Headline
Red Hat Security Advisory 2024-1027-03
Red Hat Security Advisory 2024-1027-03 - An update is now available for MTA-6.2-RHEL-8 and MTA-6.2-RHEL-9. Issues addressed include XML injection and denial of service vulnerabilities.
The following advisory data is extracted from:
https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1027.json
Red Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat’s archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.
- Packet Storm Staff
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Migration Toolkit for Applications security update
Advisory ID: RHSA-2024:1027-03
Product: Migration Toolkit for Applications
Advisory URL: https://access.redhat.com/errata/RHSA-2024:1027
Issue date: 2024-02-28
Revision: 03
CVE Names: CVE-2022-1962
====================================================================
Summary:
An update is now available for MTA-6.2-RHEL-8 and MTA-6.2-RHEL-9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description:
Migration Toolkit for Applications
Security Fix(es):
golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)
jettison: If the value in map is the map’s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
apache-ivy: XML External Entity vulnerability (CVE-2022-46751)
jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)
guava: insecure temporary directory creation (CVE-2023-2976)
follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse() (CVE-2023-26159)
golang: net/http: insufficient sanitization of Host header (CVE-2023-29406)
golang: crypto/tls: slow verification of certificate chains containing large RSA keys (CVE-2023-29409)
jackson-databind: denial of service via cylic dependencies (CVE-2023-35116)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution:
https://access.redhat.com/articles/11258
CVEs:
CVE-2022-1962
References:
https://access.redhat.com/security/updates/classification/#moderate
https://bugzilla.redhat.com/show_bug.cgi?id=2107376
https://bugzilla.redhat.com/show_bug.cgi?id=2155970
https://bugzilla.redhat.com/show_bug.cgi?id=2182788
https://bugzilla.redhat.com/show_bug.cgi?id=2215214
https://bugzilla.redhat.com/show_bug.cgi?id=2215229
https://bugzilla.redhat.com/show_bug.cgi?id=2222167
https://bugzilla.redhat.com/show_bug.cgi?id=2228743
https://bugzilla.redhat.com/show_bug.cgi?id=2233112
https://bugzilla.redhat.com/show_bug.cgi?id=2256413
https://issues.redhat.com/browse/MTA-87
Related news
Red Hat Security Advisory 2024-6893-03 - Red Hat AMQ Broker 7.12.0 is now available from the Red Hat Customer Portal. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-3989-03 - Migration Toolkit for Applications 6.2.3 release. Issues addressed include denial of service, memory leak, and password leak vulnerabilities.
Red Hat Security Advisory 2024-3527-03 - Red Hat AMQ Streams 2.7.0 is now available from the Red Hat Customer Portal. Issues addressed include buffer overflow, denial of service, integer overflow, memory leak, and resource exhaustion vulnerabilities.
Red Hat Security Advisory 2024-1570-03 - Updated images are now available for Red Hat Advanced Cluster Security. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-0998-03 - Red Hat OpenShift distributed tracing 3.1.0.
Red Hat Security Advisory 2024-0853-03 - Network Observability is an OpenShift operator that deploys a monitoring pipeline to collect and enrich network flows that are produced by the Network Observability eBPF agent.
Red Hat Security Advisory 2024-0804-03 - A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal. Issues addressed include bypass, cross site scripting, and open redirection vulnerabilities.
Red Hat Security Advisory 2024-0800-03 - New Red Hat Single Sign-On 7.6.7 packages are now available for Red Hat Enterprise Linux 9. Issues addressed include bypass, cross site scripting, and open redirection vulnerabilities.
Red Hat Security Advisory 2024-0799-03 - New Red Hat Single Sign-On 7.6.7 packages are now available for Red Hat Enterprise Linux 8. Issues addressed include bypass, cross site scripting, and open redirection vulnerabilities.
Red Hat Security Advisory 2024-0778-03 - An update for Jenkins and Jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, improper authorization, information leakage, insecure permissions, and open redirection vulnerabilities.
Red Hat Security Advisory 2024-0777-03 - An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.14. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, information leakage, and open redirection vulnerabilities.
Red Hat Security Advisory 2024-0777-03 - An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.14. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, information leakage, and open redirection vulnerabilities.
Red Hat Security Advisory 2024-0720-03 - Migration Toolkit for Runtimes 1.2.4 release. Issues addressed include an XML injection vulnerability.
Red Hat Security Advisory 2024-0719-03 - Migration Toolkit for Runtimes 1.2.4 release. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-0293-03 - Red Hat OpenShift Container Platform release 4.14.10 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Security Advisory 2024-0293-03 - Red Hat OpenShift Container Platform release 4.14.10 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Security Advisory 2024-0292-03 - Red Hat build of MicroShift release 4.14.10 is now available with updates to packages and images that fix several bugs.
Red Hat Security Advisory 2024-0271-03 - There is a moderate update for the the Logging Subsystem 5.8.2. Red Hat OpenShift security update.
Red Hat Security Advisory 2023-7678-03 - Red Hat AMQ Streams 2.6.0 is now available from the Red Hat Customer Portal. Issues addressed include XML injection, bypass, and open redirection vulnerabilities.
Red Hat Security Advisory 2023-7639-03 - An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-7638-03 - An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.
Gentoo Linux Security Advisory 202311-9 - Multiple vulnerabilities have been discovered in Go, the worst of which could lead to remote code execution. Versions greater than or equal to 1.20.10 are affected.
Red Hat Security Advisory 2023-7202-01 - An update for the container-tools:4.0 module is now available for Red Hat Enterprise Linux 8.
Red Hat Security Advisory 2023-6161-01 - The Migration Toolkit for Containers 1.7.14 is now available. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-6161-01 - The Migration Toolkit for Containers 1.7.14 is now available. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-6085-01 - An update is now available for Red Hat Openshift distributed tracing 2.9. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-6085-01 - An update is now available for Red Hat Openshift distributed tracing 2.9. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5976-01 - An update is now available for Service Telemetry Framework 1.5.2. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5974-01 - An update for network-observability-console-plugin-container, network-observability-ebpf-agent-container, network-observability-flowlogs-pipeline-container, network-observability-operator-bundle-container, and network-observability-operator-container is now available for NETWORK-OBSERVABILITY-1.4.0-RHEL-9. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5974-01 - An update for network-observability-console-plugin-container, network-observability-ebpf-agent-container, network-observability-flowlogs-pipeline-container, network-observability-operator-bundle-container, and network-observability-operator-container is now available for NETWORK-OBSERVABILITY-1.4.0-RHEL-9. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5969-01 - An update for collectd-libpod-stats, etcd, and python-octavia-tests-tempest is now available for Red Hat OpenStack Platform 17.1.1. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5965-01 - An update for collectd-libpod-stats and etcd is now available for Red Hat OpenStack Platform 16.2.5. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5964-01 - An update for collectd-libpod-stats is now available for Red Hat OpenStack Platform 16.2.5. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5935-01 - An update for osp-director-agent-container, osp-director-downloader-container, osp-director-operator-bundle-container, and osp-director-operator-container is now available for Red Hat OpenStack Platform 16.2.5. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5935-01 - An update for osp-director-agent-container, osp-director-downloader-container, osp-director-operator-bundle-container, and osp-director-operator-container is now available for Red Hat OpenStack Platform 16.2.5. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5805-01 - Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language. Issues addressed include a denial of service vulnerability.
Vulnerability in the Sun ZFS Storage Appliance product of Oracle Systems (component: Core). The supported version that is affected is 8.8.60. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Sun ZFS Storage Appliance. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
IBM QRadar SIEM 7.5.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 254138
Red Hat Security Advisory 2023-5491-01 - AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. This release of Red Hat AMQ Broker 7.11.2 includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.
Red Hat Security Advisory 2023-5396-01 - Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale. Data Grid 8.4.4 replaces Data Grid 8.4.3 and includes bug fixes and enhancements. Issues addressed include a denial of service vulnerability.
An update for Red Hat Data Grid 8 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-45047: A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server. * CVE-2023-3628: A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the...
Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload.
Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce.
Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not escape the queue name parameter passed to a form validation URL, when rendering an error message, resulting in an HTML injection vulnerability.
Jenkins TAP Plugin 2.3 and earlier does not escape TAP file contents, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control TAP file contents.
Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
A missing permission check in Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins.
Jenkins Pipeline Maven Integration Plugin 1330.v18e473854496 and earlier does not properly mask (i.e., replace with asterisks) usernames of credentials specified in custom Maven settings in Pipeline build logs if "Treat username as secret" is checked.
Red Hat Security Advisory 2023-4919-01 - Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.6.5 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.6.4, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-4918-01 - Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.6.5 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.6.4, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-4924-01 - Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.6.5 serves as a replacement for Red Hat Single Sign-On 7.6.4, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include a denial of service vulnerability.
New Red Hat Single Sign-On 7.6.5 packages are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-46877: A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. * CVE-2023-1436: A flaw was found in Jettison. Infinite recursion is triggered in Jettison when constructing a JSONArray fr...
Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2. When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used. This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways. Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed. User...
Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2. When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used. This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways. Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed. User...
Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.
The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.
An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-45787: A flaw was found in Apache James's Mime4j TempFileStorageProvider class, where it may set improper permissions when utilizing temporary files. This flaw allows a locally authorized attacker to access information outside their intended permissions. * CVE-2023-0481: In RestEasy Reactive implementation of Quarkus the insecure File.createTempFi...
Ubuntu Security Notice 6179-1 - It was discovered that Jettison incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.
Red Hat Security Advisory 2023-3667-01 - A security update for Camel Extensions for Quarkus 2.13.3 is now available. The purpose of this text-only errata is to inform you about the security issues fixed. Red Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section.
Red Hat Integration Camel Extensions for Quarkus 2.13.3 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed. Red Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-37533: A flaw was found in Apache Commons Net's FTP, where the client trusts the host from PASV response by default. A malicious server could redirect the Commons Net code to use a different host, but the user has to connect to the malicious se...
Ubuntu Security Notice 6177-1 - It was discovered that Jettison incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.
Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
An issue was discovered jackson-databind thru 2.15.2 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.
An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.
An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.
Red Hat Security Advisory 2023-0553-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include code execution, cross site scripting, denial of service, deserialization, memory exhaustion, and server-side request forgery vulnerabilities.
Red Hat Security Advisory 2023-0552-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include code execution, cross site scripting, denial of service, deserialization, memory exhaustion, and server-side request forgery vulnerabilities.
Red Hat Security Advisory 2023-0554-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include code execution, cross site scripting, denial of service, deserialization, memory exhaustion, and server-side request forgery vulnerabilities.
Red Hat Security Advisory 2023-0556-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include code execution, cross site scripting, denial of service, deserialization, memory exhaustion, and server-side request forgery vulnerabilities.
Red Hat Security Advisory 2023-0544-01 - This patch, Camel for Spring Boot 3.14.5 Patch 1, serves as a replacement for the previous release of Camel for Spring Boot 3.14.5 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. This release of Camel for Spring Boot includes CXF artifacts that were missing from the previous 3.14.5 release. Issues addressed include a server-side request forgery vulnerability.
An update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2015-9251: jquery: Cross-site scripting via cross-domain ajax requests * CVE-2016-10735: bootstrap: XSS in the data-target attribute * CVE-2017-18214: nodejs-moment: Regular expression denial of service * CVE-2018-14040: bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute * CVE-2018-14041: bootstrap: Cross-site Scripting (...
A patch is now available for Camel for Spring Boot 3.14.5. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40149: jettison: parser crash by stackoverflow * CVE-2022-45693: jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos * CVE-2022-46363: Apache CXF: directory listing / code exfiltration * CVE...
Debian Linux Security Advisory 5312-1 - Several flaws have been discovered in libjettison-java, a collection of StAX parsers and writers for JSON. Specially crafted user input may cause a denial of service via out-of-memory or stack overflow errors.
Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.
Red Hat Security Advisory 2022-7529-01 - The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Issues addressed include denial of service and memory exhaustion vulnerabilities.
OpenShift API for Data Protection (OADP) 1.0.4 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-30629: golang: crypto/tls: session ti...
Red Hat Security Advisory 2022-6370-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.0 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix security issues and several bugs. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2022-6345-01 - Multicluster engine for Kubernetes 2.1 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy. Issues addressed include a denial of service vulnerability.
Red Hat Advanced Cluster Management for Kubernetes 2.6.0 General Availability release images, which fix security issues and bugs. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-28131: golang: encoding/xml: stack exhaustion in Decoder.Skip * CVE-2022-30629: golang: crypto/tls: session tickets lack random ticket_a...
Multicluster Engine v2.1 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-28131: golang: encoding/xml: stack exhaustion in Decoder.Skip * CVE-2022-30629: golang: crypto/tls: session tickets lack random ticket_age_add * CVE-2022-30630: golang: io/fs: stack exhaustion in Glob * CVE-2022-30631: golang: compress/gzi...
Gatekeeper Operator v0.2 security updates Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-28131: golang: encoding/xml: stack exhaustion in Decoder.Skip * CVE-2022-30629: golang: crypto/tls: session tickets lack random ticket_age_add * CVE-2022-30630: golang: io/fs: stack exhaustion in Glob * CVE-2022-30631: gol...
Submariner 0.13 packages that fix security issues and bugs, as well as adds various enhancements that are now available for Red Hat Advanced Cluster Management for Kubernetes version 2.6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions...
Red Hat OpenShift Service Mesh 2.2.2 Containers Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-28131: golang: encoding/xml: stack exhaustion in Decoder.Skip * CVE-2022-30630: golang: io/fs: stack exhaustion in Glob * CVE-2022-30632: golang: path/filepath: stack exhaustion in Glob * CVE-2022-30633: golang: encoding/xml: stack exhaustion in Unmarshal * CVE-2022-30635: golang: encoding/gob: stack...
Red Hat Security Advisory 2022-6188-01 - This is an updated release of the Node Maintenance Operator. The Node Maintenance Operator cordons off nodes from the rest of the cluster and drains all the pods from the nodes. By placing nodes under maintenance, administrators can proactively power down nodes, move workloads to other parts of the cluster, and ensure that workloads do not get interrupted.