RHSA-2023:0261: Red Hat Security Advisory: Satellite 6.12.1 Async Security Update

Updated Satellite 6.12 packages that fix critical security bugs and several regular bugs are now available for Red Hat Satellite.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-32224: activerecord: Possible RCE escalation bug with Serialized Columns in Active Record
  • CVE-2022-42889: apache-commons-text: variable interpolation RCE
Red Hat Security Data

Synopsis

Critical: Satellite 6.12.1 Async Security Update

Type/Severity

Security Advisory: Critical

Topic

Updated Satellite 6.12 packages that fix critical security bugs and several regular bugs are now available for Red Hat Satellite.

Description

Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments.

Security fix(es):
tfm-rubygem-activerecord: activerecord: Possible RCE escalation bug with Serialized Columns in Active Record (CVE-2022-32224)
candlepin: apache-commons-text: variable interpolation RCE (CVE-2022-42889)

This update fixes the following bugs:
2082209 - Another deadlock issue when syncing repos with high concurrency
2141308 - It appears that the egg is downloaded every time
2150069 - With every edit of an existing webhook, the value in the password field disappears in Satellite 6.10/6.11/6.12
2150108 - Satellite-clone not working if ansible-core 2.13 is installed
2150111 - Insights recommendation sync failing in Satellite
2150112 - Random failure of Inventory Sync
2150114 - insights-client --register --verbose throwing error UnicodeEncodeError: ‘ascii’ codec can’t encode character ‘\ufffd’ in position 94: ordinal not in range(128)
2150118 - Error “no certificate or crl found” when using an HTTP proxy as “Default Http Proxy” for content syncing or manifest operations in Satellite 6.12
2150119 - Content view publish fails when the content view and repository both have a large name with : Error message: the server returns an error HTTP status code: 500
2150123 - Inspecting an image with skopeo no longer works on Capsules
2150125 - Syncable exports across partitions cause an ‘Invalid cross-device link’ error
2150120 - Upgrade to Satellite 6.12 may fail to apply the RemoveDrpmFromIgnorableContent migration if erratum is also an ignorable content type for any repo

Users of Red Hat Satellite are advised to upgrade to these updated packages, which fix these bugs.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258
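Because the advisory states the fixed package builds explicitly (the SRPM and RPM lists further down), the check a practitioner wants before and after applying the update is whether every installed package from that list is at or above the fixed build, compared the way rpm compares versions rather than as plain strings. The Ruby script below is an added example, not part of the advisory and not Red Hat's own tooling. It assumes an inventory produced by `rpm -qa --qf '%{NAME}\t%{EPOCH}\t%{VERSION}\t%{RELEASE}\n'`, takes a subset of the advisory's x86_64 file names as the fixed set, and uses constructed, hypothetical pre-update versions for the sample host.

```ruby
# Added example, not part of RHSA-2023:0261 or of Red Hat's tooling. It checks an
# installed package inventory against the fixed versions the advisory lists, using
# a port of rpm's rpmvercmp so that 6.0.6-1.el8sat < 6.0.6-2.el8sat is judged the
# way rpm judges it. Assumptions: the inventory is the output of
#   rpm -qa --qf '%{NAME}\t%{EPOCH}\t%{VERSION}\t%{RELEASE}\n'
# and the fixed set is a subset of the advisory's x86_64 package file names.

# Fixed package builds copied from the advisory's Red Hat Satellite 6.12 list.
FIXED_PACKAGES = %w[
  candlepin-4.1.18-1.el8sat.noarch.rpm
  foreman-3.3.0.18-1.el8sat.noarch.rpm
  rubygem-activerecord-6.0.6-2.el8sat.noarch.rpm
  rubygem-katello-4.5.0.22-1.el8sat.noarch.rpm
  rubygem-rails-6.0.6-2.el8sat.noarch.rpm
  satellite-6.12.1-1.el8sat.noarch.rpm
].freeze

# Constructed inventory of a host that has not taken the update; the pre-update
# versions are hypothetical and chosen only to exercise the comparison.
SAMPLE_INVENTORY = <<~RPMQA
  rubygem-activerecord\t(none)\t6.0.6\t1.el8sat
  candlepin\t(none)\t4.1.18\t1.el8sat
  foreman\t(none)\t3.3.0.17\t1.el8sat
  rubygem-rails\t(none)\t6.0.6\t2.el8sat
  satellite\t(none)\t6.12.0\t1.el8sat
RPMQA

# Port of rpm's rpmvercmp: segments compare numerically when they start with a
# digit and lexically otherwise; '~' sorts before everything (pre-releases) and
# '^' sorts after the bare version but before any other suffix.
def rpmvercmp(a, b)
  return 0 if a == b
  a = a.dup
  b = b.dup
  loop do
    a.sub!(/\A[^A-Za-z0-9~^]+/, '')
    b.sub!(/\A[^A-Za-z0-9~^]+/, '')
    if a.start_with?('~') || b.start_with?('~')
      return 1 unless a.start_with?('~')
      return -1 unless b.start_with?('~')
      a.slice!(0)
      b.slice!(0)
      next
    end
    if a.start_with?('^') || b.start_with?('^')
      return -1 if a.empty?
      return 1 if b.empty?
      return 1 unless a.start_with?('^')
      return -1 unless b.start_with?('^')
      a.slice!(0)
      b.slice!(0)
      next
    end
    break if a.empty? || b.empty?
    numeric = a.match?(/\A\d/)
    seg_a = a.slice!(numeric ? /\A\d+/ : /\A[A-Za-z]+/)
    seg_b = b.slice!(numeric ? /\A\d+/ : /\A[A-Za-z]+/)
    # A numeric segment outranks an alphabetic one at the same position.
    if seg_b.nil?
      return numeric ? 1 : -1
    end
    if numeric
      seg_a = seg_a.sub(/\A0+/, '')
      seg_b = seg_b.sub(/\A0+/, '')
      return seg_a.length <=> seg_b.length unless seg_a.length == seg_b.length
    end
    cmp = seg_a <=> seg_b
    return cmp unless cmp.zero?
  end
  return 0 if a.empty? && b.empty?
  a.empty? ? -1 : 1
end

# Epoch, then version, then release, exactly as rpm orders EVR.
def evr_compare(x, y)
  %i[epoch version release].each do |field|
    c = rpmvercmp(x[field], y[field])
    return c unless c.zero?
  end
  0
end

# Parses one `rpm -qa --qf` line; rpm prints "(none)" for an unset epoch.
def parse_inventory_line(line)
  name, epoch, version, release = line.chomp.split("\t")
  { name: name, epoch: epoch == '(none)' ? '0' : epoch, version: version, release: release }
end

# Parses NAME-VERSION-RELEASE.ARCH.rpm as written in the advisory (epoch assumed 0).
def parse_package_filename(filename)
  m = filename.match(/\A(.+)-([^-]+)-([^-]+)\.[^.-]+\.rpm\z/)
  raise ArgumentError, "not an rpm file name: #{filename}" unless m
  { name: m[1], epoch: '0', version: m[2], release: m[3] }
end

# Names of installed packages that are still older than the fixed build. Fixed
# packages that are not installed at all (candlepin on a Capsule) are not reported.
def missing_fixes(inventory_text, fixed_filenames = FIXED_PACKAGES)
  fixed = fixed_filenames.map { |f| parse_package_filename(f) }.to_h { |p| [p[:name], p] }
  inventory_text.each_line.map(&:chomp).reject(&:empty?)
                .map { |l| parse_inventory_line(l) }
                .select { |p| fixed.key?(p[:name]) && evr_compare(p, fixed[p[:name]]) < 0 }
                .map { |p| p[:name] }
end

if $PROGRAM_NAME == __FILE__
  inventory = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_INVENTORY
  stale = missing_fixes(inventory)
  puts(stale.empty? ? 'all listed packages at or above the fixed builds' :
                      "still below the fixed builds: #{stale.join(', ')}")
end
```

On a real host, save the query output to a file and pass it as the first argument (`rpm -qa --qf '%{NAME}\t%{EPOCH}\t%{VERSION}\t%{RELEASE}\n' > inventory.tsv; ruby check_rhsa.rb inventory.tsv`); with no argument the script runs against the constructed sample and reports rubygem-activerecord, foreman and satellite as still below the fixed builds. The comparison is what matters: a plain string comparison would rank 3.3.0.9 above 3.3.0.18, and a pre-release such as 6.12.1~rc1 above 6.12.1, both of which rpm orders the other way.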

Affected Products

  • Red Hat Satellite 6.12 x86_64
  • Red Hat Satellite Capsule 6.12 x86_64
  • Red Hat Enterprise Linux for x86_64 8 x86_64

Fixes

  • BZ - 2082209 - Another deadlock issue when syncing repos with high concurrency
  • BZ - 2108997 - CVE-2022-32224 activerecord: Possible RCE escalation bug with Serialized Columns in Active Record
  • BZ - 2135435 - CVE-2022-42889 apache-commons-text: variable interpolation RCE
  • BZ - 2141308 - It appears that the egg is downloaded every time
  • BZ - 2150069 - With every edit of an existing webhook, the value in the password field disappears in Satellite 6.10/6.11/6.12
  • BZ - 2150108 - Satellite-clone not working if ansible-core 2.13 is installed
  • BZ - 2150111 - Insights recommendation sync failing in Satellite
  • BZ - 2150112 - Random failure of Inventory Sync
  • BZ - 2150114 - insights-client --register --verbose throwing error UnicodeEncodeError: ‘ascii’ codec can’t encode character ‘\ufffd’ in position 94: ordinal not in range(128)
  • BZ - 2150118 - Error “no certificate or crl found” when using an HTTP proxy as “Default Http Proxy” for content syncing or manifest operations in Satellite 6.12
  • BZ - 2150119 - Content view publish fails when the content view and repository both have a large name with : Error message: the server returns an error HTTP status code: 500
  • BZ - 2150120 - Upgrade to Satellite 6.12 may fail to apply the RemoveDrpmFromIgnorableContent migration if erratum is also an ignorable content type for any repo
  • BZ - 2150123 - Inspecting an image with skopeo no longer works on Capsules
  • BZ - 2150125 - Syncable exports across partitions cause an ‘Invalid cross-device link’ error

Red Hat Satellite 6.12

SRPM

candlepin-4.1.18-1.el8sat.src.rpm

SHA-256: 561247230ff7e99d896d552b778d65233262c545959d54276687893e87f3b594

foreman-3.3.0.18-1.el8sat.src.rpm

SHA-256: fedd2d422f03e8d6232e89b00f38f8403471e2644e954185b87d1c15f89d32cb

python-pulp-container-2.10.10-1.el8pc.src.rpm

SHA-256: cd6f1a17d6265dba862589d60eea2b0d74ba050b5571095f83f78204c9bcd5fb

python-pulp-rpm-3.18.9-1.el8pc.src.rpm

SHA-256: 2dc0012a268125b99d449b4df3b171aaf72aff195d40acc87159f35b15a7ca2a

python-pulpcore-3.18.11-1.el8pc.src.rpm

SHA-256: d8b01c749458a2b90808404a49911c1bd35fdb5962c7595d601f09678b20f794

rubygem-actioncable-6.0.6-2.el8sat.src.rpm

SHA-256: 31e6d11e7b7f501b8020fa9f005c64519db0d02cada6c968bd843c60e9219c81

rubygem-actionmailbox-6.0.6-2.el8sat.src.rpm

SHA-256: a84be9c95cfe5be3f847a315006f1c2a282b558a8198105a73e7425680cc2fc8

rubygem-actionmailer-6.0.6-2.el8sat.src.rpm

SHA-256: 2588a0dfb56baa39163e9431abf6ce4a4ff19f9b4a811a10c2298628ab7d7de7

rubygem-actionpack-6.0.6-2.el8sat.src.rpm

SHA-256: 291404d5ceb98943360b945cadfc05f6e8181d27d9cbded940dd46c8226be6f7

rubygem-actiontext-6.0.6-2.el8sat.src.rpm

SHA-256: 0416ec87b4bdbc802684079b5b3a8b4975d3c823930a0a2287769c23a0fc33df

rubygem-actionview-6.0.6-2.el8sat.src.rpm

SHA-256: 8a65dbaf02d7de8dc710f38f2d0747f345b898c5ebbd68887f28f0f647e58be9

rubygem-activejob-6.0.6-2.el8sat.src.rpm

SHA-256: 05a6e14278b156027feece0993c12f1f8586ac77c181fbe165c2c863dbe37984

rubygem-activemodel-6.0.6-2.el8sat.src.rpm

SHA-256: 62e905bd51bf4d9494940e56098f9bab0d2cd5104201df450c445f261f4618c9

rubygem-activerecord-6.0.6-2.el8sat.src.rpm

SHA-256: 2e8d82c5ca535a5bcd4dac5e5827a8b1259b3021ebd094defcc7036d4eb53c90

rubygem-activestorage-6.0.6-2.el8sat.src.rpm

SHA-256: 78761daf5ed5b844e1bfe709a0e6fed95f17f487b33e00495343e58609b92d6c

rubygem-activesupport-6.0.6-1.el8sat.src.rpm

SHA-256: 46cc47a6c0f4441912db3cad29c64fa0c4dd4edeff8737cbe55f624711da4a13

rubygem-foreman_rh_cloud-6.0.44-1.el8sat.src.rpm

SHA-256: 21ae39df61498bac2a3a218d3d15407dc333e71c20c31251eee30ebeab3300ad

rubygem-foreman_webhooks-3.0.5-1.1.el8sat.src.rpm

SHA-256: de85af8510b4e1a02b6243716caabf975fa37ab4f7df294c0d5844e8d58b6a7b

rubygem-katello-4.5.0.22-1.el8sat.src.rpm

SHA-256: 618d8bd5ccde392c8d3b10aa86592787f2a44b1f229a8b068024ddced1f784c6

rubygem-rails-6.0.6-2.el8sat.src.rpm

SHA-256: 30f5170b2ff9706a90dda033246b1f846189bd9d0b64cbe3fa7f5daa363d64fc

rubygem-railties-6.0.6-2.el8sat.src.rpm

SHA-256: 3575df4fdd8338a7bc01c858997acd5213f043c87fc6d894e5d4e846f4142e72

rubygem-smart_proxy_container_gateway-1.0.7-1.el8sat.src.rpm

SHA-256: d25225fe207575004785594c7a797968efb5f3dc463fa5618824911825029226

satellite-6.12.1-1.el8sat.src.rpm

SHA-256: 3a3be1e9d607f32dac9448f424ff0d51aac25197b0d7f5ec242a384e2d0a6963

x86_64

candlepin-4.1.18-1.el8sat.noarch.rpm

SHA-256: ad6022877cc9f56e0fd77ef5e7a81e4a8db8c18f245e0eb8aa254123ffe275fb

candlepin-selinux-4.1.18-1.el8sat.noarch.rpm

SHA-256: 0ca2b61fcb707865846579c16b299a76fc273389ded9883eaf2319abd6e8a547

foreman-3.3.0.18-1.el8sat.noarch.rpm

SHA-256: cc4881c84b6f510ca4b7f16cd5a854093946a211e98e37d107a7c663da1bbec6

foreman-cli-3.3.0.18-1.el8sat.noarch.rpm

SHA-256: 205e3b4d18a357980881d6ece2a7d8a0fbe5fb9ad10f6e27e7dbc3353ee0f15c

foreman-debug-3.3.0.18-1.el8sat.noarch.rpm

SHA-256: 12bfe44c71f91bce4f9d14d2d04bd73454abe848e777f7dfe4dd7e243040528f

foreman-dynflow-sidekiq-3.3.0.18-1.el8sat.noarch.rpm

SHA-256: 9ca1157f3a5712cd423f2f4ac46668cc4d6436d24ade3ad431d1b1f1aa877582

foreman-ec2-3.3.0.18-1.el8sat.noarch.rpm

SHA-256: 9045c95764132129268681096fd5b078b6a0b0448a44bc3efcd831d414676f01

foreman-gce-3.3.0.18-1.el8sat.noarch.rpm

SHA-256: 5e442082e1caf66809b0c81e8725f41f08558868432d9accec993664d21f0ec2

foreman-journald-3.3.0.18-1.el8sat.noarch.rpm

SHA-256: a3c9a2a87c092351ad7e690c8aab45a54cd22b1c8db7c64b2213d2e8ec6f462a

foreman-libvirt-3.3.0.18-1.el8sat.noarch.rpm

SHA-256: 9315d10a519fe92875e791a4b99320417eb84149615134188624cd0aedab430d

foreman-openstack-3.3.0.18-1.el8sat.noarch.rpm

SHA-256: a6ec4bf9aee78505ff44b1c55a587fbda9d8234d5a7575d836e85fdbcf2dedb7

foreman-ovirt-3.3.0.18-1.el8sat.noarch.rpm

SHA-256: 552ccff0a3775a1fa4eb493bd43e4d936db20c8fd1e0cf70d9f18db944aff8b2

foreman-postgresql-3.3.0.18-1.el8sat.noarch.rpm

SHA-256: 9eb3601c3a49356a63a366a112b04b00a160e7ee6e92eee8a8c83a23d4004507

foreman-service-3.3.0.18-1.el8sat.noarch.rpm

SHA-256: 3e72402b6cedd95ad6e37d461fa7ff31a1aeb9d4e9627c9875361fc5fa4c542e

foreman-telemetry-3.3.0.18-1.el8sat.noarch.rpm

SHA-256: 979605e7187ecfab5e36511066f26550c7ce92936031738a46f414e4378bf20d

foreman-vmware-3.3.0.18-1.el8sat.noarch.rpm

SHA-256: 9a66da85a2170d226d4c3038a4f5559ea39069546bf8c40e8e2aec9223bdb450

python39-pulp-container-2.10.10-1.el8pc.noarch.rpm

SHA-256: 84ac2ee7857074b971a185187e780b912340724a48263f87668d7430cf010c65

python39-pulp-rpm-3.18.9-1.el8pc.noarch.rpm

SHA-256: 64f3223da865364ce4cbae63de6cf4d691861422b1466db88149b0cf6dbd68ba

python39-pulpcore-3.18.11-1.el8pc.noarch.rpm

SHA-256: 7a3d202d96fad2122e932da115effcda999e74a5675476090912efc18caa9786

rubygem-actioncable-6.0.6-2.el8sat.noarch.rpm

SHA-256: 87fdd5dbb54c1d1be1df75e65d684aacd463370c87faffbef22e36a18c371379

rubygem-actionmailbox-6.0.6-2.el8sat.noarch.rpm

SHA-256: 0ab3af02733d5c62242f20acf3dd14354bdbffe4bcacb5361c5505cb7af86f9d

rubygem-actionmailer-6.0.6-2.el8sat.noarch.rpm

SHA-256: c02f7d419efd182714ee93565f47c30f9929d497b85e328e97bee0eddf28281e

rubygem-actionpack-6.0.6-2.el8sat.noarch.rpm

SHA-256: d30eaf11aa6c569471fe12caddf8839dc63f68c4ef164cf68660a3e636e00d19

rubygem-actiontext-6.0.6-2.el8sat.noarch.rpm

SHA-256: e091583c278829928256e34f4fe0d3a5b3ab4d5f2fa8cc3523a0db40d06ed714

rubygem-actionview-6.0.6-2.el8sat.noarch.rpm

SHA-256: a0465479f248bcb4a33a8ed488e88234bd47a60256eeb9a00efaa94c370c0a41

rubygem-activejob-6.0.6-2.el8sat.noarch.rpm

SHA-256: 5e6b5a917aa551ff9d789e28a9b700bf080ae1159b17182bc2c768a6d9876321

rubygem-activemodel-6.0.6-2.el8sat.noarch.rpm

SHA-256: 78fa3666ac1ce42086bdac74f578dab4a16fcd7feb58bf76019ffe485f572e76

rubygem-activerecord-6.0.6-2.el8sat.noarch.rpm

SHA-256: 911e8f4e956f76e7cc48e69228e657a5a2f06447e21316937e3bca8a14786991

rubygem-activestorage-6.0.6-2.el8sat.noarch.rpm

SHA-256: 8db60be83a38c85daa190c321496b22bad2071155b801d2a4dd55f88a63a32f5

rubygem-activesupport-6.0.6-1.el8sat.noarch.rpm

SHA-256: 8aef3959423815b7d2de7d172ef1ccd11e1b46a91996d455d574303fa9d1852a

rubygem-foreman_rh_cloud-6.0.44-1.el8sat.noarch.rpm

SHA-256: fc3e08af550705c15d38ca9d2b345c966faa181e27f8d0fed4ce59519ee76ade

rubygem-foreman_webhooks-3.0.5-1.1.el8sat.noarch.rpm

SHA-256: c1a15ab29873724656df5fa0c7fbfcf54db22dc980be672049b6da20503f5cda

rubygem-katello-4.5.0.22-1.el8sat.noarch.rpm

SHA-256: b5dc595c446d3b09cfbd1ca3e560f0e2cea1a0d43f1cbf008e8b167e94fd1bbe

rubygem-rails-6.0.6-2.el8sat.noarch.rpm

SHA-256: a418543b5598a97abc6b39732fb304dc0ac757ec6043d25de8ee8b6462db1668

rubygem-railties-6.0.6-2.el8sat.noarch.rpm

SHA-256: abe0556b0565b81d09e6f6699fd5ab2b161681a9a0c915ae88f4f0e996dd8574

rubygem-smart_proxy_container_gateway-1.0.7-1.el8sat.noarch.rpm

SHA-256: ef5b233817897809d1b706f5fdb7fe695d93107caf3134b996fe2901a5cbbe09

satellite-6.12.1-1.el8sat.noarch.rpm

SHA-256: 3c81b543f57e0f682d70fbd5e46670ca6eaffd6aa976295c295f1cf1f973fc02

satellite-cli-6.12.1-1.el8sat.noarch.rpm

SHA-256: 87c5539d875d7078c78db6fed2e1afdcf304413f23d1d05f99aa491da223ab46

satellite-common-6.12.1-1.el8sat.noarch.rpm

SHA-256: 60dfe63c002eb68116467abbc06bc6d0c9d8d9fff706d08bbf41075ac4a0f725

Red Hat Satellite Capsule 6.12

SRPM

foreman-3.3.0.18-1.el8sat.src.rpm

SHA-256: fedd2d422f03e8d6232e89b00f38f8403471e2644e954185b87d1c15f89d32cb

python-pulp-container-2.10.10-1.el8pc.src.rpm

SHA-256: cd6f1a17d6265dba862589d60eea2b0d74ba050b5571095f83f78204c9bcd5fb

python-pulp-rpm-3.18.9-1.el8pc.src.rpm

SHA-256: 2dc0012a268125b99d449b4df3b171aaf72aff195d40acc87159f35b15a7ca2a

python-pulpcore-3.18.11-1.el8pc.src.rpm

SHA-256: d8b01c749458a2b90808404a49911c1bd35fdb5962c7595d601f09678b20f794

rubygem-smart_proxy_container_gateway-1.0.7-1.el8sat.src.rpm

SHA-256: d25225fe207575004785594c7a797968efb5f3dc463fa5618824911825029226

satellite-6.12.1-1.el8sat.src.rpm

SHA-256: 3a3be1e9d607f32dac9448f424ff0d51aac25197b0d7f5ec242a384e2d0a6963

x86_64

foreman-debug-3.3.0.18-1.el8sat.noarch.rpm

SHA-256: 12bfe44c71f91bce4f9d14d2d04bd73454abe848e777f7dfe4dd7e243040528f

python39-pulp-container-2.10.10-1.el8pc.noarch.rpm

SHA-256: 84ac2ee7857074b971a185187e780b912340724a48263f87668d7430cf010c65

python39-pulp-rpm-3.18.9-1.el8pc.noarch.rpm

SHA-256: 64f3223da865364ce4cbae63de6cf4d691861422b1466db88149b0cf6dbd68ba

python39-pulpcore-3.18.11-1.el8pc.noarch.rpm

SHA-256: 7a3d202d96fad2122e932da115effcda999e74a5675476090912efc18caa9786

rubygem-smart_proxy_container_gateway-1.0.7-1.el8sat.noarch.rpm

SHA-256: ef5b233817897809d1b706f5fdb7fe695d93107caf3134b996fe2901a5cbbe09

satellite-capsule-6.12.1-1.el8sat.noarch.rpm

SHA-256: 80e346fa27f5791e671843f9b4d16c9b9e029703497cc911bae6d1576d8a8350

satellite-common-6.12.1-1.el8sat.noarch.rpm

SHA-256: 60dfe63c002eb68116467abbc06bc6d0c9d8d9fff706d08bbf41075ac4a0f725

Red Hat Enterprise Linux for x86_64 8

SRPM

foreman-3.3.0.18-1.el8sat.src.rpm

SHA-256: fedd2d422f03e8d6232e89b00f38f8403471e2644e954185b87d1c15f89d32cb

satellite-6.12.1-1.el8sat.src.rpm

SHA-256: 3a3be1e9d607f32dac9448f424ff0d51aac25197b0d7f5ec242a384e2d0a6963

satellite-clone-3.2.0-2.el8sat.src.rpm

SHA-256: 36047acaca260efa34761fc1ead8175b1a7f8cffdb327955ef030bb164c22037

x86_64

foreman-cli-3.3.0.18-1.el8sat.noarch.rpm

SHA-256: 205e3b4d18a357980881d6ece2a7d8a0fbe5fb9ad10f6e27e7dbc3353ee0f15c

satellite-cli-6.12.1-1.el8sat.noarch.rpm

SHA-256: 87c5539d875d7078c78db6fed2e1afdcf304413f23d1d05f99aa491da223ab46

satellite-clone-3.2.0-2.el8sat.noarch.rpm

SHA-256: fc63c6aeb9601abee4d260e0046984aad80926a5130023fd92dca8af031e50cc

Related news

Gentoo Linux Security Advisory 202408-24

Gentoo Linux Security Advisory 202408-24 - A vulnerability has been discovered in Ruby on Rails, which can lead to remote code execution via serialization of data. Versions greater than or equal to 6.1.6.1:6.1 are affected.

Red Hat Security Advisory 2024-0778-03

Red Hat Security Advisory 2024-0778-03 - An update for Jenkins and Jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, improper authorization, information leakage, insecure permissions, and open redirection vulnerabilities.

Red Hat Security Advisory 2023-7288-01

Red Hat Security Advisory 2023-7288-01 - An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.14. Issues addressed include bypass, code execution, cross site scripting, and denial of service vulnerabilities.

CVE-2023-2541: Security Advisories | KNIME

The Web Frontend of KNIME Business Hub before 1.4.0 allows an unauthenticated remote attacker to access internals about the application such as versions, host names, or IP addresses. No personal information or application data was exposed.

RHSA-2023:3296: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.2.4 security fixes and container updates

Multicluster Engine for Kubernetes 2.2.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32313: A flaw was found in the vm2. After making a vm, the inspect method is read-write for console.log, which allows an attacker to edit options for console.log. This issue impacts the integrity by changing the log subsystem. * CVE-2023-32314: A flaw was found in the vm2 sandbox. When a host ...

Red Hat Security Advisory 2023-3195-01

Red Hat Security Advisory 2023-3195-01 - Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Issues addressed include bypass, cross site scripting, information leakage, and insecure permissions vulnerabilities.

Red Hat Security Advisory 2023-3198-01

Red Hat Security Advisory 2023-3198-01 - Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, deserialization, information leakage, and insecure permissions vulnerabilities.

Red Hat Security Advisory 2023-2097-03

Red Hat Security Advisory 2023-2097-03 - Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool. Issues addressed include code execution, cross site scripting, denial of service, deserialization, improper neutralization, information leakage, and remote shell upload vulnerabilities.

CVE-2023-21954: Oracle Critical Patch Update Advisory - April 2023

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...

Red Hat Security Advisory 2023-1656-01

Red Hat Security Advisory 2023-1656-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.10.56.

RHSA-2023:1525: Red Hat Security Advisory: OpenShift Container Platform 4.9.59 security update

Red Hat OpenShift Container Platform release 4.9.59 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-20329: A flaw was found in Mongo. Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshaling Go objects into BSON. This flaw allows a malicious user to use a Go object with a specific string to inject additional fields into marshaled documen...

Red Hat Security Advisory 2023-1151-01

Red Hat Security Advisory 2023-1151-01 - Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments.

RHSA-2023:1151: Red Hat Security Advisory: Satellite 6.11.5 Async Security Update

Updated Satellite 6.11 packages that fixes critical security bugs and several regular bugs are now available for Red Hat Satellite.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32224: An insecure deserialization flaw was found in Active Record, which uses YAML.unsafe_load to convert the YAML data into Ruby objects. An attacker supplying crafted data to the database can perform remote code execution (RCE), resulting in complete system compromise.

OX App Suite Cross Site Scripting / Server-Side Request Forgery

OX App Suite suffers from cross site scripting and server-side request forgery vulnerabilities.

RHSA-2023:0469: Red Hat Security Advisory: Red Hat Integration Camel Extensions For Quarkus 2.13.2

Red Hat Integration Camel Extensions for Quarkus 2.13.2 is now available. The purpose of this text-only errata is to inform you about the security issues fixed. Red Hat Product Security has rated this update as having an impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40149: jettison: parser crash by stackoverflow * CVE-2022-40150: jettison: memory exhaustion via user-supplied XML or JSON data * CVE-2022-40151: xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks * CVE-2022-40152: woodstox-core: woodstox to...

Red Hat Security Advisory 2023-0261-02

Red Hat Security Advisory 2023-0261-02 - Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments.

CVE-2023-21850: Oracle Critical Patch Update Advisory - January 2023

Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

CVE-2022-39166: IBM Security Guardium is affected by the following vulnerabilities [CVE-2022-39166, CVE-2022-34917, CVE-2022-42889]

IBM Security Guardium 11.4 could allow a privileged user to obtain sensitive information inside of an HTTP response. IBM X-Force ID: 235405.

Red Hat Security Advisory 2022-8902-01

Red Hat Security Advisory 2022-8902-01 - This release of Camel for Spring Boot 3.18.3 serves as a replacement for Camel for Spring Boot 3.14.2 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. Issues addressed include a denial of service vulnerability.

RHSA-2022:8902: Red Hat Security Advisory: Red Hat Camel for Spring Boot 3.18.3 release and security update

A minor version update (from 3.14.5 to 3.18.3) is now available for Camel for Spring Boot. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25897: sdk-server: Denial of Service * CVE-2022-31684: reactor-netty-http: Log request headers in some cases of invalid HTTP requests * CVE-2022-42889: apache-commons-text: variable interpolation RCE

RHSA-2022:8876: Red Hat Security Advisory: Red Hat AMQ Broker 7.10.2 release and security update

Red Hat AMQ Broker 7.10.2 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25857: snakeyaml: Denial of Service due to missing nested depth limitation for collections * CVE-2022-38749: snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode * CVE-2022-38750: snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject * CVE-2022-38751: snakeyaml: Uncaugh...

CVE-2022-32224: [CVE-2022-32224] Possible RCE escalation bug with Serialized Columns in Active Record

A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, <6.1.6.1, <6.0.5.1 and <5.2.8.1 which could allow an attacker, that can manipulate data in the database (via means like SQL injection), the ability to escalate to an RCE.

CVE-2022-44749: Security Advisories | KNIME

A directory traversal vulnerability in the ZIP archive extraction routines of KNIME Analytics Platform 3.2.0 and above can result in arbitrary files being overwritten on the user's system. This vulnerability is also known as 'Zip-Slip'. An attacker can create a KNIME workflow that, when being opened by a user, can overwrite arbitrary files that the user has write access to. It's not necessary to execute the workflow, opening the workflow is sufficient. The user will notice that something is wrong because an error is being reported but only after the files have already been written. This can impact data integrity (file contents are changed) or cause errors in other software (vital files being corrupted). It can even lead to remote code execution if executable files are being replaced and subsequently executed by the user. In all cases the attacker has to know the location of files on the user's system, though.

Exploit Attempts Underway for Apache Commons Text4Shell Vulnerability

The good news: The Apache Commons Text library bug is far less likely to lead to exploitation than last year's Log4j library flaw.

Apache Commons Vulnerability: Patch but Don't Panic

Experts say CVE-2022-42899 is a serious vulnerability, but widespread exploitation is unlikely because of the specific conditions that need to exist for it to happen.

Researchers Keep a Wary Eye on Critical New Vulnerability in Apache Commons Text

There's nothing yet to suggest CVE-2022-42889 is the next Log4j. But proof-of-concept code is available, and interest appears to be ticking up.

CVE-2022-36006: Arvados 2.4.2 Release Notes

Arvados is an open source platform for managing, processing, and sharing genomic and other large scientific and biomedical data. A remote code execution (RCE) vulnerability in the Arvados Workbench allows authenticated attackers to execute arbitrary code via specially crafted JSON payloads. This exists in all versions up to 2.4.1 and is fixed in 2.4.2. This vulnerability is specific to the Ruby on Rails Workbench application (“Workbench 1”). We do not believe any other Arvados components, including the TypeScript browser-based Workbench application (“Workbench 2”) or API Server, are vulnerable to this attack. For versions of Arvados earlier than 2.4.2: remove the Ruby-based "Workbench 1" app ("apt-get remove arvados-workbench") from your installation as a workaround.

GHSA-3hhc-qp5v-9p2j: RCE bug with Serialized Columns in Active Record

When serialized columns that use YAML (the default) are deserialized, Rails uses YAML.unsafe_load to convert the YAML data into Ruby objects. If an attacker can manipulate data in the database (via means like SQL injection), then it may be possible for the attacker to escalate to an RCE. There are no feasible workarounds for this issue, but other coders (such as JSON) are not impacted.
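The GHSA entry above names the mechanism behind CVE-2022-32224 (YAML.unsafe_load applied to a serialized column, so database contents decide which Ruby classes get instantiated) and the shape of the mitigation (a loader that cannot build arbitrary classes, or a coder such as JSON that has no way to name one). The Ruby below is an added example, not Rails code and not part of the advisory: it shows, in plain Psych, what a bounded loader for a serialized column looks like, so that a row whose YAML carries a class tag the application never writes is rejected before any object is constructed, with the JSON coder alternative beside it. It assumes Psych 3.1 or later (Ruby 2.6+) for the `permitted_classes:` keyword; the allow-list `[Symbol, Time]`, the two column values and the placeholder class name in the tag are all constructed.

```ruby
require 'yaml'
require 'json'

# Added example, not code from the advisory or from Rails. It shows the loader
# discipline that bounds the CVE-2022-32224 class of bug: a YAML serialized
# column is read with an allow-list loader (Psych.safe_load with
# permitted_classes:) or stored with a coder such as JSON that cannot name
# Ruby classes at all. Assumes Psych >= 3.1 (Ruby 2.6+).

# Classes the application itself writes into the column (constructed allow-list).
PERMITTED = [Symbol, Time].freeze

# Constructed stand-in for a well-formed serialized column value.
BENIGN_COLUMN = <<~YAML
  ---
  :theme: dark
  :last_login: 2023-01-23 10:00:00 Z
YAML

# Constructed column value carrying an object tag the application never writes;
# the class name is a placeholder and does not need to exist for the check.
TAGGED_COLUMN = <<~YAML
  --- !ruby/object:Example::NeverWritten
  payload: anything
YAML

# Allow-list loader: builds plain data plus PERMITTED only; any other class tag
# raises Psych::DisallowedClass before an object is constructed. aliases: false
# also keeps a stored document from expanding into a large alias graph.
def load_serialized(yaml)
  YAML.safe_load(yaml, permitted_classes: PERMITTED, aliases: false)
end

# :ok or :rejected, so a caller can log and quarantine a bad row instead of
# letting the load raise in the middle of a request.
def classify_column(yaml)
  load_serialized(yaml)
  :ok
rescue Psych::DisallowedClass
  :rejected
end

# With no allow-list at all, even the application's own Symbol keys and Time
# values are rejected: the list has to be explicit and exact, not empty.
def strict_rejects?(yaml)
  YAML.safe_load(yaml)
  false
rescue Psych::DisallowedClass
  true
end

# The JSON coder alternative: the format has no syntax for naming a Ruby class,
# so the parser can only ever return strings, numbers, arrays and hashes.
def load_json_column(json)
  JSON.parse(json, symbolize_names: true)
end

if $PROGRAM_NAME == __FILE__
  puts "benign column: #{classify_column(BENIGN_COLUMN)}"
  puts "tagged column: #{classify_column(TAGGED_COLUMN)}"
  puts "json column:   #{load_json_column('{"theme":"dark"}').inspect}"
end
```

Running it reports the benign column as :ok and the tagged column as :rejected, and `strict_rejects?(BENIGN_COLUMN)` is true, which is the point worth taking to a real application: the allow-list must match exactly what the code writes, and anything outside it fails closed. The Rails-side counterparts are the `yaml_column_permitted_classes` setting that shipped with the fixed releases and `serialize :column, JSON` for the coder route.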

CVE-2019-19034: AssetExplorer ITAM Solution ServicePacks Readme

Zoho ManageEngine Asset Explorer 6.5 does not validate the System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM. This allows an attacker to execute arbitrary commands on the AssetExplorer Server with NT AUTHORITY/SYSTEM privileges.