Headline
RHSA-2023:3771: Red Hat Security Advisory: Red Hat Virtualization security and bug fix update
An update is now available for Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8, Red Hat Virtualization 4 for Red Hat Enterprise Linux 8, and Red Hat Virtualization Engine 4.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-20860: A flaw was found in Spring Framework. In this issue, a security bypass is possible due to the behavior of the wildcard pattern.
- CVE-2023-20861: A flaw found was found in Spring Framework. This flaw allows a malicious user to use a specially crafted SpEL expression that causes a denial of service (DoS).
Synopsis
Important: Red Hat Virtualization security and bug fix update
Type/Severity
Security Advisory: Important
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
An update is now available for Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8, Red Hat Virtualization 4 for Red Hat Enterprise Linux 8, and Red Hat Virtualization Engine 4.4.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The VDSM service is required by a Virtualization Manager to manage the Linux hosts. VDSM manages and monitors the host’s storage, memory and networks as well as virtual machine creation, other host administration tasks, statistics gathering, and log collection.
The following packages have been upgraded to a later upstream version: ovirt-dependencies (4.5.3), ovirt-engine (4.5.3.8), vdsm (4.50.3.8). (BZ#2180717)
Security Fix(es):
- springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
- springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- Previously, a host with Secure Intel Icelake Server Family could become non-operational because it did not provide the “taa-no” CPU feature.
In this release, the check has been fixed in the Manager, and such hosts work properly. (BZ#2184623)
- Previously, when creating bonds on a host outside the Manager and adding the host without starting it, the Rx\Tx drop count is shown as null.
As a result, a Null Pointer Exception is thrown in the Administration Portal > Compute > Hosts > Network Interfaces tab.
With this release, null values are accepted, and there are no exceptions displayed in the Network Interfaces tab. (BZ#2180230)
- Previously, the Volume Extend Logic method skipped sparse volumes. As a result, RAW sparse volumes (on file storage) were not extended properly.
In this release, RAW sparse volumes are extended as expected. (BZ#2210036)
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/2974891
Affected Products
- Red Hat Virtualization Manager 4.4 x86_64
- Red Hat Virtualization 4 for RHEL 8 x86_64
- Red Hat Virtualization Host 4 for RHEL 8 x86_64
- Red Hat Virtualization for IBM Power LE 4 for RHEL 8 ppc64le
Fixes
- BZ - 2180230 - Network Interfaces is broken if tx_drop or rx_drop are empty in the DB
- BZ - 2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
- BZ - 2180530 - CVE-2023-20861 springframework: Spring Expression DoS Vulnerability
- BZ - 2184623 - [RHV] Host Non-Operation after update Cluster CPU to Secure Intel Icelake Server. Missing CPU feature: taa-no
- BZ - 2203132 - NullPointerException when creating a image transfer after a RHV-M reboot
- BZ - 2210036 - Extend of the raw sparse disk (thin provisioned without incremental backup) is ignored
Red Hat Virtualization Manager 4.4
SRPM
ovirt-dependencies-4.5.3-1.el8ev.src.rpm
SHA-256: de6ce6f4c5366c5578f9a6a590dea9451b905797bdfbff3649e3138f5d7c28c6
ovirt-engine-4.5.3.8-2.el8ev.src.rpm
SHA-256: d1d896ea51d06e2cec96664d7db8abe2204ec988cd7d97c274867d5ab96379e6
x86_64
ovirt-dependencies-4.5.3-1.el8ev.noarch.rpm
SHA-256: 2c938e937cea40e4d651e1b50903102a09b849aac07a7ba6de7484bb8cef936d
ovirt-engine-4.5.3.8-2.el8ev.noarch.rpm
SHA-256: c3ff60cff4ff13c94807cf394aad84681c9d4c2c4059077a4fb72a7eb3b524d8
ovirt-engine-backend-4.5.3.8-2.el8ev.noarch.rpm
SHA-256: f043e3d484d84557c779fe4d07d05e79d91df9f72c83db0d73ce196aa6335713
ovirt-engine-dbscripts-4.5.3.8-2.el8ev.noarch.rpm
SHA-256: 779ffcd29d1a40c6da3a79ba529d8a93a217b1b1d702b1fd2b8843fca73a696c
ovirt-engine-health-check-bundler-4.5.3.8-2.el8ev.noarch.rpm
SHA-256: fb547f8e0b923fe456dfa934a327bb04f2a2122f1ddb812279cd60598c9105e4
ovirt-engine-restapi-4.5.3.8-2.el8ev.noarch.rpm
SHA-256: f2569a83d8f7bba7325a1cf041affc5ccf84bd503c440c96e3a50f940b7106df
ovirt-engine-setup-4.5.3.8-2.el8ev.noarch.rpm
SHA-256: b76362615a5953aab0c7f919c1fbfa1172ad48e9a8a6ca5c3dd5eb86884ff881
ovirt-engine-setup-base-4.5.3.8-2.el8ev.noarch.rpm
SHA-256: bbff9638a8dbeb4ee8188ffeee6af23c8568bd3a5b0d19a2c868039b742e5e7f
ovirt-engine-setup-plugin-cinderlib-4.5.3.8-2.el8ev.noarch.rpm
SHA-256: 83e5f9547bb936b12a35986eea4f1bede9ad6ceea99ff1b6b7a9520c3499ec53
ovirt-engine-setup-plugin-imageio-4.5.3.8-2.el8ev.noarch.rpm
SHA-256: 32c3267f61dc1e0dee400a877cbb1f7b68d4a5f1c994e9a605906e945fb5b2eb
ovirt-engine-setup-plugin-ovirt-engine-4.5.3.8-2.el8ev.noarch.rpm
SHA-256: f2760bc2e09ad10ddd5d81f9951481062bd3d8394cfc5a3604592130c9759f52
ovirt-engine-setup-plugin-ovirt-engine-common-4.5.3.8-2.el8ev.noarch.rpm
SHA-256: 7e4f398273c2c52ea147ad4407d2757b5bbc55326156a922a8216f51f5b571b5
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.3.8-2.el8ev.noarch.rpm
SHA-256: 4d1391abc4680f90f2e7aaf7ec402356bc28e953728c5c9c55810e9504a413ba
ovirt-engine-setup-plugin-websocket-proxy-4.5.3.8-2.el8ev.noarch.rpm
SHA-256: 26e6243e5394e98a4708a54470165a24fa888d6a9c9c343e165b147fe6186ddc
ovirt-engine-tools-4.5.3.8-2.el8ev.noarch.rpm
SHA-256: a263f30a8bfbc4a54e50dfd8357cf69db2612c10b23333b0f72616a8f9ace5f6
ovirt-engine-tools-backup-4.5.3.8-2.el8ev.noarch.rpm
SHA-256: 1f717d9a95bd03d3c9ba67efeca0aa6cfe70989304efd49e726a936796683d25
ovirt-engine-vmconsole-proxy-helper-4.5.3.8-2.el8ev.noarch.rpm
SHA-256: 24a202db6df3153dccf13bf4aed8db745bd46185bc7d947cbd9b9fa7f6008cde
ovirt-engine-webadmin-portal-4.5.3.8-2.el8ev.noarch.rpm
SHA-256: fb23c9c936086181cff8028215f621e406c2175d767210a5062d529238145dd2
ovirt-engine-websocket-proxy-4.5.3.8-2.el8ev.noarch.rpm
SHA-256: 74a9f51efe76da9b4bf00649aad66f1791b1c7fe79d8295784dc7e35a8ede741
python3-ovirt-engine-lib-4.5.3.8-2.el8ev.noarch.rpm
SHA-256: 3764bad571a132c478dc60c26f353069fc977e679564d20cd16309a26936dbbb
rhvm-4.5.3.8-2.el8ev.noarch.rpm
SHA-256: 6e2a44a7bb582db16166e2ed4dcd12a0a8c474e04181f0512e796556a1ad0fb9
Red Hat Virtualization 4 for RHEL 8
SRPM
vdsm-4.50.3.8-1.el8ev.src.rpm
SHA-256: 61a6922e97899d1755aa013deb0751ad1dafb56a853f0ca3c0dd94f179155ae8
x86_64
vdsm-4.50.3.8-1.el8ev.x86_64.rpm
SHA-256: 46fccf4228e436828fcb5b6e1fb17eb150f8adbacc6800be6be1e30f4f475cb3
vdsm-api-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: 93dba1bfa923f674e85ce23bd0e6fb08cd554ea16f2349d6dcb03614c27c7267
vdsm-client-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: d25b75ca303da1a39b733fd77ee029f637ebf6179b62be6bd7ca80f329d855a3
vdsm-common-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: 9267becca065bddfdd0c967e3e51720926b8ca4e7936fa0fd244aa5a5e535138
vdsm-gluster-4.50.3.8-1.el8ev.x86_64.rpm
SHA-256: b9c0c76f4932404261e2945ae0c0250fdefa63e4cc52be76a826c1aeed901c46
vdsm-hook-checkips-4.50.3.8-1.el8ev.x86_64.rpm
SHA-256: 655b3b9b67de087bccf3b232d261d15a31f40219e78c5560c837a2f82f09c2c8
vdsm-hook-cpuflags-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: 016a9f4ce3048b407bc6fbe8cad8a52e779422bbad73c4e5ab64d5795f413ce2
vdsm-hook-ethtool-options-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: d122546b22fe605b72292d9882ec581ab4f921ee3644c2f24c184c98466bd320
vdsm-hook-extra-ipv4-addrs-4.50.3.8-1.el8ev.x86_64.rpm
SHA-256: 7142dcf749c4ec07c8a6093632b81d66276ea525bf712a63a46e1583b4da6f54
vdsm-hook-fcoe-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: d75004d0e2a0701a8c7d43d6c4c6523a5a5d2aed24443a8dc6c06a3d5ab38ea4
vdsm-hook-localdisk-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: 91057b64b7b749e82a3aee56adb42d734dbbbaa3f001ab3086527d66368fea06
vdsm-hook-nestedvt-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: 87546162abe7c1f213637e32a9159ba4e581d8acb90f5795b0ed9f5033a8437f
vdsm-hook-openstacknet-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: ca8fe4882e0e81aa8618710a2ccf2b6fe8689665f5e50615504873368800b146
vdsm-hook-vhostmd-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: 53fa7db0ce441b5d9209d548ac37b31a7158fe1644873460698cd3cbb528b5f1
vdsm-http-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: b85281cbaa815a6c330023c4a0b4e1d6ea3e3c5992d6a400ae7ef952ea1c2bba
vdsm-jsonrpc-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: fec58b1645c9a4884e2d13be00f45097afab8f17ffad40455eec0142562b3f8e
vdsm-network-4.50.3.8-1.el8ev.x86_64.rpm
SHA-256: 8b16527fd97b344655f22b1abed4c56697a905103bbba9d37d6f80ae38090f26
vdsm-python-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: 0794d12643c7ed746f7f51870104394e4fcfa2ddb5d0019fe881822194001102
vdsm-yajsonrpc-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: 9c86d1ed5b483190a5a5ec5d1413d5d24929f52c359f95400a444f61c0910b87
Red Hat Virtualization Host 4 for RHEL 8
SRPM
vdsm-4.50.3.8-1.el8ev.src.rpm
SHA-256: 61a6922e97899d1755aa013deb0751ad1dafb56a853f0ca3c0dd94f179155ae8
x86_64
vdsm-hook-checkips-4.50.3.8-1.el8ev.x86_64.rpm
SHA-256: 655b3b9b67de087bccf3b232d261d15a31f40219e78c5560c837a2f82f09c2c8
vdsm-hook-cpuflags-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: 016a9f4ce3048b407bc6fbe8cad8a52e779422bbad73c4e5ab64d5795f413ce2
vdsm-hook-ethtool-options-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: d122546b22fe605b72292d9882ec581ab4f921ee3644c2f24c184c98466bd320
vdsm-hook-extra-ipv4-addrs-4.50.3.8-1.el8ev.x86_64.rpm
SHA-256: 7142dcf749c4ec07c8a6093632b81d66276ea525bf712a63a46e1583b4da6f54
vdsm-hook-fcoe-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: d75004d0e2a0701a8c7d43d6c4c6523a5a5d2aed24443a8dc6c06a3d5ab38ea4
vdsm-hook-localdisk-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: 91057b64b7b749e82a3aee56adb42d734dbbbaa3f001ab3086527d66368fea06
vdsm-hook-nestedvt-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: 87546162abe7c1f213637e32a9159ba4e581d8acb90f5795b0ed9f5033a8437f
vdsm-hook-openstacknet-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: ca8fe4882e0e81aa8618710a2ccf2b6fe8689665f5e50615504873368800b146
vdsm-hook-vhostmd-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: 53fa7db0ce441b5d9209d548ac37b31a7158fe1644873460698cd3cbb528b5f1
Red Hat Virtualization for IBM Power LE 4 for RHEL 8
SRPM
vdsm-4.50.3.8-1.el8ev.src.rpm
SHA-256: 61a6922e97899d1755aa013deb0751ad1dafb56a853f0ca3c0dd94f179155ae8
ppc64le
vdsm-4.50.3.8-1.el8ev.ppc64le.rpm
SHA-256: 29024f5bd050a7a0035b5ab6e0e0b233d8ededf41ef0d346803572967117f778
vdsm-api-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: 93dba1bfa923f674e85ce23bd0e6fb08cd554ea16f2349d6dcb03614c27c7267
vdsm-client-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: d25b75ca303da1a39b733fd77ee029f637ebf6179b62be6bd7ca80f329d855a3
vdsm-common-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: 9267becca065bddfdd0c967e3e51720926b8ca4e7936fa0fd244aa5a5e535138
vdsm-hook-checkips-4.50.3.8-1.el8ev.ppc64le.rpm
SHA-256: f7527fe20194479ece48cecfebf92702839dfb7a9f274404a6f9b03d13174801
vdsm-hook-cpuflags-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: 016a9f4ce3048b407bc6fbe8cad8a52e779422bbad73c4e5ab64d5795f413ce2
vdsm-hook-ethtool-options-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: d122546b22fe605b72292d9882ec581ab4f921ee3644c2f24c184c98466bd320
vdsm-hook-extra-ipv4-addrs-4.50.3.8-1.el8ev.ppc64le.rpm
SHA-256: 56c330a4a9a6dc479cb2b5879a343148eda0af8f75af9e1d0be12701d8586aee
vdsm-hook-fcoe-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: d75004d0e2a0701a8c7d43d6c4c6523a5a5d2aed24443a8dc6c06a3d5ab38ea4
vdsm-hook-localdisk-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: 91057b64b7b749e82a3aee56adb42d734dbbbaa3f001ab3086527d66368fea06
vdsm-hook-nestedvt-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: 87546162abe7c1f213637e32a9159ba4e581d8acb90f5795b0ed9f5033a8437f
vdsm-hook-openstacknet-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: ca8fe4882e0e81aa8618710a2ccf2b6fe8689665f5e50615504873368800b146
vdsm-hook-vhostmd-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: 53fa7db0ce441b5d9209d548ac37b31a7158fe1644873460698cd3cbb528b5f1
vdsm-http-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: b85281cbaa815a6c330023c4a0b4e1d6ea3e3c5992d6a400ae7ef952ea1c2bba
vdsm-jsonrpc-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: fec58b1645c9a4884e2d13be00f45097afab8f17ffad40455eec0142562b3f8e
vdsm-network-4.50.3.8-1.el8ev.ppc64le.rpm
SHA-256: cf2ed23b2c4f99d781ca32581ed4a64a239ec3f381388418151443755d6146f2
vdsm-python-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: 0794d12643c7ed746f7f51870104394e4fcfa2ddb5d0019fe881822194001102
vdsm-yajsonrpc-4.50.3.8-1.el8ev.noarch.rpm
SHA-256: 9c86d1ed5b483190a5a5ec5d1413d5d24929f52c359f95400a444f61c0910b87
Related news
Red Hat Security Advisory 2024-0778-03 - An update for Jenkins and Jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, improper authorization, information leakage, insecure permissions, and open redirection vulnerabilities.
Vulnerability in the Sun ZFS Storage Appliance product of Oracle Systems (component: Core). The supported version that is affected is 8.8.60. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Sun ZFS Storage Appliance. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
An update is now available for Red Hat Process Automation Manager. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which provides a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-30129: A vulnerability in sshd-core of Apache Mina SSHD allows an attacker to overflow the server causing an OutOfMemory error. This issue affects the SFTP and port forwarding features of Apache Mina SSHD version 2.0.0 and later versions. It was addressed in Apache Mina SSHD 2.7.0 * CVE-2022-3171: A parsing issue with binary data in protobuf-java core and...
Red Hat Security Advisory 2023-4612-01 - Red Hat support for Spring Boot provides an application platform that reduces the complexity of developing and operating applications for OpenShift as a containerized platform. This release of Red Hat support for Spring Boot 2.7.13 serves as a replacement for Red Hat support for Spring Boot 2.7.12, and includes security, bug fixes and enhancements. For more information, see the release notes linked in the References section. Issues addressed include bypass, code execution, denial of service, and deserialization vulnerabilities.
An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-46877: A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. * CVE-2022-1471: A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malici...
Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).
IBM Watson Knowledge Catalog on Cloud Pak for Data 4.0 could allow an authenticated user send a specially crafted request that could cause a denial of service. IBM X-Force ID: 251704.
Red Hat Security Advisory 2023-3954-01 - This release of Red Hat Fuse 7.12 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. Issues addressed include bypass, code execution, denial of service, information leakage, resource exhaustion, server-side request forgery, and traversal vulnerabilities.
A minor version update (from 7.11 to 7.12) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2012-5783: It was found that Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or su...
Red Hat Security Advisory 2023-3625-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.10.62. Issues addressed include bypass, cross site request forgery, cross site scripting, and denial of service vulnerabilities.
Red Hat OpenShift Container Platform release 4.10.62 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41966: A flaw was found in the xstream package. This flaw allows an attacker to cause a denial of service by injecting recursive collections or maps, raising a stack overflow. * CVE-2023-20860: A flaw was found in Spring Framework. In this issue, a security bypass is possibl...
Red Hat Security Advisory 2023-3771-01 - The VDSM service is required by a Virtualization Manager to manage the Linux hosts. VDSM manages and monitors the host's storage, memory and networks as well as virtual machine creation, other host administration tasks, statistics gathering, and log collection. Issues addressed include bypass, denial of service, and null pointer vulnerabilities.
An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.11. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2048: A flaw was found in the Eclipse Jetty http2-server package. This flaw allows an attacker to cause a denial of service in the server via HTTP/2 requests. * CVE-2022-22976: A flaw was found in Spring Framework. The encoder does not perform any salt rounds when using the BCrypt class with the maximum wo...
Red Hat Security Advisory 2023-3622-01 - Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Issues addressed include bypass, code execution, cross site request forgery, denial of service, information leakage, insecure permissions, and resource exhaustion vulnerabilities.
Red Hat Security Advisory 2023-3622-01 - Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Issues addressed include bypass, code execution, cross site request forgery, denial of service, information leakage, insecure permissions, and resource exhaustion vulnerabilities.
Red Hat Security Advisory 2023-3610-01 - Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, memory exhaustion, and resource exhaustion vulnerabilities.
Red Hat Security Advisory 2023-3610-01 - Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, memory exhaustion, and resource exhaustion vulnerabilities.
An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-29599: A flaw was found in the maven-shared-utils package. This issue allows a Command Injection due to improper escaping, allowing a shell injection attack. * CVE-2022-30953: A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an...
An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-29599: A flaw was found in the maven-shared-utils package. This issue allows a Command Injection due to improper escaping, allowing a shell injection attack. * CVE-2022-30953: A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an...
An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-46877: A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. * CVE-2022-29599: A flaw was found in the maven-shared-utils package. This issue allows a Command...
An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-46877: A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. * CVE-2022-29599: A flaw was found in the maven-shared-utils package. This issue allows a Command...
Dell SCG 5.14 contains an information disclosure vulnerability during the SRS to SCG upgrade path. A remote low privileged malicious user could potentially exploit this vulnerability to retrieve the plain text.
Red Hat AMQ Broker 7.10.3 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3782: A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wil...
Red Hat AMQ Broker 7.10.3 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3782: A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wil...
Red Hat Security Advisory 2023-2100-01 - This release of Camel for Spring Boot 3.20.1 serves as a replacement for Camel for Spring Boot 3.18.3 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. The purpose of this text-only errata is to inform you about the security issues fixed. Issues addressed include bypass, code execution, cross site scripting, denial of service, man-in-the-middle, memory exhaustion, resource exhaustion, and traversal vulnerabilities.
Red Hat Security Advisory 2023-2100-01 - This release of Camel for Spring Boot 3.20.1 serves as a replacement for Camel for Spring Boot 3.18.3 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. The purpose of this text-only errata is to inform you about the security issues fixed. Issues addressed include bypass, code execution, cross site scripting, denial of service, man-in-the-middle, memory exhaustion, resource exhaustion, and traversal vulnerabilities.
Red Hat Integration Camel for Spring Boot 3.20.1 release and security update is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-37533: A flaw was found in Apache Commons Net's FTP, where the client trusts the host from PASV response by default. A malicious server could redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This issue could lead to leakage of information about service...
Red Hat Integration Camel for Spring Boot 3.20.1 release and security update is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-37533: A flaw was found in Apache Commons Net's FTP, where the client trusts the host from PASV response by default. A malicious server could redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This issue could lead to leakage of information about service...
Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.
Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.