Headline
RHSA-2022:8959: Red Hat Security Advisory: rh-maven36-bcel security update
An update for rh-maven36-bcel is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-42920: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing
Skip to navigation Skip to main content
Utilities
- Subscriptions
- Downloads
- Containers
- Support Cases
Infrastructure and Management
- Red Hat Enterprise Linux
- Red Hat Virtualization
- Red Hat Identity Management
- Red Hat Directory Server
- Red Hat Certificate System
- Red Hat Satellite
- Red Hat Subscription Management
- Red Hat Update Infrastructure
- Red Hat Insights
- Red Hat Ansible Automation Platform
Cloud Computing
- Red Hat OpenShift
- Red Hat CloudForms
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform
- Red Hat OpenShift Data Science
- Red Hat OpenShift Online
- Red Hat OpenShift Dedicated
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Quay
- OpenShift Dev Spaces
- Red Hat OpenShift Service on AWS
Storage
- Red Hat Gluster Storage
- Red Hat Hyperconverged Infrastructure
- Red Hat Ceph Storage
- Red Hat OpenShift Data Foundation
Runtimes
- Red Hat Runtimes
- Red Hat JBoss Enterprise Application Platform
- Red Hat Data Grid
- Red Hat JBoss Web Server
- Red Hat Single Sign On
- Red Hat support for Spring Boot
- Red Hat build of Node.js
- Red Hat build of Thorntail
- Red Hat build of Eclipse Vert.x
- Red Hat build of OpenJDK
- Red Hat build of Quarkus
Integration and Automation
- Red Hat Process Automation
- Red Hat Process Automation Manager
- Red Hat Decision Manager
All Products
Issued:
2022-12-13
Updated:
2022-12-13
RHSA-2022:8959 - Security Advisory
- Overview
- Updated Packages
Synopsis
Important: rh-maven36-bcel security update
Type/Severity
Security Advisory: Important
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
An update for rh-maven36-bcel is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The Byte Code Engineering Library (Apache Commons BCEL) is intended to give users a convenient way to analyze, create, and manipulate (binary) Java class files (those ending with .class).
Security Fix(es):
- Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
- Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7 s390x
- Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7 ppc64le
- Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64
Fixes
- BZ - 2142707 - CVE-2022-42920 Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7
SRPM
rh-maven36-bcel-6.3.1-2.3.el7.src.rpm
SHA-256: 1c5ebce67e1a43bef181dd77142e9e527e20a2a60a80e79dcb63d9efc23555ec
x86_64
rh-maven36-bcel-6.3.1-2.3.el7.noarch.rpm
SHA-256: 166d008ba910afae78ff980180781d9fefa1232f6b1a0bb3cd85a457ccdf02ab
rh-maven36-bcel-javadoc-6.3.1-2.3.el7.noarch.rpm
SHA-256: b3b34236b83122b399bd671aea7cbba1954894a3381c0d3fba5e55d5dcb66f72
Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7
SRPM
rh-maven36-bcel-6.3.1-2.3.el7.src.rpm
SHA-256: 1c5ebce67e1a43bef181dd77142e9e527e20a2a60a80e79dcb63d9efc23555ec
s390x
rh-maven36-bcel-6.3.1-2.3.el7.noarch.rpm
SHA-256: 166d008ba910afae78ff980180781d9fefa1232f6b1a0bb3cd85a457ccdf02ab
rh-maven36-bcel-javadoc-6.3.1-2.3.el7.noarch.rpm
SHA-256: b3b34236b83122b399bd671aea7cbba1954894a3381c0d3fba5e55d5dcb66f72
Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7
SRPM
rh-maven36-bcel-6.3.1-2.3.el7.src.rpm
SHA-256: 1c5ebce67e1a43bef181dd77142e9e527e20a2a60a80e79dcb63d9efc23555ec
ppc64le
rh-maven36-bcel-6.3.1-2.3.el7.noarch.rpm
SHA-256: 166d008ba910afae78ff980180781d9fefa1232f6b1a0bb3cd85a457ccdf02ab
rh-maven36-bcel-javadoc-6.3.1-2.3.el7.noarch.rpm
SHA-256: b3b34236b83122b399bd671aea7cbba1954894a3381c0d3fba5e55d5dcb66f72
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7
SRPM
rh-maven36-bcel-6.3.1-2.3.el7.src.rpm
SHA-256: 1c5ebce67e1a43bef181dd77142e9e527e20a2a60a80e79dcb63d9efc23555ec
x86_64
rh-maven36-bcel-6.3.1-2.3.el7.noarch.rpm
SHA-256: 166d008ba910afae78ff980180781d9fefa1232f6b1a0bb3cd85a457ccdf02ab
rh-maven36-bcel-javadoc-6.3.1-2.3.el7.noarch.rpm
SHA-256: b3b34236b83122b399bd671aea7cbba1954894a3381c0d3fba5e55d5dcb66f72
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Gentoo Linux Security Advisory 202405-16 - A vulnerability has been discovered in Apache Commons BCEL, which can lead to remote code execution. Versions greater than or equal to 6.6.0 are affected.
Vulnerability in the Sun ZFS Storage Appliance product of Oracle Systems (component: Core). The supported version that is affected is 8.8.60. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Sun ZFS Storage Appliance. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).
A minor version update (from 7.11 to 7.12) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2012-5783: It was found that Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or su...
Migration Toolkit for Applications 6.0.1 release Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36567: A flaw was found in gin. This issue occurs when the default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path. * CVE-2021-35065: A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to...
Red Hat Security Advisory 2023-0470-01 - An update is now available for Migration Toolkit for Runtimes (v1.0.1).
Red Hat Security Advisory 2023-0471-01 - An update is now available for Migration Toolkit for Runtimes (v1.0.1). Issues addressed include a denial of service vulnerability.
An update is now available for Migration Toolkit for Runtimes (v1.0.1). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-42920: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing
An update is now available for Migration Toolkit for Runtimes (v1.0.1). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-25914: jib-core: RCE via the isDockerInstalled * CVE-2022-37603: loader-utils:Regular expression denial of service * CVE-2022-42003: jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS * CVE-2022-42004: jackson-databind: use of deeply nested arrays * CVE-2022...
Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
IBM Business Automation Workflow 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, and 22.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 238054.
Red Hat Security Advisory 2023-0005-01 - The Byte Code Engineering Library is intended to give users a convenient way to analyze, create, and manipulate Java class files.
Red Hat Security Advisory 2023-0004-01 - The Byte Code Engineering Library is intended to give users a convenient way to analyze, create, and manipulate Java class files.
An update for bcel is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-42920: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing
An update for bcel is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-42920: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing
Red Hat Security Advisory 2022-8958-01 - The Byte Code Engineering Library is intended to give users a convenient way to analyze, create, and manipulate Java class files.
Red Hat Security Advisory 2022-8959-01 - The Byte Code Engineering Library is intended to give users a convenient way to analyze, create, and manipulate Java class files.
An update for bcel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-42920: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing
Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news
Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.
Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.