Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 20 and Jan. 27. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Round up for January 20 to January 27

Red Hat Security Advisory 2023-0483-01 - This asynchronous update patches Red Hat Fuse 7.11.1 on Karaf and Red Hat Fuse 7.11.1 on Spring Boot and several includes security fixes, which are documented in the Release Notes document linked to in the References. Issues addressed include a server-side request forgery vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat Fuse 7.11.1.P1 security update  
Advisory ID:       RHSA-2023:0483-01  
Product:           Red Hat JBoss Fuse  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0483  
Issue date:        2023-01-26  
CVE Names:         CVE-2022-36437 CVE-2022-46363 CVE-2022-46364   
=====================================================================

1. Summary:

A security update for Fuse 7.11.1 is now available for Red Hat Fuse on  
Karaf and Red Hat Fuse on Spring Boot. The purpose of this text-only errata  
is to inform you about the security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact  
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

This asynchronous update (7.11.1.P1) patches Red Hat Fuse 7.11.1 on Karaf  
and Red Hat Fuse 7.11.1 on Spring Boot and several includes security fixes,  
which are documented in the Release Notes document linked to in the  
References.

Security Fix(es):

* hazelcast: Hazelcast connection caching (CVE-2022-36437)

* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)

* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including  
all applications, configuration files, databases and database settings, and  
so on.

Installation instructions are available from the Fuse 7.11 product  
documentation page:  
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/

4. Bugs fixed (https://bugzilla.redhat.com/):

2155681 - CVE-2022-46363 Apache CXF: directory listing / code exfiltration  
2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability  
2162053 - CVE-2022-36437 hazelcast: Hazelcast connection caching

5. References:

https://access.redhat.com/security/cve/CVE-2022-36437  
https://access.redhat.com/security/cve/CVE-2022-46363  
https://access.redhat.com/security/cve/CVE-2022-46364  
https://access.redhat.com/security/updates/classification/#critical  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=7.11.1

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY9NUUdzjgjWX9erEAQgflg//awE0J5TPmBlTtU9P84haZl/OhLThGGKk  
CBivdEesNfdN27oINbhqF7oDiINhrhvpDGoyKZT9ir+UyIN/wG3jZZO/MS39QQwW  
XCMgQlsf7PaAW7m66bAwujTlVMDaFkt6GYO97DDuF+oj2bYWuNIXnL4CzEgHO7qs  
opO+GA57f78vm4cDJQ31yFySKvE0cJ/ZXIGs40/lHx7aqqYRxWIC0Lx29Njglt+X  
+F9eoln7Di4wNCBq2AgBt6UUWj1t+2tyUW1AOQHV3u446MUmdlldEXxjT35MnnT7  
e9Xp/YB8pXNX0PEQY5Lh7l76xZlgQBWHvWWT65YL1gapG5ibk/Fi8j86jszGmEp7  
VaQr2ap4hpuA7j4mHZXzI4e/g8yVUtzlRM7uzmzaeKlNjVQvra4q+WMQTrwriyV7  
qwrct1feJGeOztKVDBc7/OplpgKpuUXcQam5HiNhHHuSQFhHyHvW97wuCnhcUlfG  
e9xKzxyYcDcs8JMmOAv8xgrzN+xHbku8gQYyr4mVHoFZd2L1qMOP8Ydx4Clc/fN/  
lHHCCzuVNX+Z36nKIKU1fr4B55tEV3M/9u+hKx8sbslo4f9p+pMwatKKScwefmTr  
XXj3lMl5lLq9+RueCfA2MLxSGZgL7ECHFyjSv5lv61uDyrnTLPg4ZiQWiQSkqN08  
8/GRm6NdUPs=  
=YYEP  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0483-01

Debian Linux Security Advisory 5329-1 - Several vulnerabilities were discovered in BIND, a DNS server implementation, which may result in denial of service against named.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5329-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJanuary 26, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : bind9CVE ID         : CVE-2022-3094 CVE-2022-3736 CVE-2022-3924Several vulnerabilities were discovered in BIND, a DNS serverimplementation, which may result in denial of service against named.For the stable distribution (bullseye), these problems have been fixed inversion 1:9.16.37-1~deb11u1.We recommend that you upgrade your bind9 packages.For the detailed security status of bind9 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/bind9Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmPSxg4ACgkQEMKTtsN8TjaEyw//bjGBSD6QFX5xfkXzm4fHKEBnl3/yg0z+p6ml3xGQQJaBzwljn4J2McGxxtCsgOVTyyvy/uocUsK4X1LZk8kGfbbiGN+63o2PoADX76bPhbv69CiRxd1NRnprSMLsJyBHaiB8TFPFBnPz//Q7KY9KvhzUbv/g4ocIYmlrxUZiZmmyJB8kJ3lzFJIBzThlcmnCLHjs4IDF516BJMywxYnsnSRc0G73jB1zlcmBB0loYpD3U434C+pUCMKkrpYPeBFZHGikpYs7x+lJ95WmggYtoNjz0iPwpK1hd2vvM1rxr93jARKMTlKh5OMtljIK67NQeKfyojd4Uva49SAVYuo38MCLO2H4NEPPoEh+OGUJBgCagvwgye+GPOM+c++Ii9LNqNdwEThG2WVVP4f/Hore27l4lswGICLk9662lSJsAnZtdTQUSvFbeI8k8ne/2bvYrkZbCWDv8gPhLlCa6c80zag+ZzhOAvghBfj7AbRch/7feqe+RYAJ4qPuHmEokpxGL9gboa/4y3YJeCSKv13xXbz13FJyPMpsfiLVCp6ajhE1iVL3Trkr4rUGGmQVXClsBrDibeIu5YQvqnBtTZckrt8WoKo7GedrZxu/vrAqtwQVsL+7UrNUQbZLcTTLwZRc/RRegsHBqptYu/+joV+8ndQ9G2wX/35ss8hd+uQ2wvE==/JXy-----END PGP SIGNATURE-----

Debian Security Advisory 5329-1

Red Hat Security Advisory 2023-0481-01 - Submariner enables direct networking between pods and services on different Kubernetes clusters that are either on-premises or in the cloud. This advisory contains bug fixes and enhancements to the Submariner container images.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: Submariner 0.12.3 - security update and bug fix  
Advisory ID:       RHSA-2023:0481-01  
Product:           Red Hat ACM  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0481  
Issue date:        2023-01-26  
CVE Names:         CVE-2022-32149   
=====================================================================

1. Summary:

Submariner 0.12.3 packages that fix various bugs and add various  
enhancements that are now available for Red Hat Advanced Cluster Management  
for Kubernetes version 2.5.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Submariner enables direct networking between pods and services on different  
Kubernetes clusters that are either on-premises or in the cloud.

For more information about Submariner, see the Submariner open source  
community website at: https://submariner.io/.

This advisory contains bug fixes and enhancements to the Submariner  
container images.

Major bug addressed: 

ACM-2318: Submariner gateway node: Error updating load balancer with new  
hosts map

Security fix:

* CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage  
takes a long time to parse complex tags

3. Solution:

For details on how to install Submariner, refer to:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.5/html/add-ons/add-ons-overview#submariner-deploy-console

and

https://submariner.io/getting-started/

4. Bugs fixed (https://bugzilla.redhat.com/):

2134010 - CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags

5. JIRA issues fixed (https://issues.jboss.org/):

ACM-2318 - Submariner gateway node: Error updating load balancer with new hosts map

6. References:

https://access.redhat.com/security/cve/CVE-2022-32149  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY9L/+tzjgjWX9erEAQiAkBAAgFGVRsLKFwitm8caXqJWJO+vkYy7NHUW  
YUsJ8hSkTIo4JOD29ARdXZXabZnvNWogGZYfOXI+kTKyE1Ojz+PmXfSl5j4/iETo  
OZzxX03BpoetYwWf6Q2V/kT+jTR2+X63G0SNLIWiLrTuqdF0aJ6ZSs5ptPGW8ovq  
fsBtHua2002yBSqQ1SgSQGB/Lj980+A4lC580NbcmbeFYicaUTibr76NTYQXXmWf  
PSCs08wYZ8XaIOdQM5myr/6KOoYAzx3GGMnrRg8t6jJVp0ss4Yf6rMbKUFGrZbT6  
ZKaU6kgOU1hCN8yuHn9OTtt/nibVzowzb0O545a9dZ8/cma5r9gr31pzrB5tty5O  
1ah0pYPfb4YPHnXwSJiGjcmlpfdyhG+xG+9znbLme/Cf+aNE8bkxvZRGMPXQYQps  
94N37bzFtf/Po3LrgM9RtpAHUIylQ5sLBgvhK5aOkdZR/D7Gufp/CbsEzDvNU82a  
kctOka+4GY65ZuT0zNi6XV87RYCGBV18eH81j+8KNHkseNRvHuegRV61BiOAqpom  
DWyp8UyQFksZwFR/u+MpjSgFWSBtABj4KoBBASm5+QKvXS18/9FnWjqLOEts9BXQ  
0S8IR18iEZblEfkDcQPtXNqkq8fSlx9SIJVT8BcYRVVajFZw+7vWlU1Q5WwpmeBZ  
U5Wpzu1l6Ks=  
=VmQk  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0481-01

Apple Security Advisory 2023-01-24-1 - tvOS 16.3 addresses bypass, code execution, and information leakage vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-01-24-1 tvOS 16.3

tvOS 16.3 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213601.

AppleMobileFileIntegrity  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to access user-sensitive data  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2023-23499: Wojciech Reguła (@_r3ggi) of SecuRing  
(wojciechregula.blog)

ImageIO  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Processing an image may lead to a denial-of-service  
Description: A memory corruption issue was addressed with improved  
state management.  
CVE-2023-23519: Yiğit Can YILMAZ (@yilmazcanyigit)

Kernel  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to leak sensitive kernel state  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23500: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.  
Ltd. (@starlabs_sg)

Kernel  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to determine kernel memory layout  
Description: An information disclosure issue was addressed by  
removing the vulnerable code.  
CVE-2023-23502: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.  
Ltd. (@starlabs_sg)

Kernel  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23504: Adam Doupé of ASU SEFCOM

Maps  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to bypass Privacy preferences  
Description: A logic issue was addressed with improved state  
management.  
CVE-2023-23503: an anonymous researcher

Safari  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Visiting a website may lead to an app denial-of-service  
Description: The issue was addressed with improved handling of  
caches.  
CVE-2023-23512: Adriatik Raci

Weather  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to bypass Privacy preferences  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23511: Wojciech Regula of SecuRing (wojciechregula.blog), an  
anonymous researcher

WebKit  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 245464  
CVE-2023-23496: ChengGang Wu, Yan Kang, YuHao Hu, Yue Sun, Jiming  
Wang, JiKai Ren and Hang Shu of Institute of Computing Technology,  
Chinese Academy of Sciences

WebKit  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 248268  
CVE-2023-23518: YeongHyeon Choi (@hyeon101010), Hyeon Park  
(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),  
JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE  
WebKit Bugzilla: 248268  
CVE-2023-23517: YeongHyeon Choi (@hyeon101010), Hyeon Park  
(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),  
JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE

Additional recognition

Kernel  
We would like to acknowledge Nick Stenning of Replicate for their  
assistance.

WebKit  
We would like to acknowledge Eliya Stein of Confiant for their  
assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPQS+MACgkQ4RjMIDke  
Nxl2xhAAu5swycPjzTAolynfVnOR8FvGiVeCUFfn2JpEFVXRiIMcZgQga7bb7cEk  
0Abcm9FfLAq4z7SBTXh9csi1erT0bbT2/DK8PhEDsZz9MInzxXUTN9+ZrWlN/PLJ  
ZIQZh1gwUGkf31DAaBQ15QYo6XukzwV++t1AkeY5CQsTEXf/rJhYH7E3kNWsqj+5  
B6vAw0Xw7hLsZwfAv7W2khhLtiBa5sxtuJKRPJ/4xjBKfWZaeVjjgsTC0LLUN/3l  
qxFI8H4QxQPxXtAt2O2wPGnR3WhfmDlGqgnYkj4IM8FlRnGedpD5O/kPoZNzRtKt  
z7pRORoHD+o3KOY3UkRZ19sJEWEkeWJxHO6htRf/IsgbX1/eQJnIqSuOeLRJ3EDY  
xCTUfiTU0NU3Iy/iDgpwllq4oU8rYeFJiPU4RNzndX+Z3+V/Tu9mc3rBax3A8gGi  
bN5dKB0bGNCV2MnOlpuy5E7u56cfMlH04Gtj0j8L05t9yxYKiCuBVNBL0KjJB/cF  
wjAl0ZoK8auWTDFKPJHGRGWtqR0svrV4qw5lPpQc+w26+xh8LHL8HzHr+pxHEZ75  
4CUxi9L7w4hWieZgHNyWUj4xIlqhrefk+M6QqwxwwKSB/z2eiaOBHSCaKDOvg9JU  
6w6VML1ezs/zpC5H0//PXTqK2o8XkaBNKQ0Ljx6zejIVwFbwHVQ=  
=WvwW  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-01-24-1

Red Hat Security Advisory 2023-0208-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Issues addressed include a deserialization vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: java-1.8.0-openjdk security and bug fix update  
Advisory ID:       RHSA-2023:0208-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0208  
Issue date:        2023-01-26  
CVE Names:         CVE-2023-21830 CVE-2023-21843   
=====================================================================

1. Summary:

An update for java-1.8.0-openjdk is now available for Red Hat Enterprise  
Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, x86_64  
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime  
Environment and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

* OpenJDK: improper restrictions in CORBA deserialization (Serialization,  
8285021) (CVE-2023-21830)

* OpenJDK: soundbank URL remote loading (Sound, 8293742) (CVE-2023-21843)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Leak File Descriptors Because of  
ResolverLocalFilesystem#engineResolveURI() (BZ#2139705)

* Prepare for the next quarterly OpenJDK upstream release (2023-01, 8u362)  
[rhel-8] (BZ#2159910)

* solr broken due to access denied ("java.io.FilePermission"  
"/etc/pki/java/cacerts" "read") [rhel-8, openjdk-8] (BZ#2163595)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2139705 - Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI() [rhel-8.7.0.z]  
2159910 - Prepare for the next quarterly OpenJDK upstream release (2023-01, 8u362) [rhel-8] [rhel-8.7.0.z]  
2160475 - CVE-2023-21843 OpenJDK: soundbank URL remote loading (Sound, 8293742)  
2160490 - CVE-2023-21830 OpenJDK: improper restrictions in CORBA deserialization (Serialization, 8285021)  
2163595 - solr broken due to access denied ("java.io.FilePermission" "/etc/pki/java/cacerts" "read") [rhel-8, openjdk-8] [rhel-8.7.0.z]

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
java-1.8.0-openjdk-1.8.0.362.b09-2.el8_7.src.rpm

aarch64:  
java-1.8.0-openjdk-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-demo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-devel-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-headless-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-src-1.8.0.362.b09-2.el8_7.aarch64.rpm

noarch:  
java-1.8.0-openjdk-javadoc-1.8.0.362.b09-2.el8_7.noarch.rpm  
java-1.8.0-openjdk-javadoc-zip-1.8.0.362.b09-2.el8_7.noarch.rpm

ppc64le:  
java-1.8.0-openjdk-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-demo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-devel-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-headless-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-src-1.8.0.362.b09-2.el8_7.ppc64le.rpm

s390x:  
java-1.8.0-openjdk-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-demo-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-devel-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-headless-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-src-1.8.0.362.b09-2.el8_7.s390x.rpm

x86_64:  
java-1.8.0-openjdk-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-demo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-devel-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-headless-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-src-1.8.0.362.b09-2.el8_7.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:  
java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-demo-fastdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-demo-slowdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-devel-fastdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-devel-slowdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-fastdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-headless-fastdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-headless-slowdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-slowdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-src-fastdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-src-slowdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm

ppc64le:  
java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-demo-fastdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-demo-slowdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-devel-fastdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-devel-slowdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-fastdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-headless-fastdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-headless-slowdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-slowdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-src-fastdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-src-slowdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm

x86_64:  
java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-demo-fastdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-demo-slowdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-devel-fastdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-devel-slowdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-fastdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-headless-fastdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-headless-slowdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-slowdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-src-fastdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-src-slowdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-21830  
https://access.redhat.com/security/cve/CVE-2023-21843  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY9L/99zjgjWX9erEAQh6/w//RI9EX2stArR4n/6NtrZFHBZEZrqbjRva  
6TJ1TC1lihoGmXbnDPeFJyh6MQx06+bqJsjVM8pYOkJKqNUmEulvWXPoN7ZSKoF4  
EKcuYOTGrKXBK0DQxK20cHnDCQU+ky2DHeIEQkdwR8P54UV47VIidc2dFbVtKgUS  
1vBpE8UZIfHIiLvfdAQ4GJN9i3SRYMT59yqcO8NRXx4y9HRHcWygCwJDBhT1f/iR  
Bhw3wMbdnb7xIxNVFHP4FTg+z6/50sZn2HP7ps+fzDQzCCB8XLKtPIc/ACkoegDg  
9kA5FS76AG68ILfPD15DEi/9qPQEvg3B0XjT9yl2EQimgraJg3CAfYDwdF3duZQd  
GORSP7R/tyCIKXkBccMcyKJ0ekNCuvgjMwmKrRdA41JcVnHqWQRQ75b8D6Lx/J1e  
0ILZlmTQkWWlyGISpV70jbkn+8RwBPDAGwoZa3Hf9CvKsv+XyprN2hztCEy7ZPRn  
Cb0Ccsuok2dmbJ07EQKo9CXNfZ/3ghAOk3fz+FR+lrFAnpzm/35TlVAGmXv4wKNS  
/PrNCaxOTr+SxR6SjLWS51UWMG+p310VBeACL8cjO67yEMboezamKezSrvjtBMPZ  
dhU56pCX1hknTxOQ6GZpUUHAX2Exk1tcuoygeeTufs2Vy5fyDU9bd05VUj+htQH4  
hKYGWAz0KmQ=  
=EqEP  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0208-01

Red Hat Security Advisory 2023-0210-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Issues addressed include a deserialization vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: java-1.8.0-openjdk security and bug fix update  
Advisory ID:       RHSA-2023:0210-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0210  
Issue date:        2023-01-26  
CVE Names:         CVE-2023-21830 CVE-2023-21843   
=====================================================================

1. Summary:

An update for java-1.8.0-openjdk is now available for Red Hat Enterprise  
Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, x86_64  
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime  
Environment and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

* OpenJDK: improper restrictions in CORBA deserialization (Serialization,  
8285021) (CVE-2023-21830)

* OpenJDK: soundbank URL remote loading (Sound, 8293742) (CVE-2023-21843)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Prepare for the next quarterly OpenJDK upstream release (2023-01, 8u362)  
[rhel-9] (BZ#2159912)

* solr broken due to access denied ("java.io.FilePermission"  
"/etc/pki/java/cacerts" "read") [rhel-9, openjdk-8] (BZ#2163594)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2159912 - Prepare for the next quarterly OpenJDK upstream release (2023-01, 8u362) [rhel-9] [rhel-9.1.0.z]  
2160475 - CVE-2023-21843 OpenJDK: soundbank URL remote loading (Sound, 8293742)  
2160490 - CVE-2023-21830 OpenJDK: improper restrictions in CORBA deserialization (Serialization, 8285021)  
2163594 - solr broken due to access denied ("java.io.FilePermission" "/etc/pki/java/cacerts" "read") [rhel-9, openjdk-8] [rhel-9.1.0.z]

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
java-1.8.0-openjdk-1.8.0.362.b09-2.el9_1.src.rpm

aarch64:  
java-1.8.0-openjdk-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-demo-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-devel-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-headless-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-src-1.8.0.362.b09-2.el9_1.aarch64.rpm

noarch:  
java-1.8.0-openjdk-javadoc-1.8.0.362.b09-2.el9_1.noarch.rpm  
java-1.8.0-openjdk-javadoc-zip-1.8.0.362.b09-2.el9_1.noarch.rpm

ppc64le:  
java-1.8.0-openjdk-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-demo-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-devel-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-headless-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-src-1.8.0.362.b09-2.el9_1.ppc64le.rpm

s390x:  
java-1.8.0-openjdk-1.8.0.362.b09-2.el9_1.s390x.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b09-2.el9_1.s390x.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-2.el9_1.s390x.rpm  
java-1.8.0-openjdk-demo-1.8.0.362.b09-2.el9_1.s390x.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.362.b09-2.el9_1.s390x.rpm  
java-1.8.0-openjdk-devel-1.8.0.362.b09-2.el9_1.s390x.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.362.b09-2.el9_1.s390x.rpm  
java-1.8.0-openjdk-headless-1.8.0.362.b09-2.el9_1.s390x.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.362.b09-2.el9_1.s390x.rpm  
java-1.8.0-openjdk-src-1.8.0.362.b09-2.el9_1.s390x.rpm

x86_64:  
java-1.8.0-openjdk-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-demo-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-devel-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-headless-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-src-1.8.0.362.b09-2.el9_1.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-demo-fastdebug-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-demo-slowdebug-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-devel-fastdebug-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-devel-slowdebug-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-fastdebug-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-headless-fastdebug-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-headless-slowdebug-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-slowdebug-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-src-fastdebug-1.8.0.362.b09-2.el9_1.aarch64.rpm  
java-1.8.0-openjdk-src-slowdebug-1.8.0.362.b09-2.el9_1.aarch64.rpm

ppc64le:  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-demo-fastdebug-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-demo-slowdebug-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-devel-fastdebug-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-devel-slowdebug-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-fastdebug-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-headless-fastdebug-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-headless-slowdebug-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-slowdebug-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-src-fastdebug-1.8.0.362.b09-2.el9_1.ppc64le.rpm  
java-1.8.0-openjdk-src-slowdebug-1.8.0.362.b09-2.el9_1.ppc64le.rpm

x86_64:  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-demo-fastdebug-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-demo-slowdebug-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-devel-fastdebug-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-devel-slowdebug-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-fastdebug-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-headless-fastdebug-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-headless-slowdebug-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-slowdebug-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-src-fastdebug-1.8.0.362.b09-2.el9_1.x86_64.rpm  
java-1.8.0-openjdk-src-slowdebug-1.8.0.362.b09-2.el9_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-21830  
https://access.redhat.com/security/cve/CVE-2023-21843  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY9L/9NzjgjWX9erEAQhTQw/9H7aeXZ+k8JgaO+GXrNKKI8YHJRBACYuj  
Ou/dGX013q3gH5fezhFAdtmTqs1hJHSt1p3WwmKtqaQjyFF4MUDdCcRdrSk+0v5p  
PFKuuZKCjXJqeT4A3u69+GajEWq6zbNiqm+yHQQuA+ZFPlJ5bwRYOFPn+LkNNoWf  
3uBAPXa2F2ESHQ56o1mRjOhg4YLxCFHfBV4GJsxBy83C0GZXljEBH1x4qhxo1o1O  
tPziQPLsBbPECukZnp7Hy0tAZgW460Cj7rmReMq2ui5jnYniw0q2hkeFYB11iq6e  
5AcJ38QeL8iyN1z0J1IerfVBe+NmgFvNhdt7kdxokoF4CinahqlsbdU81PkItrqi  
aoGUDvzra7UXCDeZC5Qxt1OpBu1dWXTEHPqFlfmww6MijfhrLS7EqBupxXhYiJMz  
l8f3bFEnEFgfXyBPoOn5ZuTI7Fc1cCf2HjKHJUJtmpEEgv0PQ509ZL9m4nQmgWnZ  
8OJD6PI0kgAohWMxxfK06dmWOMAlxftO9VItMaDVizbm1TCv4VlILHXA6zmwa10v  
S2nDmRKoYjgkXPsYaN2MrIcCBIxhXBs7cVBLxKvVpw4UifBA7iFLUiGch4wXn3op  
iWX/5L+z+6Ohrq+ejRBuS/Q+3YecUUVsgCi6q42aUmTaCchzWa2zwft5VoxartdR  
4FZtwClNWbY=  
=FGEM  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0210-01

Red Hat Security Advisory 2023-0470-01 - An update is now available for Migration Toolkit for Runtimes (v1.0.1).

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Migration Toolkit for Runtimes security update  
Advisory ID:       RHSA-2023:0470-01  
Product:           Migration Toolkit for Runtimes  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0470  
Issue date:        2023-01-26  
CVE Names:         CVE-2016-3709 CVE-2020-35525 CVE-2020-35527   
                   CVE-2021-46848 CVE-2022-0561 CVE-2022-0562   
                   CVE-2022-0865 CVE-2022-0891 CVE-2022-0908   
                   CVE-2022-0909 CVE-2022-0924 CVE-2022-1304   
                   CVE-2022-1355 CVE-2022-1471 CVE-2022-2509   
                   CVE-2022-22624 CVE-2022-22628 CVE-2022-22629   
                   CVE-2022-22662 CVE-2022-22844 CVE-2022-25308   
                   CVE-2022-25309 CVE-2022-25310 CVE-2022-26700   
                   CVE-2022-26709 CVE-2022-26710 CVE-2022-26716   
                   CVE-2022-26717 CVE-2022-26719 CVE-2022-27404   
                   CVE-2022-27405 CVE-2022-27406 CVE-2022-30293   
                   CVE-2022-35737 CVE-2022-37434 CVE-2022-42898   
                   CVE-2022-42920   
=====================================================================

1. Summary:

An update is now available for Migration Toolkit for Runtimes (v1.0.1).

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Security Fix(es):

* mtr-web-container: Apache-Commons-BCEL: arbitrary bytecode produced via  
out-of-bounds writing (CVE-2022-42920)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2142707 - CVE-2022-42920 Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing

5. References:

https://access.redhat.com/security/cve/CVE-2016-3709  
https://access.redhat.com/security/cve/CVE-2020-35525  
https://access.redhat.com/security/cve/CVE-2020-35527  
https://access.redhat.com/security/cve/CVE-2021-46848  
https://access.redhat.com/security/cve/CVE-2022-0561  
https://access.redhat.com/security/cve/CVE-2022-0562  
https://access.redhat.com/security/cve/CVE-2022-0865  
https://access.redhat.com/security/cve/CVE-2022-0891  
https://access.redhat.com/security/cve/CVE-2022-0908  
https://access.redhat.com/security/cve/CVE-2022-0909  
https://access.redhat.com/security/cve/CVE-2022-0924  
https://access.redhat.com/security/cve/CVE-2022-1304  
https://access.redhat.com/security/cve/CVE-2022-1355  
https://access.redhat.com/security/cve/CVE-2022-1471  
https://access.redhat.com/security/cve/CVE-2022-2509  
https://access.redhat.com/security/cve/CVE-2022-22624  
https://access.redhat.com/security/cve/CVE-2022-22628  
https://access.redhat.com/security/cve/CVE-2022-22629  
https://access.redhat.com/security/cve/CVE-2022-22662  
https://access.redhat.com/security/cve/CVE-2022-22844  
https://access.redhat.com/security/cve/CVE-2022-25308  
https://access.redhat.com/security/cve/CVE-2022-25309  
https://access.redhat.com/security/cve/CVE-2022-25310  
https://access.redhat.com/security/cve/CVE-2022-26700  
https://access.redhat.com/security/cve/CVE-2022-26709  
https://access.redhat.com/security/cve/CVE-2022-26710  
https://access.redhat.com/security/cve/CVE-2022-26716  
https://access.redhat.com/security/cve/CVE-2022-26717  
https://access.redhat.com/security/cve/CVE-2022-26719  
https://access.redhat.com/security/cve/CVE-2022-27404  
https://access.redhat.com/security/cve/CVE-2022-27405  
https://access.redhat.com/security/cve/CVE-2022-27406  
https://access.redhat.com/security/cve/CVE-2022-30293  
https://access.redhat.com/security/cve/CVE-2022-35737  
https://access.redhat.com/security/cve/CVE-2022-37434  
https://access.redhat.com/security/cve/CVE-2022-42898  
https://access.redhat.com/security/cve/CVE-2022-42920  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY9Krl9zjgjWX9erEAQiQHw//SmAuCEyNB48pniqYtBPEMYXC0GPv8GjR  
nCJh3aREXvSIeWV58A1mJAkrPDYCEUh87Lm1Tdsn2m7qUWWYTLlZL7PHGHIu3EiB  
kqQv4PyExh9ww5Z7vDVbj2s70hF6Swx1u5Q9v/tdEKVkjw7MbfiWddhFhJz26goN  
CwgOwO0AMnyXC35R6MRUPIv4FXm9l/delQ46BRY60d3MWHrnAU8o3oolzyfLQz/w  
iZcQiweM/DB3kY80GJesr/hlfPAtUsH7lc1tjSk6BQfncYDfZLtJfwfFJF2cnGi1  
2o7wv7VM/HKku+LBlUQivF9NIDm5NctgjMUfsYjZcqGYcQBZgPOZVBwMh+dWDvHb  
Dy3BU+AvuNHF2fRqsEr1t87zEOjoiO9729Q8vMeCTKdgQLJ0cg8P/6TaQoylW1A8  
N6mduFALHe9HA+Xg0narJQVmVyh9yVpinc+HRAVtCzBmU81jKrmwKMv3T2s+CeXO  
TJz8Pt0A2E9z1oB+cxBNbJTHFwqAr+BU/GFuFWuf85/DIUk7IwDkvh+7e7eMHLKw  
qe4sIwt5O3l6g5/GFjfk6mmfwpb2kpbWGmdhzXSvlSHneZTCh+1vXEFANFLQn7IY  
zD2uFBFCnAtwVXZNrIoMs1u9/i1CWM02/NmEKp+Sbay3PVbam8YJmsFw8EGXAKuI  
PDYlpa0DcLU=  
=wl80  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0470-01

Red Hat Security Advisory 2023-0469-01 - Red Hat Integration Camel Extensions for Quarkus 2.13.2 is now available. Issues addressed include denial of service and memory exhaustion vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Integration Camel Extensions For Quarkus 2.13.2  
Advisory ID:       RHSA-2023:0469-01  
Product:           Red Hat Integration  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0469  
Issue date:        2023-01-26  
CVE Names:         CVE-2022-40149 CVE-2022-40150 CVE-2022-40151   
                   CVE-2022-40152 CVE-2022-40153 CVE-2022-40154   
                   CVE-2022-40155 CVE-2022-40156 CVE-2022-42003   
                   CVE-2022-42004 CVE-2022-42889   
=====================================================================

1. Summary:

Red Hat Integration Camel Extensions for Quarkus 2.13.2 is now available.  
The purpose of this text-only errata is to inform you about the security  
issues fixed.

Red Hat Product Security has rated this update as having an impact of  
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat Integration - Camel Extensions for Quarkus 2.13.2 serves as a  
replacement for 2.7 and includes the following security fixes.

Security Fix(es):

* jettison: memory exhaustion via user-supplied XML or JSON data  
(CVE-2022-40150)

* jettison: parser crash by stackoverflow (CVE-2022-40149)

* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

* jackson-databind: deep wrapper array nesting wrt  
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

* commons-text: apache-commons-text: variable interpolation RCE  
(CVE-2022-42889)

* xstream: Xstream to serialise XML data was vulnerable to Denial of  
Service attacks (CVE-2022-40151)

* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of  
Service attacks (CVE-2022-40152)

* xstream: Xstream to serialise XML data was vulnerable to Denial of  
Service attacks (CVE-2022-40153)

* xstream: Xstream to serialise XML data was vulnerable to Denial of  
Service attacks (CVE-2022-40155)

* xstream: Xstream to serialise XML data was vulnerable to Denial of  
Service attacks (CVE-2022-40156)

* xstream: Xstream to serialise XML data was vulnerable to Denial of  
Service attacks (CVE-2022-40154)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2128959 - CVE-2022-40154 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks  
2134288 - CVE-2022-40156 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks  
2134289 - CVE-2022-40155 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks  
2134290 - CVE-2022-40153 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks  
2134291 - CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks  
2134292 - CVE-2022-40151 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks  
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS  
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays  
2135435 - CVE-2022-42889 apache-commons-text: variable interpolation RCE  
2135770 - CVE-2022-40150 jettison: memory exhaustion via user-supplied XML or JSON data  
2135771 - CVE-2022-40149 jettison: parser crash by stackoverflow

5. References:

https://access.redhat.com/security/cve/CVE-2022-40149  
https://access.redhat.com/security/cve/CVE-2022-40150  
https://access.redhat.com/security/cve/CVE-2022-40151  
https://access.redhat.com/security/cve/CVE-2022-40152  
https://access.redhat.com/security/cve/CVE-2022-40153  
https://access.redhat.com/security/cve/CVE-2022-40154  
https://access.redhat.com/security/cve/CVE-2022-40155  
https://access.redhat.com/security/cve/CVE-2022-40156  
https://access.redhat.com/security/cve/CVE-2022-42003  
https://access.redhat.com/security/cve/CVE-2022-42004  
https://access.redhat.com/security/cve/CVE-2022-42889  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q1  
https://access.redhat.com/documentation/en-us/red_hat_integration/2023.q1

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY9KrldzjgjWX9erEAQiSfg/8CzU3VwZ40lPgz1S/mDjItoqotqkakk1D  
OBMtX5UNOAYAS/ml8XJr4apF7RwV+O/pjIBs8ajUA1ANfDOJCF/EH3ewSmcNop7y  
xZ6lI5VkCzwlALu0shCxN05UN7i9+/mzlLuEMFxlk3QaYYenxmvKYCHvoF5uKQAm  
atG2A0xGTLo3/h+V2AfP81oVEI/1I1K4XNuFUxK6aMwUyIteLwtcUgHbrbIEkv8m  
WcXaoc8q2BEc3pgLP4EqThIKe87ltlCrMnbM5cJri45kAPX0YOJ7PGd21erOrjD+  
mvI+snP1sZM/0TRRHej/UFiCLRegCKU85ng7lA6iMKBuYPqodSMxxLMjzUEjP5KX  
4SlMNG8m1vIxXkDG+d1bn0cS5bXgp1JFSzn0j/FTcB1YKp4aiKpVL8SIAsYu9b0w  
suSXP7s+HgVvt4HtvUCw+xIJE06nYusNZS1oUuepK7uTdfUWdf6ZULLlMlxAprr3  
UzGH+UkfYZs9MsRDrzV7Q1CSz5axKYDxny4XljK6il3PjgCyADytBLkHfqIZCxHM  
j2G2GbpV98JavSG2DssmOeUFeblsT2LrDMXk01+WpQCtZ+QqVA12g57SooMYByOP  
EcpNNHuA9nHCuq30yQbUuA35RwX42a4pAXMGGtVBBLxJ2rqtWjHUjHfhSrdPXrzx  
yh55hcgmPBM=  
=AiQH  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0469-01

Red Hat Security Advisory 2023-0471-01 - An update is now available for Migration Toolkit for Runtimes (v1.0.1). Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Migration Toolkit for Runtimes security update  
Advisory ID:       RHSA-2023:0471-01  
Product:           Migration Toolkit for Runtimes  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0471  
Issue date:        2023-01-26  
CVE Names:         CVE-2022-3517 CVE-2022-25914 CVE-2022-37603   
                   CVE-2022-42003 CVE-2022-42004 CVE-2022-42920   
=====================================================================

1. Summary:

An update is now available for Migration Toolkit for Runtimes (v1.0.1).

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Security Fix(es):

* jib-core: RCE via the isDockerInstalled (CVE-2022-25914)  
* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds  
writing (CVE-2022-42920)  
* nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)  
* loader-utils: Regular expression denial of service (CVE-2022-37603)  
* jackson-databind: deep wrapper array nesting wrt  
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)  
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2134344 - CVE-2022-25914 jib-core: RCE via the isDockerInstalled  
2134609 - CVE-2022-3517 nodejs-minimatch: ReDoS via the braceExpand function  
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS  
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays  
2140597 - CVE-2022-37603 loader-utils:Regular expression denial of service  
2142707 - CVE-2022-42920 Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing

5. References:

https://access.redhat.com/security/cve/CVE-2022-3517  
https://access.redhat.com/security/cve/CVE-2022-25914  
https://access.redhat.com/security/cve/CVE-2022-37603  
https://access.redhat.com/security/cve/CVE-2022-42003  
https://access.redhat.com/security/cve/CVE-2022-42004  
https://access.redhat.com/security/cve/CVE-2022-42920  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=migration.toolkit.runtimes&downloadType=distributions

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY9KrktzjgjWX9erEAQhAgQ//XBC9o9VYI+ndpTTSa0Xe8i7wf+gwsK5f  
cJV5aaxzrf+OXlNDX6TdRHXmUsiIsT8MkliiegKStsKr5ZeJeJ40l4AFytlMAL3D  
2WtkFIznUcnQfjy//HkEkR1TcMoun2jIoUOym4ILymQNdzEFkE9ALx8xtISWxvqY  
X+Ro97Iw9ecwfLu7OrdlKuLJhEOBK/tCqPY5DGEkc8egxELfWmCIDY+/VFrPui/C  
HtI4+rOcRGTW6eS7zjNBcovsEAzh0+uw6pdRLklGpEbRxYWy7rrfL5a6k1xuVb7q  
UGiUocfVzjM8fGOmifnG8cQrTO16w+EbNa5gtk4j7XJdYFI1B3mdfuYkz7EOd6tY  
FkflesNFmEsR2BjGOYchkxNNTSXjLjDzfzaoqUeCFU8gWNaRkwtUL8dKOgLwVrok  
cAH7AqYJ9pBCVDYFpB2vz9EW6cUDvYkkki8WckEDjG7Y0b66fmzous8qz9xIsCoN  
0PJRM1vSnrTNYq1p/DWq0bHY4cQJ+yIIcDVzOdAblsGStk9TLaNcklpnyc5TNmYL  
hp8+3keJ7LXRHInNn9ev+4askstdUNCvUymfZY/GxAAXUlr0inPOGEnNZB35d1n4  
iok2xXLiCJQpfiUYaT3Ch2NiJ/0xz5miDchjWpWRKmeqXJyvUtaiF5cDlci8NvzJ  
AwLDrG6Ja/g=  
=Quha  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#js