RHSA-2022:6392: Red Hat Security Advisory: RHV RHEL Host (ovirt-host) [ovirt-4.5.2] security update

Updated host packages that fix several bugs and add various enhancements are now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-31129: moment: inefficient parsing algorithm resulting in DoS
Red Hat Security Data

Issued: 2022-09-08

Updated: 2022-09-08

RHSA-2022:6392 - Security Advisory

Synopsis

Important: RHV RHEL Host (ovirt-host) [ovirt-4.5.2] security update

Type/Severity

Security Advisory: Important

Topic

Updated host packages that fix several bugs and add various enhancements are now available.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The ovirt-host package consolidates host package requirements into a single meta package.

Security Fix(es):

  • moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • The hosted-engine-ha binaries have been moved from /usr/share to /usr/libexec. As a result, the hosted-engine --clean-metadata command fails. With this release, you must use the new path for the command to succeed: /usr/libexec/ovirt-hosted-engine-ha/ovirt-ha-agent (BZ#2105781)
  • A new warning has been added to the vdsm-tool to protect users from using the unsupported user_friendly_names multipath configuration. The following is an example of the output:

$ vdsm-tool is-configured --module multipath
WARNING: Invalid configuration: ‘user_friendly_names’ is enabled in multipath configuration:
section1 {
key1 value1
user_friendly_names yes
key2 value2
}
section2 {
user_friendly_names yes
}
This configuration is not supported and may lead to storage domain corruption. (BZ#1793207)
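A check for this unsupported setting, as an added example that is not vdsm's own code: a small parser for the multipath.conf block syntax that flags every section where user_friendly_names is set to yes and renders a warning in the same shape as the vdsm-tool output above. The sample configuration is constructed for the example.

```python
"""Check a multipath.conf-style file for the unsupported user_friendly_names
setting.

Added example, not vdsm's own code: it mirrors the warning that
`vdsm-tool is-configured --module multipath` prints, using a small parser
for the multipath.conf block syntax (section { key value ... }, with nested
blocks such as devices { device { ... } }).
"""
import re

# Constructed sample configuration; two sections enable the unsupported option.
SAMPLE_CONF = """\
defaults {
    user_friendly_names yes
    find_multipaths no
}
# comment line
blacklist {
    devnode "^sd[a-z]"
}
devices {
    device {
        vendor "ACME"
        user_friendly_names yes
    }
}
"""

# A token is either a double-quoted string or a run of non-space characters.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def parse_multipath_conf(text):
    """Parse multipath.conf text into a list of (section_path, items).

    section_path joins nested section names with "/", e.g. "devices/device";
    items is a list of (key, value) pairs with surrounding quotes removed.
    Sections are emitted in the order their closing brace is reached.
    Comments starting with '#' are dropped (a quoted '#' is not special-cased).
    """
    sections = []
    stack = []  # currently open sections: (name, items)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append((line[:-1].strip(), []))
            continue
        if line == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            name, items = stack.pop()
            parent = "/".join(n for n, _ in stack)
            sections.append((parent + "/" + name if parent else name, items))
            continue
        tokens = _TOKEN.findall(line)
        key, value = tokens[0], " ".join(tokens[1:]).strip('"')
        if stack:
            stack[-1][1].append((key, value))
        else:  # a bare key outside any section
            sections.append(("", [(key, value)]))
    if stack:
        raise ValueError("unterminated section %r" % stack[-1][0])
    return sections


def find_user_friendly_names(sections):
    """Return the paths of every section where user_friendly_names is yes."""
    return [path for path, items in sections
            if any(k == "user_friendly_names" and v.lower() == "yes"
                   for k, v in items)]


def format_warning(sections, hits):
    """Render the offending sections in the shape of the vdsm-tool warning."""
    if not hits:
        return ""
    lines = ["WARNING: Invalid configuration: 'user_friendly_names' is enabled "
             "in multipath configuration:"]
    for path, items in sections:
        if path not in hits:
            continue
        lines.append(path.rsplit("/", 1)[-1] + " {")
        lines.extend("%s %s" % (k, v) for k, v in items)
        lines.append("}")
    lines.append("This configuration is not supported and may lead to storage "
                 "domain corruption.")
    return "\n".join(lines)


def check_multipath_conf(text):
    """Return (is_supported, warning); warning is "" when the config is clean."""
    sections = parse_multipath_conf(text)
    hits = find_user_friendly_names(sections)
    return (not hits), format_warning(sections, hits)


if __name__ == "__main__":
    ok, warning = check_multipath_conf(SAMPLE_CONF)
    print("multipath configuration OK" if ok else warning)
```

Run it against /etc/multipath.conf on a host to get the same verdict the updated vdsm-tool gives, without needing the RHV packages installed.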

Affected Products

  • Red Hat Virtualization 4 for RHEL 8 x86_64
  • Red Hat Virtualization Host 4 for RHEL 8 x86_64
  • Red Hat Virtualization for IBM Power LE 4 for RHEL 8 ppc64le

Fixes

  • BZ - 1793207 - [RFE] Notify if multipath User Friendly Names are used
  • BZ - 2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS
  • BZ - 2105781 - hosted-engine --clean-metadata fails because ovirt-ha-agent has changed location
  • BZ - 2117558 - hosted-engine deploy failed since “Failed to configure OVN controller”

Red Hat Virtualization 4 for RHEL 8

SRPM

  • cockpit-ovirt-0.16.2-1.el8ev.src.rpm
  • mom-0.6.3-1.el8ev.src.rpm
  • ovirt-host-4.5.0-3.1.el8ev.src.rpm
  • ovirt-hosted-engine-setup-2.6.5-1.1.el8ev.src.rpm
  • vdsm-4.50.2.2-1.el8ev.src.rpm

x86_64

  • cockpit-ovirt-dashboard-0.16.2-1.el8ev.noarch.rpm
  • mom-0.6.3-1.el8ev.noarch.rpm
  • ovirt-host-4.5.0-3.1.el8ev.x86_64.rpm
  • ovirt-host-dependencies-4.5.0-3.1.el8ev.x86_64.rpm
  • ovirt-hosted-engine-setup-2.6.5-1.1.el8ev.noarch.rpm
  • vdsm-4.50.2.2-1.el8ev.x86_64.rpm
  • vdsm-api-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-client-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-common-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-gluster-4.50.2.2-1.el8ev.x86_64.rpm
  • vdsm-hook-checkips-4.50.2.2-1.el8ev.x86_64.rpm
  • vdsm-hook-cpuflags-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-hook-ethtool-options-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-hook-extra-ipv4-addrs-4.50.2.2-1.el8ev.x86_64.rpm
  • vdsm-hook-fcoe-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-hook-localdisk-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-hook-nestedvt-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-hook-openstacknet-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-hook-vhostmd-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-http-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-jsonrpc-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-network-4.50.2.2-1.el8ev.x86_64.rpm
  • vdsm-python-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-yajsonrpc-4.50.2.2-1.el8ev.noarch.rpm

Red Hat Virtualization Host 4 for RHEL 8

SRPM

  • vdsm-4.50.2.2-1.el8ev.src.rpm

x86_64

  • vdsm-hook-checkips-4.50.2.2-1.el8ev.x86_64.rpm
  • vdsm-hook-cpuflags-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-hook-ethtool-options-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-hook-extra-ipv4-addrs-4.50.2.2-1.el8ev.x86_64.rpm
  • vdsm-hook-fcoe-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-hook-localdisk-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-hook-nestedvt-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-hook-openstacknet-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-hook-vhostmd-4.50.2.2-1.el8ev.noarch.rpm

Red Hat Virtualization for IBM Power LE 4 for RHEL 8

SRPM

  • mom-0.6.3-1.el8ev.src.rpm
  • ovirt-host-4.5.0-3.1.el8ev.src.rpm
  • vdsm-4.50.2.2-1.el8ev.src.rpm

ppc64le

  • mom-0.6.3-1.el8ev.noarch.rpm
  • ovirt-host-4.5.0-3.1.el8ev.ppc64le.rpm
  • ovirt-host-dependencies-4.5.0-3.1.el8ev.ppc64le.rpm
  • vdsm-4.50.2.2-1.el8ev.ppc64le.rpm
  • vdsm-api-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-client-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-common-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-hook-checkips-4.50.2.2-1.el8ev.ppc64le.rpm
  • vdsm-hook-cpuflags-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-hook-ethtool-options-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-hook-extra-ipv4-addrs-4.50.2.2-1.el8ev.ppc64le.rpm
  • vdsm-hook-fcoe-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-hook-localdisk-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-hook-nestedvt-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-hook-openstacknet-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-hook-vhostmd-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-http-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-jsonrpc-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-network-4.50.2.2-1.el8ev.ppc64le.rpm
  • vdsm-python-4.50.2.2-1.el8ev.noarch.rpm
  • vdsm-yajsonrpc-4.50.2.2-1.el8ev.noarch.rpm

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Related news

GHSA-wc69-rhjr-hc9g: Inefficient Regular Expression Complexity in moment

Impact

  • using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs
  • noticeable slowdown is observed with inputs above 10k characters
  • users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks

Patches

The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking.

Workarounds

In general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to constructor are encouraged to apply such a rudimentary filter, that would help with this but also most future ReDoS vulnerabilities.

References

There is an excellent writeup of the issue here: https://github.com/mo...