster, this continues until the next STATUS request (10 seconds intervals) from the application server updates the server state. So, in the worst case, it can result in "All workers are in error state" and mod_cluster responds "503 Service Unavailable" for a while (up to 10 seconds). In mod_proxy_balancer, it does not forward requests to the worker until the "retry" timeout passes. However, luckily, mod_proxy_balancer has "forcerecovery" setting (On by default; this parameter can force the immediate recovery of all workers without considering the retry parameter of the workers if all workers of ...
Red Hat Security Advisory 2022-5532-01 - This release of Red Hat Fuse 7.11.0 serves as a replacement for Red Hat Fuse 7.10 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. Issues addressed include HTTP request smuggling, bypass, code execution, denial of service, deserialization, information leakage, memory leak, privilege escalation, and traversal vulnerabilities.
Red Hat Security Advisory 2022-5532-01 - This release of Red Hat Fuse 7.11.0 serves as a replacement for Red Hat Fuse 7.10 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. Issues addressed include HTTP request smuggling, bypass, code execution, denial of service, deserialization, information leakage, memory leak, privilege escalation, and traversal vulnerabilities.
A minor version update (from 7.10 to 7.11) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-7020: elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure * CVE-2020-9484: tomcat: deserialization flaw in session persistence storage leading to RCE * CVE-2020-15250: ju...
A minor version update (from 7.10 to 7.11) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-7020: elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure * CVE-2020-9484: tomcat: deserialization flaw in session persistence storage leading to RCE * CVE-2020-15250: ju...
A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final.
A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final.