RHSA-2023:0074: Red Hat Security Advisory: RHV 4.4 SP1 [ovirt-4.5.3-3] security update

Updated RHV packages that fix several bugs and add various enhancements are now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2021-30483: isomorphic-git: Directory traversal via a crafted repository
  • CVE-2022-45047: mina-sshd: Java unsafe deserialization vulnerability
Red Hat Security Data

Issued:

2023-01-11

Updated:

2023-01-11

RHSA-2023:0074 - Security Advisory

Synopsis

Important: RHV 4.4 SP1 [ovirt-4.5.3-3] security update

Type/Severity

Security Advisory: Important

Description

The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.

Security fix(es):

  • mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
  • isomorphic-git: Directory traversal via a crafted repository (CVE-2021-30483)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • With this release, SELinux rules for the Grafana HTTP port are now properly set up for new remote DWH installations as part of the Red Hat Virtualization Manager engine-setup. (BZ#2126778)
  • Previously, search conditions were not applied properly when a non-admin user tried to search for Clusters or Data Centers over the REST API. In this release, both admin and non-admin users can search for clusters properly using the REST API. (BZ#2144346)
  • Previously, stale bitmaps in the base image during a cold or live internal merge caused the operation to fail. In this release, the merge operation succeeds. (BZ#2141371)

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/2974891
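To confirm that a host actually carries the fixed builds after the update, the installed EPOCH:VERSION-RELEASE of each affected package has to be compared with the versions listed in this advisory using RPM's version ordering, not plain string comparison. The following is an added example, not code from Red Hat or from the advisory: it implements an rpmvercmp-style comparison (handling `~` pre-release markers but not `^`, by assumption), takes the fixed versions from the package list above, and runs over constructed `rpm -qa` output lines; the function names are this example's own.

```python
import re
from itertools import zip_longest

# VERSION-RELEASE of the fixed builds, copied from this advisory's package list
# (no epoch is listed, so epoch 0 is assumed).
FIXED_EVR = {
    "apache-sshd": "2.9.2-0.1.el8ev",
    "ovirt-engine": "4.5.3.5-1.el8ev",
    "ovirt-engine-backend": "4.5.3.5-1.el8ev",
    "ovirt-engine-restapi": "4.5.3.5-1.el8ev",
    "ovirt-engine-ui-extensions": "1.3.7-1.el8ev",
    "ovirt-web-ui": "1.9.3-1.el8ev",
    "rhv-log-collector-analyzer": "1.0.16-1.el8ev",
    "rhvm": "4.5.3.5-1.el8ev",
    "vdsm": "4.50.3.6-1.el8ev",
}

# Version strings are split into digit runs, letter runs and '~'; every other
# character (., -, _ ...) is a separator and carries no meaning.
_TOKEN = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way RPM orders them.

    Returns -1 if a is older, 0 if equal, 1 if a is newer. Rules:
    numeric segments compare as integers ("1.10" > "1.9"), a numeric segment
    is newer than an alphabetic one, the string with more segments left wins,
    and '~' sorts before anything, even the end of the string ("1.0~rc1" < "1.0").
    Assumption: the '^' post-release marker is not handled.
    """
    for x, y in zip_longest(_TOKEN.findall(a), _TOKEN.findall(b)):
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x is None:
            return -1
        if y is None:
            return 1
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1
        if x_num:
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return 0


def split_evr(evr: str):
    """'[epoch:]version-release' -> (epoch, version, release); missing epoch is '0'."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, sep, release = evr.rpartition("-")
    if not sep:
        version, release = evr, ""
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Order two EVR strings: epoch first, then version, then release."""
    for x, y in zip(split_evr(a), split_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def audit(rpm_qa_output: str, fixed=FIXED_EVR) -> dict:
    """Report, per installed package covered by the advisory, whether the
    installed EVR is at least the fixed EVR. Input is the output of:
        rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\\n'
    (rpm prints '(none)' for an unset epoch). Packages not in the advisory
    are ignored."""
    report = {}
    for line in rpm_qa_output.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] not in fixed:
            continue
        name, epoch, version, release = parts
        epoch = "0" if epoch == "(none)" else epoch
        installed = f"{epoch}:{version}-{release}"
        report[name] = "fixed" if evr_cmp(installed, fixed[name]) >= 0 else "needs update"
    return report


# Constructed sample rpm -qa output; the pre-update versions are illustrative only.
SAMPLE_RPM_QA = """\
ovirt-engine (none) 4.5.3.4 1.el8ev
apache-sshd (none) 2.8.0 0.1.el8ev
vdsm (none) 4.50.3.6 1.el8ev
rhvm (none) 4.5.3.5 1.el8ev
ovirt-web-ui (none) 1.9.2 1.el8ev
bash (none) 4.4.20 4.el8
"""

if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLE_RPM_QA).items()):
        print(f"{name:30s} {status}")
```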

Affected Products

  • Red Hat Virtualization Manager 4.4 x86_64
  • Red Hat Virtualization 4 for RHEL 8 x86_64
  • Red Hat Virtualization Host 4 for RHEL 8 x86_64
  • Red Hat Virtualization for IBM Power LE 4 for RHEL 8 ppc64le

Fixes

  • BZ - 1988539 - CVE-2021-30483 isomorphic-git: Directory traversal via a crafted repository
  • BZ - 2126778 - Port 3000 blocked between engine and remote DWH with Grafana
  • BZ - 2141371 - Incorrect image chain when deleting an intermediate snapshot
  • BZ - 2144346 - Search returns all entities the permissions allow if the user is not admin
  • BZ - 2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability
  • BZ - 2152015 - Discrepancy tool fails with KeyError
  • BZ - 2152845 - Storage stabilization for 4.5.3

Red Hat Virtualization Manager 4.4

SRPM

apache-sshd-2.9.2-0.1.el8ev.src.rpm

SHA-256: aa2380792a2f8320ce681ea458209b028bde77b6d44d538bc61b08c6c185d9c1

ovirt-engine-4.5.3.5-1.el8ev.src.rpm

SHA-256: 4d1b398ba06a3d76a86374b18c79ca8918c2123a8847aecbca94cb57cc47e50a

ovirt-engine-ui-extensions-1.3.7-1.el8ev.src.rpm

SHA-256: fca95c401ab5b37535550ebddec739b70ee6d15ea91579703c79486e3c021c82

ovirt-web-ui-1.9.3-1.el8ev.src.rpm

SHA-256: 0c81821eae73fba1f04a1fc0ac62c82f8724e56c895396f3c513ac7a4151cdf6

rhv-log-collector-analyzer-1.0.16-1.el8ev.src.rpm

SHA-256: ec684718bffd6a4c8d4a2a3bac0ee662bf0d511aae54003f91655eba353de40f

x86_64

apache-sshd-2.9.2-0.1.el8ev.noarch.rpm

SHA-256: 112d5c1b9f589310ef57c1f56bf258b35f57bc630d7fa049b5a8db3bdf97fc12

apache-sshd-javadoc-2.9.2-0.1.el8ev.noarch.rpm

SHA-256: ec64f18865c71f63fb1cd1a93a1fb597011b62370eac61c90df4cea54caa7fc3

ovirt-engine-4.5.3.5-1.el8ev.noarch.rpm

SHA-256: 266b261f86928178fa508e48a00046066f0a0799b4db02e43957036456f38798

ovirt-engine-backend-4.5.3.5-1.el8ev.noarch.rpm

SHA-256: 1b28586aacd240eef958aec1447382512093cdb97324840e9010b8c430580a5b

ovirt-engine-dbscripts-4.5.3.5-1.el8ev.noarch.rpm

SHA-256: 98ab530ee64884f9a82ccf472577ec47784789b6af49e6de37ccbcd110b9b155

ovirt-engine-health-check-bundler-4.5.3.5-1.el8ev.noarch.rpm

SHA-256: c12290a0b8b0e6baa7e7ce8f93f7eb946556f4a0a80367f0d6c0deef71b4bf72

ovirt-engine-restapi-4.5.3.5-1.el8ev.noarch.rpm

SHA-256: 449b0f296505898f802ef23bbae23597625acc34ea200ac87019b48cda5c1063

ovirt-engine-setup-4.5.3.5-1.el8ev.noarch.rpm

SHA-256: 04af43d11ce51bb427ad121e856a0ae101fa4762bd2e15670bba7e491d3c2448

ovirt-engine-setup-base-4.5.3.5-1.el8ev.noarch.rpm

SHA-256: 686792a6557cf8a8f0a380564d4ade4d8059a866049cc552ff0f4b61a931b7b9

ovirt-engine-setup-plugin-cinderlib-4.5.3.5-1.el8ev.noarch.rpm

SHA-256: 4113c752f08d7e5fb1d200746f6232ea7a156188d0fe10ae01927fd571d93084

ovirt-engine-setup-plugin-imageio-4.5.3.5-1.el8ev.noarch.rpm

SHA-256: 657d05dc8a3eb8b65c21c89f0fb7ccf93d039e3842860a6fc30dc977b42b1180

ovirt-engine-setup-plugin-ovirt-engine-4.5.3.5-1.el8ev.noarch.rpm

SHA-256: c18d6aa3a2d75b1be64cadacb93d5311c30ed43ccc728cf489df3201edc13674

ovirt-engine-setup-plugin-ovirt-engine-common-4.5.3.5-1.el8ev.noarch.rpm

SHA-256: b8cafd05be13d94f6f40ec1c9493e05933ef6905dc99b65e3fe1884cfb522828

ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.3.5-1.el8ev.noarch.rpm

SHA-256: 7d937b923ed02a8f6270c80403c8ea1e8bc15b1741c9702c01972829c944e430

ovirt-engine-setup-plugin-websocket-proxy-4.5.3.5-1.el8ev.noarch.rpm

SHA-256: ae5f2e4ada944456c3ecd76d2fbfb9eb8572e32d1ac9ec96bf631ba199e0bcef

ovirt-engine-tools-4.5.3.5-1.el8ev.noarch.rpm

SHA-256: 579c08c5b8c27a0d2b956aeeb36e2da79067315ea2bea35c366450be71f534ab

ovirt-engine-tools-backup-4.5.3.5-1.el8ev.noarch.rpm

SHA-256: 1d764678cf22e74ac85a3b90dad3cd781b5ffdace8ba60d65bc19a2ada5a12e8

ovirt-engine-ui-extensions-1.3.7-1.el8ev.noarch.rpm

SHA-256: 67fc6608896dd08809e84ec6ba1057cdfbc8fe7a75ca27054e30ecd16cdaa540

ovirt-engine-vmconsole-proxy-helper-4.5.3.5-1.el8ev.noarch.rpm

SHA-256: c64e50ce379dfcdef7e2bec4686ee63429036db26a3d7f323e2f8baaf382f9c8

ovirt-engine-webadmin-portal-4.5.3.5-1.el8ev.noarch.rpm

SHA-256: f570769694732dde6543ffef1c5a898b3ee6ce020ea6e12e085a6d23ecc76d11

ovirt-engine-websocket-proxy-4.5.3.5-1.el8ev.noarch.rpm

SHA-256: ea30f613529fba270158c0da6a175c53aebca1e02fb07b22935c24297608a300

ovirt-web-ui-1.9.3-1.el8ev.noarch.rpm

SHA-256: 205c05d259b44b9d1d9fa9d1081d5b884ecbf8d08a68a272c849619681606c99

python3-ovirt-engine-lib-4.5.3.5-1.el8ev.noarch.rpm

SHA-256: a9958edc7370d9d7a775cd27a1e25c05b04a5200d6ddfd85f147aa28cec8184d

rhv-log-collector-analyzer-1.0.16-1.el8ev.noarch.rpm

SHA-256: 250436893823974490d10a18060ccac482f1fa2d203bf7e4eb5b502efcfe6ce3

rhvm-4.5.3.5-1.el8ev.noarch.rpm

SHA-256: 9154ebb602b591eae73fe5b10b486df88488a476a0241b45f9239e3892c09d1e

Red Hat Virtualization 4 for RHEL 8

SRPM

vdsm-4.50.3.6-1.el8ev.src.rpm

SHA-256: 966d0af029ea034bd4ff0322320df28ceb1c1c262fb3c97f3ca08b4d45e51a81

x86_64

vdsm-4.50.3.6-1.el8ev.x86_64.rpm

SHA-256: 09944215fafb8bfb69c5559502fc4fc7355d927a274899dfb6cc26001b249cd2

vdsm-api-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: 864c12cb1e6a8251883378e46736eff75da29558d7bc1cf235ed08f871be39ae

vdsm-client-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: 2e6a780d175e9d1ab367bd3bde0864ad75e8ef6bf3493d4f9ccec9938e3ba008

vdsm-common-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: 6928ddf703dba82d5ce06641edfb9352d537ce36487fcdf29462eec243f8f745

vdsm-gluster-4.50.3.6-1.el8ev.x86_64.rpm

SHA-256: 5e9b8f9d8c5981de9c208807575a34f81250c97170605d3d13cb629aa875bdf4

vdsm-hook-checkips-4.50.3.6-1.el8ev.x86_64.rpm

SHA-256: ad1dacac1e50c89e73da2a5b3415dd662146c4f2f56a68121d6694b8dd606514

vdsm-hook-cpuflags-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: c594acb7b116947df745a46b031195955d222bc32fc5f59b0f68579f072dde20

vdsm-hook-ethtool-options-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: 930976038a485e2fd72bc2824e7e98345702fba5df4c3e0bffa1999812d18938

vdsm-hook-extra-ipv4-addrs-4.50.3.6-1.el8ev.x86_64.rpm

SHA-256: f202ab705b8e259cd943b69af744a60f43d8fdfc1007e30b25369ae7a54842ba

vdsm-hook-fcoe-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: 86752963eaef890840d41dbea1ff108f6414573d551b37f1cb82eda743f760cf

vdsm-hook-localdisk-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: 09d65962dc21c982ba56c11946422ec5a1f26194b8652abc0964ef408093284f

vdsm-hook-nestedvt-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: a169e66a0bce4e919ea6e0fa74b40995a40c5ad2d6b583d9e67f92849f9aee19

vdsm-hook-openstacknet-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: ae640765766ab7b553a0f81c4e9f5e4e4af77a9c1b36be1f08b19947beea5aa5

vdsm-hook-vhostmd-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: eaa554b7c273e11cc10380ea7a478b45d47a6ae763fda2bd8e96ede7f64601c7

vdsm-http-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: 6f06645c2895baf48538fd0548a5fe65bccf03759d1debe2d05a2e5770c9faa4

vdsm-jsonrpc-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: 0f90cad7912de2d35c31581597a8739d0c7fbbad62e2230e026cbb2fa735ebb6

vdsm-network-4.50.3.6-1.el8ev.x86_64.rpm

SHA-256: eb96c7a2500cae4421c44b7701635243fdf591cfd3c8757abd4f4a9706ca254a

vdsm-python-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: 60cc8145d2375c937d132cadf7513695f4ccfc07043a911fb41ddba7690cd41e

vdsm-yajsonrpc-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: 37c347b87f27d79857ad50f42c4f293d9a7efb475259de20a7a10196ac875433

Red Hat Virtualization Host 4 for RHEL 8

SRPM

vdsm-4.50.3.6-1.el8ev.src.rpm

SHA-256: 966d0af029ea034bd4ff0322320df28ceb1c1c262fb3c97f3ca08b4d45e51a81

x86_64

vdsm-hook-checkips-4.50.3.6-1.el8ev.x86_64.rpm

SHA-256: ad1dacac1e50c89e73da2a5b3415dd662146c4f2f56a68121d6694b8dd606514

vdsm-hook-cpuflags-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: c594acb7b116947df745a46b031195955d222bc32fc5f59b0f68579f072dde20

vdsm-hook-ethtool-options-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: 930976038a485e2fd72bc2824e7e98345702fba5df4c3e0bffa1999812d18938

vdsm-hook-extra-ipv4-addrs-4.50.3.6-1.el8ev.x86_64.rpm

SHA-256: f202ab705b8e259cd943b69af744a60f43d8fdfc1007e30b25369ae7a54842ba

vdsm-hook-fcoe-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: 86752963eaef890840d41dbea1ff108f6414573d551b37f1cb82eda743f760cf

vdsm-hook-localdisk-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: 09d65962dc21c982ba56c11946422ec5a1f26194b8652abc0964ef408093284f

vdsm-hook-nestedvt-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: a169e66a0bce4e919ea6e0fa74b40995a40c5ad2d6b583d9e67f92849f9aee19

vdsm-hook-openstacknet-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: ae640765766ab7b553a0f81c4e9f5e4e4af77a9c1b36be1f08b19947beea5aa5

vdsm-hook-vhostmd-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: eaa554b7c273e11cc10380ea7a478b45d47a6ae763fda2bd8e96ede7f64601c7

Red Hat Virtualization for IBM Power LE 4 for RHEL 8

SRPM

vdsm-4.50.3.6-1.el8ev.src.rpm

SHA-256: 966d0af029ea034bd4ff0322320df28ceb1c1c262fb3c97f3ca08b4d45e51a81

ppc64le

vdsm-4.50.3.6-1.el8ev.ppc64le.rpm

SHA-256: 9e3ff53b8f37ac8f9e82a8e75bf0cd8f5c498413557ed2090fc00e7538721df8

vdsm-api-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: 864c12cb1e6a8251883378e46736eff75da29558d7bc1cf235ed08f871be39ae

vdsm-client-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: 2e6a780d175e9d1ab367bd3bde0864ad75e8ef6bf3493d4f9ccec9938e3ba008

vdsm-common-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: 6928ddf703dba82d5ce06641edfb9352d537ce36487fcdf29462eec243f8f745

vdsm-hook-checkips-4.50.3.6-1.el8ev.ppc64le.rpm

SHA-256: fa2cb2b03356b242930e6d24520e54f6fb262c8dffe10597cc128f95821007f0

vdsm-hook-cpuflags-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: c594acb7b116947df745a46b031195955d222bc32fc5f59b0f68579f072dde20

vdsm-hook-ethtool-options-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: 930976038a485e2fd72bc2824e7e98345702fba5df4c3e0bffa1999812d18938

vdsm-hook-extra-ipv4-addrs-4.50.3.6-1.el8ev.ppc64le.rpm

SHA-256: ad9367d922a2fe517127c440688bc420a6dc6a0260a8ad58bd11f2e3b0050ea7

vdsm-hook-fcoe-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: 86752963eaef890840d41dbea1ff108f6414573d551b37f1cb82eda743f760cf

vdsm-hook-localdisk-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: 09d65962dc21c982ba56c11946422ec5a1f26194b8652abc0964ef408093284f

vdsm-hook-nestedvt-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: a169e66a0bce4e919ea6e0fa74b40995a40c5ad2d6b583d9e67f92849f9aee19

vdsm-hook-openstacknet-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: ae640765766ab7b553a0f81c4e9f5e4e4af77a9c1b36be1f08b19947beea5aa5

vdsm-hook-vhostmd-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: eaa554b7c273e11cc10380ea7a478b45d47a6ae763fda2bd8e96ede7f64601c7

vdsm-http-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: 6f06645c2895baf48538fd0548a5fe65bccf03759d1debe2d05a2e5770c9faa4

vdsm-jsonrpc-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: 0f90cad7912de2d35c31581597a8739d0c7fbbad62e2230e026cbb2fa735ebb6

vdsm-network-4.50.3.6-1.el8ev.ppc64le.rpm

SHA-256: 4ab9809e8a10e8b537a2f662d0fcbee3ee1eac4e36d2d5403b00353ab117c247

vdsm-python-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: 60cc8145d2375c937d132cadf7513695f4ccfc07043a911fb41ddba7690cd41e

vdsm-yajsonrpc-4.50.3.6-1.el8ev.noarch.rpm

SHA-256: 37c347b87f27d79857ad50f42c4f293d9a7efb475259de20a7a10196ac875433

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.


Red Hat Security Advisory 2023-0556-01

Red Hat Security Advisory 2023-0556-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include code execution, cross site scripting, denial of service, deserialization, memory exhaustion, and server-side request forgery vulnerabilities.

RHSA-2023:0556: Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update

An update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2015-9251: jquery: Cross-site scripting via cross-domain ajax requests
  • CVE-2016-10735: bootstrap: XSS in the data-target attribute
  • CVE-2017-18214: nodejs-moment: Regular expression denial of service
  • CVE-2018-14040: bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute
  • CVE-2018-14041: bootstrap: Cross-site Scripting (...

CVE-2023-21850: Oracle Critical Patch Update Advisory - January 2023

Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

Red Hat Security Advisory 2022-8957-01

Red Hat Security Advisory 2022-8957-01 - This release of Red Hat build of Quarkus 2.7.6.SP3 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section. Issues addressed include a deserialization vulnerability.

RHSA-2022:8957: Red Hat Security Advisory: Red Hat build of Quarkus Platform 2.7.6.SP3 and security update

An update is now available for Red Hat build of Quarkus Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-4116: quarkus_dev_ui: Dev UI Config Editor is vulnerable to drive-by localhost attacks leading to RCE
  • CVE-2022-4147: quarkus-vertx-http: Security misconfiguration of CORS : OWASP A05_2021 level in Quarkus
  • CVE-2022-45047: mina-sshd: Java unsafe deserialization vulnerability

CVE-2022-45047: Apache MINA SSHD: Java unsafe deserialization vulnerability

Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.