RHSA-2023:0074: Red Hat Security Advisory: RHV 4.4 SP1 [ovirt-4.5.3-3] security update
Updated RHV packages that fix several bugs and add various enhancements are now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2021-30483: isomorphic-git: Directory traversal via a crafted repository
- CVE-2022-45047: mina-sshd: Java unsafe deserialization vulnerability
Issued: 2023-01-11
Updated: 2023-01-11
RHSA-2023:0074 - Security Advisory
Synopsis
Important: RHV 4.4 SP1 [ovirt-4.5.3-3] security update
Type/Severity
Security Advisory: Important
Description
The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.
Security fix(es):
- mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
- isomorphic-git: Directory traversal via a crafted repository (CVE-2021-30483)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- With this release, SELinux rules for the Grafana HTTP port are now properly set up for new remote DWH installations as part of the Red Hat Virtualization Manager engine-setup. (BZ#2126778)
- Previously, search conditions were not applied properly when a non-admin user tried to search for Clusters or Data Centers over the REST API. In this release, both admin and non-admin users can search for clusters properly using the REST API. (BZ#2144346)
- Previously, stale bitmaps in the base image during a cold or live internal merge caused the operation to fail. In this release, the merge operation succeeds. (BZ#2141371)
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/2974891
Affected Products
- Red Hat Virtualization Manager 4.4 x86_64
- Red Hat Virtualization 4 for RHEL 8 x86_64
- Red Hat Virtualization Host 4 for RHEL 8 x86_64
- Red Hat Virtualization for IBM Power LE 4 for RHEL 8 ppc64le
Fixes
- BZ - 1988539 - CVE-2021-30483 isomorphic-git: Directory traversal via a crafted repository
- BZ - 2126778 - Port 3000 blocked between engine and remote DWH with Grafana
- BZ - 2141371 - Incorrect image chain when deleting an intermediate snapshot
- BZ - 2144346 - Search returns all entities the permissions allow if the user is not admin
- BZ - 2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability
- BZ - 2152015 - Discrepancy tool fails with KeyError
- BZ - 2152845 - Storage stabilization for 4.5.3
Updated Packages
Red Hat Virtualization Manager 4.4
SRPM:
- apache-sshd-2.9.2-0.1.el8ev.src.rpm
- ovirt-engine-4.5.3.5-1.el8ev.src.rpm
- ovirt-engine-ui-extensions-1.3.7-1.el8ev.src.rpm
- ovirt-web-ui-1.9.3-1.el8ev.src.rpm
- rhv-log-collector-analyzer-1.0.16-1.el8ev.src.rpm
x86_64:
- apache-sshd-2.9.2-0.1.el8ev.noarch.rpm
- apache-sshd-javadoc-2.9.2-0.1.el8ev.noarch.rpm
- ovirt-engine-4.5.3.5-1.el8ev.noarch.rpm
- ovirt-engine-backend-4.5.3.5-1.el8ev.noarch.rpm
- ovirt-engine-dbscripts-4.5.3.5-1.el8ev.noarch.rpm
- ovirt-engine-health-check-bundler-4.5.3.5-1.el8ev.noarch.rpm
- ovirt-engine-restapi-4.5.3.5-1.el8ev.noarch.rpm
- ovirt-engine-setup-4.5.3.5-1.el8ev.noarch.rpm
- ovirt-engine-setup-base-4.5.3.5-1.el8ev.noarch.rpm
- ovirt-engine-setup-plugin-cinderlib-4.5.3.5-1.el8ev.noarch.rpm
- ovirt-engine-setup-plugin-imageio-4.5.3.5-1.el8ev.noarch.rpm
- ovirt-engine-setup-plugin-ovirt-engine-4.5.3.5-1.el8ev.noarch.rpm
- ovirt-engine-setup-plugin-ovirt-engine-common-4.5.3.5-1.el8ev.noarch.rpm
- ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.3.5-1.el8ev.noarch.rpm
- ovirt-engine-setup-plugin-websocket-proxy-4.5.3.5-1.el8ev.noarch.rpm
- ovirt-engine-tools-4.5.3.5-1.el8ev.noarch.rpm
- ovirt-engine-tools-backup-4.5.3.5-1.el8ev.noarch.rpm
- ovirt-engine-ui-extensions-1.3.7-1.el8ev.noarch.rpm
- ovirt-engine-vmconsole-proxy-helper-4.5.3.5-1.el8ev.noarch.rpm
- ovirt-engine-webadmin-portal-4.5.3.5-1.el8ev.noarch.rpm
- ovirt-engine-websocket-proxy-4.5.3.5-1.el8ev.noarch.rpm
- ovirt-web-ui-1.9.3-1.el8ev.noarch.rpm
- python3-ovirt-engine-lib-4.5.3.5-1.el8ev.noarch.rpm
- rhv-log-collector-analyzer-1.0.16-1.el8ev.noarch.rpm
- rhvm-4.5.3.5-1.el8ev.noarch.rpm
Red Hat Virtualization 4 for RHEL 8
SRPM:
- vdsm-4.50.3.6-1.el8ev.src.rpm
x86_64:
- vdsm-4.50.3.6-1.el8ev.x86_64.rpm
- vdsm-api-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-client-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-common-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-gluster-4.50.3.6-1.el8ev.x86_64.rpm
- vdsm-hook-checkips-4.50.3.6-1.el8ev.x86_64.rpm
- vdsm-hook-cpuflags-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-hook-ethtool-options-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-hook-extra-ipv4-addrs-4.50.3.6-1.el8ev.x86_64.rpm
- vdsm-hook-fcoe-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-hook-localdisk-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-hook-nestedvt-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-hook-openstacknet-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-hook-vhostmd-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-http-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-jsonrpc-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-network-4.50.3.6-1.el8ev.x86_64.rpm
- vdsm-python-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-yajsonrpc-4.50.3.6-1.el8ev.noarch.rpm
Red Hat Virtualization Host 4 for RHEL 8
SRPM:
- vdsm-4.50.3.6-1.el8ev.src.rpm
x86_64:
- vdsm-hook-checkips-4.50.3.6-1.el8ev.x86_64.rpm
- vdsm-hook-cpuflags-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-hook-ethtool-options-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-hook-extra-ipv4-addrs-4.50.3.6-1.el8ev.x86_64.rpm
- vdsm-hook-fcoe-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-hook-localdisk-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-hook-nestedvt-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-hook-openstacknet-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-hook-vhostmd-4.50.3.6-1.el8ev.noarch.rpm
Red Hat Virtualization for IBM Power LE 4 for RHEL 8
SRPM:
- vdsm-4.50.3.6-1.el8ev.src.rpm
ppc64le:
- vdsm-4.50.3.6-1.el8ev.ppc64le.rpm
- vdsm-api-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-client-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-common-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-hook-checkips-4.50.3.6-1.el8ev.ppc64le.rpm
- vdsm-hook-cpuflags-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-hook-ethtool-options-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-hook-extra-ipv4-addrs-4.50.3.6-1.el8ev.ppc64le.rpm
- vdsm-hook-fcoe-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-hook-localdisk-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-hook-nestedvt-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-hook-openstacknet-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-hook-vhostmd-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-http-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-jsonrpc-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-network-4.50.3.6-1.el8ev.ppc64le.rpm
- vdsm-python-4.50.3.6-1.el8ev.noarch.rpm
- vdsm-yajsonrpc-4.50.3.6-1.el8ev.noarch.rpm
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Red Hat Security Advisory 2023-5396-01 - Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale. Data Grid 8.4.4 replaces Data Grid 8.4.3 and includes bug fixes and enhancements. Issues addressed include a denial of service vulnerability.
A flaw was found in Red Hat Single Sign-On for OpenShift container images, which are configured with an unsecured management interface enabled. This flaw allows an attacker to use this interface to deploy malicious code and access and modify potentially sensitive information in the app server configuration.
An update is now available for Red Hat Process Automation Manager. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which provides a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-30129: A vulnerability in sshd-core of Apache Mina SSHD allows an attacker to overflow the server causing an OutOfMemory error. This issue affects the SFTP and port forwarding features of Apache Mina SSHD version 2.0.0 and later versions. It was addressed in Apache Mina SSHD 2.7.0 * CVE-2022-3171: A parsing issue with binary data in protobuf-java core and...
Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).
Camel for Spring Boot 3.18.3 Patch 2 release and security update is now available. Red Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25857: A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections. * CVE-2022-38749: A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remot...
An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.11. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-26291: A flaw was found in maven. Repositories that are defined in a dependency’s Project Object Model (pom), which may be unknown to users, are used by default resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that r...
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...
An update for Jenkins and Jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-29047: A flaw was found in the Jenkins Pipeline: Shared Groovy Libraries plugin. The Jenkins Pipeline: Shared Groovy Libraries plugin allows attackers to submit pull requests. However, the attacker cannot commit directly to the configured Source Control Management (SCM) to effectively change the Pipeline be...
Red Hat Security Advisory 2023-1045-01 - Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.6.2 on RHEL 9 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution, cross site scripting, denial of service, deserialization, html injection, memory exhaustion, server-side request forgery, and traversal vulnerabilities.
Red Hat Security Advisory 2023-1044-01 - Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.6.2 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution, cross site scripting, denial of service, deserialization, html injection, memory exhaustion, server-side request forgery, and traversal vulnerabilities.
A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2018-14040: In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. * CVE-2018-14042: In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. * CVE-2019-11358: A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modi...
A new image is available for Red Hat Single Sign-On 7.6.2, running on Red Hat OpenShift Container Platform from the release of 3.11 up to the release of 4.12.0. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2018-14040: In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. * CVE-2018-14042: In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. * CVE-2019-11358: A Prototype Pollution vulnerability was found in jque...
New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2018-14040: In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. * CVE-2018-14042: In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. * CVE-2019-11358: A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modi...
Red Hat Security Advisory 2023-0778-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.9.56.
Red Hat OpenShift Container Platform release 4.9.56 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.9. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-7692: PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enou...
An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1471: A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE). * CVE-2022-41881: A flaw was found in codec-haproxy from the Netty project....
Red Hat Security Advisory 2023-0713-01 - Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. Data Grid 8.4.1 replaces Data Grid 8.4.0 and includes bug fixes and enhancements. Issues addressed include denial of service and deserialization vulnerabilities.
Red Hat Security Advisory 2023-0560-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Issues addressed include bypass, cross site request forgery, cross site scripting, denial of service, deserialization, and improper authorization vulnerabilities.
Red Hat OpenShift Container Platform release 4.10.51 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-7692: PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the ...
Red Hat Security Advisories 2023-0552-01, 2023-0553-01, 2023-0554-01 and 2023-0556-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include code execution, cross site scripting, denial of service, deserialization, memory exhaustion, and server-side request forgery vulnerabilities.
An update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2015-9251: jquery: Cross-site scripting via cross-domain ajax requests * CVE-2016-10735: bootstrap: XSS in the data-target attribute * CVE-2017-18214: nodejs-moment: Regular expression denial of service * CVE-2018-14040: bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute * CVE-2018-14041: bootstrap: Cross-site Scripting (...
Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
Red Hat Security Advisory 2022-8957-01 - This release of Red Hat build of Quarkus 2.7.6.SP3 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section. Issues addressed include a deserialization vulnerability.
An update is now available for Red Hat build of Quarkus Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-4116: quarkus_dev_ui: Dev UI Config Editor is vulnerable to drive-by localhost attacks leading to RCE * CVE-2022-4147: quarkus-vertx-http: Security misconfiguration of CORS : OWASP A05_2021 level in Quarkus * CVE-2022-45047: mina-sshd: Java unsafe deserialization vulnerability
Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server. Java deserialization instantiates whatever class the stream names before the result is checked against the expected type, so a host key file that an attacker can write or substitute becomes a deserialization entry point into the server process.
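The following is an added example and is not code from Apache MINA SSHD or from the advisory. It puts the unsafe pattern the CVE describes (a bare ObjectInputStream.readObject() on a host key file, then a cast to PrivateKey) next to the same load gated by an ObjectInputFilter allowlist, which is available from Java 9 onward. The Payload class stands in for any class on the server's classpath with a readObject() that does work; the set of allowed classes is this example's choice, derived from how the JDK serializes a PrivateKey (via java.security.KeyRep), and is not a mina-sshd constant.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.KeyPairGenerator;
import java.security.KeyRep;
import java.security.PrivateKey;
import java.util.Arrays;
import java.util.Set;

// Added example, not mina-sshd code: unsafe host key deserialization next to a
// filtered load. Requires Java 9+ for ObjectInputFilter.
public class HostKeyDeserialization {

    // Constructed stand-in for an attacker-chosen class that is on the server's
    // classpath. Its readObject() runs while the stream is being read, i.e.
    // before the caller's cast to PrivateKey is ever evaluated.
    static final class Payload implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean triggered = false;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            triggered = true; // a real gadget chain would execute code here
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: the file decides which class is instantiated; the cast
    // only happens after that object's readObject()/readResolve() already ran.
    static PrivateKey loadHostKeyUnsafe(byte[] hostKeyFile) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(hostKeyFile))) {
            return (PrivateKey) ois.readObject();
        }
    }

    // A JDK PrivateKey is written through writeReplace() as java.security.KeyRep,
    // whose fields are a KeyRep.Type enum, two Strings and the encoded byte[].
    // Allowlist chosen for this example (assumption, not a mina-sshd constant).
    static final Set<Class<?>> ALLOWED = Set.of(
            KeyRep.class, KeyRep.Type.class, Enum.class, String.class, byte[].class);

    static PrivateKey loadHostKeyFiltered(byte[] hostKeyFile) throws IOException, ClassNotFoundException {
        ObjectInputFilter keyClassesOnly = info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                return ObjectInputFilter.Status.UNDECIDED; // depth/reference bookkeeping calls
            }
            return ALLOWED.contains(c) ? ObjectInputFilter.Status.ALLOWED
                                       : ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(hostKeyFile))) {
            ois.setObjectInputFilter(keyClassesOnly); // must be installed before readObject()
            return (PrivateKey) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // A genuine host key, serialized the way a provider would have written it.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        PrivateKey original = kpg.generateKeyPair().getPrivate();
        PrivateKey loaded = loadHostKeyFiltered(serialize(original));
        System.out.println("filtered load of real key intact: "
                + Arrays.equals(original.getEncoded(), loaded.getEncoded()));

        // Host key file substituted by someone who can write to the key path.
        byte[] tamperedFile = serialize(new Payload());
        try {
            loadHostKeyUnsafe(tamperedFile);
        } catch (ClassCastException e) {
            System.out.println("unsafe load: payload code ran before the cast = " + Payload.triggered);
        }

        Payload.triggered = false;
        try {
            loadHostKeyFiltered(tamperedFile);
        } catch (InvalidClassException e) {
            System.out.println("filtered load rejected (" + e.getMessage()
                    + "), payload code ran = " + Payload.triggered);
        }
    }
}
```

Run with `java HostKeyDeserialization.java` on JDK 11 or later. The unsafe path reports that Payload.triggered is true even though the cast failed, while the filtered path fails with an InvalidClassException before Payload is instantiated. An allowlist keyed on exact classes is the point: a blocklist of known gadget classes would have to be maintained forever, and the filter must be set on the stream before the first readObject(), because the class descriptor is resolved and checked as the first step of reading an object.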