RHSA-2023:4341: Red Hat Security Advisory: Logging Subsystem 5.7.4 - Red Hat OpenShift bug fix and security update

Logging Subsystem 5.7.4 - Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-25883: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in node-semver package via the ‘new Range’ function. This issue could allow an attacker to pass untrusted malicious regex user data as a range, causing the service to excessively consume CPU depending upon the input size, resulting in a denial of service.
  • CVE-2023-22796: A flaw was found in rubygem-activesupport. RubyGem’s activesupport gem is vulnerable to a denial of service caused by a regular expression denial of service (ReDoS) flaw in Inflector.underscore. By sending a specially-crafted regex input, a remote attacker can use large amounts of CPU and memory, resulting in a denial of service.
Red Hat Security Data

Issued: 2023-08-02

Updated: 2023-08-02

RHSA-2023:4341 - Security Advisory

Synopsis

Moderate: Logging Subsystem 5.7.4 - Red Hat OpenShift bug fix and security update

Type/Severity

Security Advisory: Moderate

Topic

Logging Subsystem 5.7.4 - Red Hat OpenShift

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Logging Subsystem 5.7.4 - Red Hat OpenShift

Security Fix(es):

  • nodejs-semver: Regular expression denial of service (CVE-2022-25883)
  • rubygem-activesupport: Regular Expression Denial of Service (CVE-2023-22796)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected Products

  • Logging Subsystem for Red Hat OpenShift for ARM 64 5 for RHEL 8 aarch64
  • Logging Subsystem for Red Hat OpenShift 5 for RHEL 8 x86_64
  • Logging Subsystem for Red Hat OpenShift for IBM Power, little endian 5 for RHEL 8 ppc64le
  • Logging Subsystem for Red Hat OpenShift for IBM Z and LinuxONE 5 for RHEL 8 s390x

Fixes

  • BZ - 2164736 - CVE-2023-22796 rubygem-activesupport: Regular Expression Denial of Service
  • BZ - 2216475 - CVE-2022-25883 nodejs-semver: Regular expression denial of service
  • LOG-2701 - [Vector] [Cloudwatch] namespaceUUID is not added to logGroupName when forwarding logs to Cloudwatch.
  • LOG-3880 - Deprecated `curation` and `forwarder` are displayed in the console when creating clusterlogging via `Form view`.
  • LOG-4015 - [Vector][Loki] vector_component_sent_bytes_total metric for Loki sink not exposed by vector.
  • LOG-4073 - Invalid link to doc from installed operator in OpenShift Web Console
  • LOG-4237 - Regression with Red Hat OpenShift Logging 5.7.2
  • LOG-4242 - Vector pods raise `Configuration error` when forwarding to cloudwatch/googlecloudlogging with tlsSecurityProfile configured.
  • LOG-4275 - [release-5.7] Vector pods going into a panic state
  • LOG-4302 - CLO raises error message “URL not secure: , but output gcp-logging has TLS configuration parameters” if add tls.securityProfile to CLF when forwarding to googlecloudlogging/cloudwatch.
  • LOG-4361 - [release-5.7] Setting custom options on the application tenant removes user-alertmanager configuration
  • LOG-4368 - [release-5.7] sts cloudwatch issues after upgrading from 5.5
  • LOG-4389 - [release-5.7] Query Label Values from Loki return duplicate values.

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.

Related news

Red Hat Security Advisory 2024-0719-03

Red Hat Security Advisory 2024-0719-03 - Migration Toolkit for Runtimes 1.2.4 release. Issues addressed include a denial of service vulnerability.

CVE-2021-39008: Security Bulletin: IBM QRadar Wincollect is vulnerable to using components with known vulnerabilities

IBM QRadar WinCollect Agent 10.0 through 10.1.7 could allow a privileged user to obtain sensitive information due to missing best practices. IBM X-Force ID: 213551.

Red Hat Security Advisory 2023-5486-01

Red Hat Security Advisory 2023-5486-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.13 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.12 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.13 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include denial of service and deserialization vulnerabilities.

Red Hat Security Advisory 2023-5485-01

Red Hat Security Advisory 2023-5485-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.13 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.12 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.13 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include denial of service and deserialization vulnerabilities.

Red Hat Security Advisory 2023-5488-01

Red Hat Security Advisory 2023-5488-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.13 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.12 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.13 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include denial of service and deserialization vulnerabilities.

RHSA-2023:5488: Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.13 security update

A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25883: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in node-semver package via the 'new Range' function. This issue could allow an attacker to pass untrusted malicious regex user data as a range, causing the service to excessively consume CPU depending upon the input size, resulting in a denial of servi...

Red Hat Security Advisory 2023-5379-01

Red Hat Security Advisory 2023-5379-01 - Network Observability 1.4.0. Issues addressed include a denial of service vulnerability.

RHSA-2023:5379: Red Hat Security Advisory: Network Observability 1.4.0 for OpenShift

Network Observability is an OpenShift operator that deploys a monitoring pipeline to collect and enrich network flows that are produced by the Network Observability eBPF agent. The operator provides dashboards, metrics, and keeps flows accessible in a queryable log store, Grafana Loki. When a FlowCollector is deployed, new dashboards are available in the Console. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25883: A Regular Expression Denial of Service (ReDoS) vulne...

Red Hat Security Advisory 2023-5362-01

Red Hat Security Advisory 2023-5362-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include bypass and denial of service vulnerabilities.

Red Hat Security Advisory 2023-5361-01

Red Hat Security Advisory 2023-5361-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling, bypass, and denial of service vulnerabilities.

Red Hat Security Advisory 2023-5360-01

Red Hat Security Advisory 2023-5360-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include bypass and denial of service vulnerabilities.

Red Hat Security Advisory 2023-5363-01

Red Hat Security Advisory 2023-5363-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include bypass and denial of service vulnerabilities.

RHSA-2023:5362: Red Hat Security Advisory: nodejs:18 security, bug fix, and enhancement update

An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25883: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in node-semver package via the 'new Range' function. This issue could allow an attacker to pass untrusted malicious regex user data as a range, causing the service to excessively consume CPU depending upon the input size, resulting in a denial of service. * ...

RHSA-2023:5360: Red Hat Security Advisory: nodejs:16 security, bug fix, and enhancement update

An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25883: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in node-semver package via the 'new Range' function. This issue could allow an attacker to pass untrusted malicious regex user data as a range, causing the service to excessively consume CPU depending upon the input size, resulting in a denial of service. * ...

RHSA-2023:5361: Red Hat Security Advisory: nodejs:16 security, bug fix, and enhancement update

An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25883: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in node-semver package via the 'new Range' function. This issue could allow an attacker to pass untrusted malicious regex user data as a range, causing the service to excessively consume CPU depending upon the input size, resulting ...

Red Hat Security Advisory 2023-4341-01

Red Hat Security Advisory 2023-4341-01 - Red Hat OpenShift bug fix and security update. Red Hat Product Security has rated this update as having a security impact of Low. Issues addressed include a denial of service vulnerability.

GHSA-c2qf-rxjj-qqgw: semver vulnerable to Regular Expression Denial of Service

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

CVE-2022-25883: fix: better handling of whitespace (#564) · npm/node-semver@717534e

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Debian Security Advisory 5372-1

Debian Linux Security Advisory 5372-1 - Multiple vulnerabilities were discovered in rails, the Ruby based server-side MVC web application framework, which could result in XSS, data disclosure and open redirect.

CVE-2023-22796: [CVE-2023-22796] Possible ReDoS based DoS vulnerability in Active Support's underscore

A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.

GHSA-j6gc-792m-qgm2: ReDoS based DoS vulnerability in Active Support’s underscore

There is a possible regular expression based DoS vulnerability in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-22796.

Versions Affected: All
Not affected: None
Fixed Versions: 6.1.7.1, 7.0.4.1

Impact: A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. This affects String#underscore, ActiveSupport::Inflector.underscore, String#titleize, and any other methods using these. All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases: The FIXED releases are available at the normal locations.

Workarounds: There are no feasible workarounds for this issue. Users on Ruby 3.2.0 or greater may be able to reduce the impact by configuring Regexp.timeout.

Patches: To aid users who aren't able to upgrade immedi...
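The Regexp.timeout mitigation named above, as an added example that is not code from the advisory, the GHSA, or Active Support: a camelCase-to-snake_case conversion whose regexp matches are individually time-bounded (Ruby 3.2 or newer), with an input-size cap as defence in depth. The pattern, the 4096-character cap and the 0.5 s budget are constructed assumptions, not Active Support's values.

```ruby
# Added example, not code from the advisory or from Active Support. It shows the
# mitigation the GHSA text names for CVE-2023-22796: bounding regexp matching
# time with Regexp.timeout (Ruby >= 3.2), plus an input-size cap as defence in depth.

# Constructed stand-in for a camelCase-to-snake_case inflection pattern; it is
# NOT the Active Support pattern and is used only to exercise the wrapper.
CAMEL_BOUNDARY = '([A-Z\d]+)([A-Z][a-z])|([a-z\d])([A-Z])'

# Assumed size bound; pick one that fits the identifiers a real caller expects.
MAX_INPUT_LENGTH = 4096

# Regexp::TimeoutError only exists from Ruby 3.2; alias a dummy on older Rubies
# so the rescue clause below still resolves.
REGEXP_TIMEOUT_ERROR =
  defined?(Regexp::TimeoutError) ? Regexp::TimeoutError : Class.new(StandardError)

# Build a regexp whose individual match attempts are bounded by `seconds`.
# Regexp.new accepts a timeout: keyword from Ruby 3.2; older Rubies get no bound.
def timed_regexp(source, seconds)
  if Regexp.respond_to?(:timeout=)
    Regexp.new(source, timeout: seconds)
  else
    Regexp.new(source)
  end
end

# Convert a CamelCase identifier to snake_case with two guards: a length cap
# checked before matching and a per-match time budget enforced by the engine.
# Returns the converted String, or a Symbol saying why the input was refused
# (:too_long or :timed_out).
def bounded_underscore(str, timeout: 0.5)
  return :too_long if str.length > MAX_INPUT_LENGTH

  re = timed_regexp(CAMEL_BOUNDARY, timeout)
  out = str.gsub(re) do
    # Exactly one alternative matched; insert the underscore at that boundary.
    $1 ? "#{$1}_#{$2}" : "#{$3}_#{$4}"
  end
  out.tr("-", "_").downcase
rescue REGEXP_TIMEOUT_ERROR
  # The per-match budget expired: refuse the input instead of burning CPU.
  :timed_out
end

if __FILE__ == $PROGRAM_NAME
  p bounded_underscore("HTMLParser") # "html_parser"
  p bounded_underscore("a" * 10_000) # :too_long
end
```

On Ruby older than 3.2 the wrapper still converts correctly but only the length cap protects the caller, which is why the GHSA text ties the workaround to Ruby 3.2.0 or greater.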