Red Hat Security Advisory 2023-7639-03 - An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7639.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat JBoss Enterprise Application Platform 7.4.14 on RHEL 9 security update  
Advisory ID:        RHSA-2023:7639-03  
Product:            Red Hat JBoss Enterprise Application Platform  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7639  
Issue date:         2023-12-05  
Revision:           03  
CVE Names:          CVE-2023-2976  
====================================================================

Summary: 

An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.

This release of Red Hat JBoss Enterprise Application Platform 7.4.14 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.13, and includes bug fixes and enhancements.

See the Red Hat JBoss Enterprise Application Platform 7.4.14 Release Notes for information about the most significant bug fixes and enhancements included in this release.

Security Fix(es):

* undertow: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* avro: apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK (CVE-2023-39410)

* guava: insecure temporary directory creation (CVE-2023-2976)

* eap-galleon: custom provisioning creates unsecured http-invoker (CVE-2023-4503)

* jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() (CVE-2023-26048)

* jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)

* sshd-common: apache-mina-sshd: information exposure in SFTP server implementations (CVE-2023-35887)

A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

CVEs:

CVE-2023-2976

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/  
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/  
https://bugzilla.redhat.com/show_bug.cgi?id=2184751  
https://bugzilla.redhat.com/show_bug.cgi?id=2215229  
https://bugzilla.redhat.com/show_bug.cgi?id=2236340  
https://bugzilla.redhat.com/show_bug.cgi?id=2236341  
https://bugzilla.redhat.com/show_bug.cgi?id=2240036  
https://bugzilla.redhat.com/show_bug.cgi?id=2242521  
https://bugzilla.redhat.com/show_bug.cgi?id=2242803  
https://issues.redhat.com/browse/JBEAP-25004  
https://issues.redhat.com/browse/JBEAP-25085  
https://issues.redhat.com/browse/JBEAP-25086  
https://issues.redhat.com/browse/JBEAP-25378  
https://issues.redhat.com/browse/JBEAP-25380  
https://issues.redhat.com/browse/JBEAP-25419  
https://issues.redhat.com/browse/JBEAP-25451  
https://issues.redhat.com/browse/JBEAP-25457  
https://issues.redhat.com/browse/JBEAP-25541  
https://issues.redhat.com/browse/JBEAP-25547  
https://issues.redhat.com/browse/JBEAP-25576  
https://issues.redhat.com/browse/JBEAP-25594  
https://issues.redhat.com/browse/JBEAP-25627  
https://issues.redhat.com/browse/JBEAP-25657  
https://issues.redhat.com/browse/JBEAP-25685  
https://issues.redhat.com/browse/JBEAP-25700  
https://issues.redhat.com/browse/JBEAP-25716  
https://issues.redhat.com/browse/JBEAP-25726  
https://issues.redhat.com/browse/JBEAP-25772  
https://issues.redhat.com/browse/JBEAP-25779  
https://issues.redhat.com/browse/JBEAP-25803  
https://issues.redhat.com/browse/JBEAP-25838  
https://issues.redhat.com/browse/JBEAP-26041

Red Hat Security Advisory 2023-7639-03

Red Hat Security Advisory 2023-7638-03 - An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7638.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat JBoss Enterprise Application Platform 7.4.14 on RHEL 8 security update  
Advisory ID:        RHSA-2023:7638-03  
Product:            Red Hat JBoss Enterprise Application Platform  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7638  
Issue date:         2023-12-05  
Revision:           03  
CVE Names:          CVE-2023-2976  
====================================================================

Summary: 

An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.

This release of Red Hat JBoss Enterprise Application Platform 7.4.14 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.13, and includes bug fixes and enhancements.

See the Red Hat JBoss Enterprise Application Platform 7.4.14 Release Notes for information about the most significant bug fixes and enhancements included in this release.

Security Fix(es):

* undertow: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* avro: apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK (CVE-2023-39410)

* guava: insecure temporary directory creation (CVE-2023-2976)

* eap-galleon: custom provisioning creates unsecured http-invoker (CVE-2023-4503)

* jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() (CVE-2023-26048)

* jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)

* sshd-common: apache-mina-sshd: information exposure in SFTP server implementations (CVE-2023-35887)

A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

CVEs:

CVE-2023-2976

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/  
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/  
https://bugzilla.redhat.com/show_bug.cgi?id=2184751  
https://bugzilla.redhat.com/show_bug.cgi?id=2215229  
https://bugzilla.redhat.com/show_bug.cgi?id=2236340  
https://bugzilla.redhat.com/show_bug.cgi?id=2236341  
https://bugzilla.redhat.com/show_bug.cgi?id=2240036  
https://bugzilla.redhat.com/show_bug.cgi?id=2242521  
https://bugzilla.redhat.com/show_bug.cgi?id=2242803  
https://issues.redhat.com/browse/JBEAP-25004  
https://issues.redhat.com/browse/JBEAP-25085  
https://issues.redhat.com/browse/JBEAP-25086  
https://issues.redhat.com/browse/JBEAP-25378  
https://issues.redhat.com/browse/JBEAP-25380  
https://issues.redhat.com/browse/JBEAP-25419  
https://issues.redhat.com/browse/JBEAP-25451  
https://issues.redhat.com/browse/JBEAP-25457  
https://issues.redhat.com/browse/JBEAP-25541  
https://issues.redhat.com/browse/JBEAP-25547  
https://issues.redhat.com/browse/JBEAP-25576  
https://issues.redhat.com/browse/JBEAP-25594  
https://issues.redhat.com/browse/JBEAP-25627  
https://issues.redhat.com/browse/JBEAP-25657  
https://issues.redhat.com/browse/JBEAP-25685  
https://issues.redhat.com/browse/JBEAP-25700  
https://issues.redhat.com/browse/JBEAP-25716  
https://issues.redhat.com/browse/JBEAP-25726  
https://issues.redhat.com/browse/JBEAP-25772  
https://issues.redhat.com/browse/JBEAP-25779  
https://issues.redhat.com/browse/JBEAP-25803  
https://issues.redhat.com/browse/JBEAP-25838  
https://issues.redhat.com/browse/JBEAP-26041

Red Hat Security Advisory 2023-7638-03

Red Hat Security Advisory 2023-7637-03 - An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7637.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat JBoss Enterprise Application Platform 7.4.14 on RHEL 7 security update  
Advisory ID:        RHSA-2023:7637-03  
Product:            Red Hat JBoss Enterprise Application Platform  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7637  
Issue date:         2023-12-05  
Revision:           03  
CVE Names:          CVE-2023-2976  
====================================================================

Summary: 

An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.

This release of Red Hat JBoss Enterprise Application Platform 7.4.14 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.13, and includes bug fixes and enhancements.

See the Red Hat JBoss Enterprise Application Platform 7.4.14 Release Notes for information about the most significant bug fixes and enhancements included in this release.

Security Fix(es):

* undertow: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* avro: apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK (CVE-2023-39410)

* guava: insecure temporary directory creation (CVE-2023-2976)

* eap-galleon: custom provisioning creates unsecured http-invoker (CVE-2023-4503)

* jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() (CVE-2023-26048)

* jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)

* sshd-common: apache-mina-sshd: information exposure in SFTP server implementations (CVE-2023-35887)

A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

CVEs:

CVE-2023-2976

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/  
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/  
https://bugzilla.redhat.com/show_bug.cgi?id=2184751  
https://bugzilla.redhat.com/show_bug.cgi?id=2215229  
https://bugzilla.redhat.com/show_bug.cgi?id=2236340  
https://bugzilla.redhat.com/show_bug.cgi?id=2236341  
https://bugzilla.redhat.com/show_bug.cgi?id=2240036  
https://bugzilla.redhat.com/show_bug.cgi?id=2242521  
https://bugzilla.redhat.com/show_bug.cgi?id=2242803  
https://issues.redhat.com/browse/JBEAP-25004  
https://issues.redhat.com/browse/JBEAP-25085  
https://issues.redhat.com/browse/JBEAP-25086  
https://issues.redhat.com/browse/JBEAP-25378  
https://issues.redhat.com/browse/JBEAP-25380  
https://issues.redhat.com/browse/JBEAP-25419  
https://issues.redhat.com/browse/JBEAP-25451  
https://issues.redhat.com/browse/JBEAP-25457  
https://issues.redhat.com/browse/JBEAP-25541  
https://issues.redhat.com/browse/JBEAP-25547  
https://issues.redhat.com/browse/JBEAP-25576  
https://issues.redhat.com/browse/JBEAP-25594  
https://issues.redhat.com/browse/JBEAP-25627  
https://issues.redhat.com/browse/JBEAP-25657  
https://issues.redhat.com/browse/JBEAP-25685  
https://issues.redhat.com/browse/JBEAP-25700  
https://issues.redhat.com/browse/JBEAP-25716  
https://issues.redhat.com/browse/JBEAP-25726  
https://issues.redhat.com/browse/JBEAP-25772  
https://issues.redhat.com/browse/JBEAP-25779  
https://issues.redhat.com/browse/JBEAP-25803  
https://issues.redhat.com/browse/JBEAP-25838  
https://issues.redhat.com/browse/JBEAP-26041

Red Hat Security Advisory 2023-7637-03

Red Hat Security Advisory 2023-7599-03 - Red Hat OpenShift Container Platform release 4.14.5 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7599.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.14.5 bug fix and security update  
Advisory ID:        RHSA-2023:7599-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7599  
Issue date:         2023-12-05  
Revision:           03  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.14.5 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.14.5. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2023:7603

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)

* opentelemetry: DoS vulnerability in otelhttp (CVE-2023-45142)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://bugzilla.redhat.com/show_bug.cgi?id=2245180  
https://issues.redhat.com/browse/OCPBUGS-10126  
https://issues.redhat.com/browse/OCPBUGS-22286  
https://issues.redhat.com/browse/OCPBUGS-22363  
https://issues.redhat.com/browse/OCPBUGS-22430  
https://issues.redhat.com/browse/OCPBUGS-23426  
https://issues.redhat.com/browse/OCPBUGS-23490  
https://issues.redhat.com/browse/OCPBUGS-23751  
https://issues.redhat.com/browse/OCPBUGS-23906

Red Hat Security Advisory 2023-7599-03

Red Hat Security Advisory 2023-7633-01 - An update for rh-mariadb105-galera and rh-mariadb105-mariadb is now available for Red Hat Software Collections. Issues addressed include a null pointer vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7633.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: rh-mariadb105-galera and rh-mariadb105-mariadb security update  
Advisory ID:        RHSA-2023:7633-01  
Product:            Red Hat Software Collections  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7633  
Issue date:         2023-12-04  
Revision:           01  
CVE Names:          CVE-2022-32081  
====================================================================

Summary: 

An update for rh-mariadb105-galera and rh-mariadb105-mariadb is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

MariaDB is a multi-user, multi-threaded SQL database server. For all practical purposes, MariaDB is binary-compatible with MySQL.

The following packages have been upgraded to a later upstream version: rh-mariadb105-galera (26.4.14), rh-mariadb105-mariadb (10.5.22). (BZ#2114888, BZ#2173013, BZ#2240558)

Security Fix(es):

* mariadb: node crashes with Transport endpoint is not connected mysqld got signal 6 (CVE-2023-5157)

* mariadb: use-after-poison in prepare_inplace_add_virtual in handler0alter.cc (CVE-2022-32081)

* mariadb: assertion failure at table->get_ref_count() == 0 in dict0dict.cc (CVE-2022-32082)

* mariadb: segmentation fault via the component sub_select (CVE-2022-32084)

* mariadb: server crash in st_select_lex_unit::exclude_level (CVE-2022-32089)

* mariadb: server crash in JOIN_CACHE::free or in copy_fields (CVE-2022-32091)

* mariadb: compress_write() fails to release mutex on failure (CVE-2022-38791)

* mariadb: NULL pointer dereference in spider_db_mbase::print_warnings() (CVE-2022-47015)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-32081

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2106028  
https://bugzilla.redhat.com/show_bug.cgi?id=2106030  
https://bugzilla.redhat.com/show_bug.cgi?id=2106034  
https://bugzilla.redhat.com/show_bug.cgi?id=2106035  
https://bugzilla.redhat.com/show_bug.cgi?id=2106042  
https://bugzilla.redhat.com/show_bug.cgi?id=2130105  
https://bugzilla.redhat.com/show_bug.cgi?id=2163609  
https://bugzilla.redhat.com/show_bug.cgi?id=2240246

Red Hat Security Advisory 2023-7633-01

Red Hat Security Advisory 2023-7617-02 - Red Hat Build of Apache Camel for Quarkus 3.2.0 is now available.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7617.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat Build of Apache Camel for Quarkus 3.2.0 release (RHBQ 3.2.9.Final)  
Advisory ID:        RHSA-2023:7617-02  
Product:            Red Hat Integration  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7617  
Issue date:         2023-11-30  
Revision:           02  
CVE Names:          CVE-2023-5072  
====================================================================

Summary: 

Red Hat Build of Apache Camel for Quarkus 3.2.0 is now available (updates to RHBQ 3.2.9.Final).  The purpose of this text-only errata is to inform you about the enhancements that improve your developer  experience and ensure the security and stability of your products

Description:

Red Hat Build of Apache Camel for Quarkus 3.2.0 is now available (updates to RHBQ 3.2.9.Final).  The purpose of this text-only errata is to inform you about the enhancements that improve your developer  experience and ensure the security and stability of your products:  
  * CVE-2023-39410 avro: apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK  
   * CVE-2023-5072 JSON-java: parser confusion leads to OOM

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-5072

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/cve/CVE-2023-39410  
https://bugzilla.redhat.com/show_bug.cgi?id=2242521  
https://bugzilla.redhat.com/show_bug.cgi?id=2246417

Red Hat Security Advisory 2023-7617-02

Red Hat Security Advisory 2023-7616-01 - An update for postgresql is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include integer overflow and remote SQL injection vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7616.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: postgresql security updateAdvisory ID:        RHSA-2023:7616-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7616Issue date:         2023-11-30Revision:           01CVE Names:          CVE-2023-5868====================================================================Summary: An update for postgresql is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:PostgreSQL is an advanced object-relational database management system (DBMS).Security Fix(es):* postgresql: Buffer overrun from integer overflow in array modification (CVE-2023-5869)* postgresql: Memory disclosure in aggregate function calls (CVE-2023-5868)* postgresql: extension script @substitutions@ within quoting allow SQL injection (CVE-2023-39417)* postgresql: Role pg_signal_backend can signal certain superuser processes. (CVE-2023-5870)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-5868References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2228111https://bugzilla.redhat.com/show_bug.cgi?id=2247168https://bugzilla.redhat.com/show_bug.cgi?id=2247169https://bugzilla.redhat.com/show_bug.cgi?id=2247170

Red Hat Security Advisory 2023-7616-01

Red Hat Security Advisory 2023-7341-01 - An update is now available for Red Hat Quay 3.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7341.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat Quay security update  
Advisory ID:        RHSA-2023:7341-01  
Product:            Red Hat Quay  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7341  
Issue date:         2023-11-30  
Revision:           01  
CVE Names:          CVE-2023-23931  
====================================================================

Summary: 

An update is now available for Red Hat Quay 3.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

An update is now available for Red Hat Quay 3.

Security Fix(es):

* python-werkzeug: high resource usage when parsing multipart form data with many fields (CVE-2023-25577)

* flask: Possible disclosure of permanent session cookie due to missing Vary: Cookie header (CVE-2023-30861)

* python-cryptography: memory corruption via immutable objects (CVE-2023-23931)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-23931

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2170242  
https://bugzilla.redhat.com/show_bug.cgi?id=2171817  
https://bugzilla.redhat.com/show_bug.cgi?id=2196643  
https://issues.redhat.com/browse/PROJQUAY-2462  
https://issues.redhat.com/browse/PROJQUAY-2803  
https://issues.redhat.com/browse/PROJQUAY-3906  
https://issues.redhat.com/browse/PROJQUAY-4126  
https://issues.redhat.com/browse/PROJQUAY-5021  
https://issues.redhat.com/browse/PROJQUAY-5212  
https://issues.redhat.com/browse/PROJQUAY-5489  
https://issues.redhat.com/browse/PROJQUAY-5506  
https://issues.redhat.com/browse/PROJQUAY-5598  
https://issues.redhat.com/browse/PROJQUAY-5957  
https://issues.redhat.com/browse/PROJQUAY-5958  
https://issues.redhat.com/browse/PROJQUAY-5959  
https://issues.redhat.com/browse/PROJQUAY-5960  
https://issues.redhat.com/browse/PROJQUAY-5963  
https://issues.redhat.com/browse/PROJQUAY-6010  
https://issues.redhat.com/browse/PROJQUAY-6048  
https://issues.redhat.com/browse/PROJQUAY-6184

Red Hat Security Advisory 2023-7341-01

Red Hat Security Advisory 2023-7587-01 - An update is now available for IBM Business Automation Manager Open Editions including images for Red Hat OpenShift Container Platform. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7587.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Updated IBM Business Automation Manager Open Editions 8.0.4 SP1 Images  
Advisory ID:        RHSA-2023:7587-01  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7587  
Issue date:         2023-11-29  
Revision:           01  
CVE Names:          CVE-2023-44487  
====================================================================

Summary: 

An update is now available for IBM Business Automation Manager Open Editions including images for Red Hat OpenShift Container Platform.

Description:

IBM Business Automation Manager Open Editions is an open source business process management suite that combines process management and decision service management. It enables business and IT users to create, manage, validate, and deploy process applications and decision services.

IBM Business Automation Manager Open Editions images have been provided for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) and for on-premise or private-cloud deployments.

This release updates the IBM Business Automation Manager Open Editions images to 8.0.4.

This release includes security fixes.

Security Fix(es):

* netty-codec-http2: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* undertow: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* Quarkus: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* EAP XP: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* EAP: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* businessautomation-operator: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

A Red Hat Security Bulletin which addresses further details about this flaw is available in the References section.

For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the References section.

Solution:

CVEs:

CVE-2023-44487

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2242803

Red Hat Security Advisory 2023-7587-01

Red Hat Security Advisory 2023-7581-01 - An update for the postgresql:13 module is now available for Red Hat Enterprise Linux 8. Issues addressed include integer overflow and remote SQL injection vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7581.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: postgresql:13 security update  
Advisory ID:        RHSA-2023:7581-01  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7581  
Issue date:         2023-11-29  
Revision:           01  
CVE Names:          CVE-2023-5868  
====================================================================

Summary: 

An update for the postgresql:13 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

PostgreSQL is an advanced object-relational database management system (DBMS).

Security Fix(es):

* postgresql: Buffer overrun from integer overflow in array modification (CVE-2023-5869)

* postgresql: Memory disclosure in aggregate function calls (CVE-2023-5868)

* postgresql: extension script @substitutions@ within quoting allow SQL injection (CVE-2023-39417)

* postgresql: Role pg_signal_backend can signal certain superuser processes. (CVE-2023-5870)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-5868

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2228111  
https://bugzilla.redhat.com/show_bug.cgi?id=2247168  
https://bugzilla.redhat.com/show_bug.cgi?id=2247169  
https://bugzilla.redhat.com/show_bug.cgi?id=2247170

Tag

#red_hat