RedHat: RHSA-2022-5903:01 Moderate: Red Hat Process Automation Mana...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Process Automation Manager 7.13.0 security update
Advisory ID:       RHSA-2022:5903-01
Product:           Red Hat Process Automation Manager
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5903
Issue date:        2022-08-04
CVE Names:         CVE-2021-2471 CVE-2021-3642 CVE-2021-3644 
                   CVE-2021-3717 CVE-2021-22569 CVE-2021-36373 
                   CVE-2021-37136 CVE-2021-37137 CVE-2021-37714 
                   CVE-2021-43797 CVE-2022-22950 CVE-2022-25647 
=====================================================================

1. Summary:

An update is now available for Red Hat Process Automation Manager.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat Process Automation Manager is an open source business process
management suite that combines process management and decision service
management and enables business and IT users to create, manage, validate,
and deploy process applications and decision services.

This asynchronous security patch is an update to Red Hat Process Automation
Manager 7.

Security Fix(es):

* com.google.code.gson-gson: Deserialization of Untrusted Data in
com.google.code.gson-gson (CVE-2022-25647)

* jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
(CVE-2021-37714)

* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for
decompressed data (CVE-2021-37136)

* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may
buffer skippable chunks in an unnecessary way (CVE-2021-37137)

* protobuf-java: potential DoS in the parsing procedure for binary data
(CVE-2021-22569)

* spring-expression: Denial of service via specially crafted SpEL
expression (CVE-2022-22950)

* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)

* wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving
access to all the local users (CVE-2021-3717)

* ant: excessive memory allocation when reading a specially crafted TAR
archive (CVE-2021-36373)

* mysql-connector-java: unauthorized access to critical (CVE-2021-2471)

* netty: control chars in header names may lead to HTTP request smuggling
(CVE-2021-43797)

* wildfly-core: Invalid Sensitivity Classification of Vault Expression
(CVE-2021-3644)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For on-premise installations, before applying the update, back up your
existing installation, including all applications, configuration files,
databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application
Server process before installing this update; after installing the update,
restart the server by starting the JBoss Application Server process.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1976052 - CVE-2021-3644 wildfly-core: Invalid Sensitivity Classification of Vault Expression
1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer
1982336 - CVE-2021-36373 ant: excessive memory allocation when reading a specially crafted TAR archive
1991305 - CVE-2021-3717 wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users
1995259 - CVE-2021-37714 jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way
2020583 - CVE-2021-2471 mysql-connector-java: unauthorized access to critical
2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling
2039903 - CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data
2069414 - CVE-2022-22950 spring-expression: Denial of service via specially crafted SpEL expression
2080850 - CVE-2022-25647 com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson

5. References:

https://access.redhat.com/security/cve/CVE-2021-2471
https://access.redhat.com/security/cve/CVE-2021-3642
https://access.redhat.com/security/cve/CVE-2021-3644
https://access.redhat.com/security/cve/CVE-2021-3717
https://access.redhat.com/security/cve/CVE-2021-22569
https://access.redhat.com/security/cve/CVE-2021-36373
https://access.redhat.com/security/cve/CVE-2021-37136
https://access.redhat.com/security/cve/CVE-2021-37137
https://access.redhat.com/security/cve/CVE-2021-37714
https://access.redhat.com/security/cve/CVE-2021-43797
https://access.redhat.com/security/cve/CVE-2022-22950
https://access.redhat.com/security/cve/CVE-2022-25647
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYuthq9zjgjWX9erEAQgQEg/+JzQ2kFiUqqXTe4CScQ9mAeLZBXJhzO3R
YXfJSCjuaa+Rs2xlatT73cIzSAyw/q2hNZjjcsdMdLtQaVPCeqg6dWHs9XORxHYi
zmN5XjoUUgcXz8o4EovTNdvPZt5T16fnQ992+8VtGt9rXK+iWs/txzBLESTArCdD
TZ8JWF09caN37s3OctjOAn3fYFHN9AjeiWlVP99VfCAHpooMX8eaCPcVEgMuMt1G
u8KzNqkPjr/Mwfm5okRsQo6BkjgKoxRSqugW9YkurcvwK/4R4hCdRToC6Q2LvbzS
lMdjGFYMmlrBPWtJ7JM/S/oAGwBO00tYbuhxpPtcJrDKWsDWSN0DZWhqWtjHspMt
MAZZC7SCbnDzTlr52ReYuP8NqEwKNe0EO0MAu8W5EYfBDiZeP2f1lEH59OVOujLQ
L2ghX/hZhM6npU1yHV+9SVKV33LkAyiyunBUPQnKJq0NfsIrLgRLBC00GIabYPSu
9wXhVJJMAaJr+HTvWut6QhJmF68zlio3Uvxh70c9gpejyYvwSUmA5UlHAJRkUTaI
5pzXH/1cDxTlJF1iMotIXyw7FQBi9nF/XOGFpNVc+O3Gt32IK4smbbgjMAJ9L0wI
lbxnxfBsDeI3uG+AdPMkB8M8NOHp0ZbvDQF8YMzlQ/efLOsnuFOUBhdCa3Uj3abN
PEkCgEOAjYs=
=WAVg
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-5903:01 Moderate: Red Hat Process Automation Manager

An update is now available for Red Hat Process Automation Manager

Summary

Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.
This asynchronous security patch is an update to Red Hat Process Automation Manager 7.
Security Fix(es):
* com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson (CVE-2022-25647)
* jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck (CVE-2021-37714)
* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136)
* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)
* protobuf-java: potential DoS in the parsing procedure for binary data (CVE-2021-22569)
* spring-expression: Denial of service via specially crafted SpEL expression (CVE-2022-22950)
* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)
* wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users (CVE-2021-3717)
* ant: excessive memory allocation when reading a specially crafted TAR archive (CVE-2021-36373)
* mysql-connector-java: unauthorized access to critical (CVE-2021-2471)
* netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797)
* wildfly-core: Invalid Sensitivity Classification of Vault Expression (CVE-2021-3644)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For on-premise installations, before applying the update, back up yourexisting installation, including all applications, configuration files,databases and database settings, and so on.It is recommended to halt the server by stopping the JBoss ApplicationServer process before installing this update; after installing the update,restart the server by starting the JBoss Application Server process.The References section of this erratum contains a download link (you mustlog in to download the update).

References

https://access.redhat.com/security/cve/CVE-2021-2471 https://access.redhat.com/security/cve/CVE-2021-3642 https://access.redhat.com/security/cve/CVE-2021-3644 https://access.redhat.com/security/cve/CVE-2021-3717 https://access.redhat.com/security/cve/CVE-2021-22569 https://access.redhat.com/security/cve/CVE-2021-36373 https://access.redhat.com/security/cve/CVE-2021-37136 https://access.redhat.com/security/cve/CVE-2021-37137 https://access.redhat.com/security/cve/CVE-2021-37714 https://access.redhat.com/security/cve/CVE-2021-43797 https://access.redhat.com/security/cve/CVE-2022-22950 https://access.redhat.com/security/cve/CVE-2022-25647 https://access.redhat.com/security/updates/classification/#moderate

Package List

Severity
Advisory ID: RHSA-2022:5903-01
Product: Red Hat Process Automation Manager
Advisory URL: https://access.redhat.com/errata/RHSA-2022:5903
Issued Date: : 2022-08-04
CVE Names: CVE-2021-2471 CVE-2021-3642 CVE-2021-3644 CVE-2021-3717 CVE-2021-22569 CVE-2021-36373 CVE-2021-37136 CVE-2021-37137 CVE-2021-37714 CVE-2021-43797 CVE-2022-22950 CVE-2022-25647

Topic

An update is now available for Red Hat Process Automation Manager.Red Hat Product Security has rated this update as having a security impactof Low. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Relevant Releases Architectures

Bugs Fixed

1976052 - CVE-2021-3644 wildfly-core: Invalid Sensitivity Classification of Vault Expression

1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer

1982336 - CVE-2021-36373 ant: excessive memory allocation when reading a specially crafted TAR archive

1991305 - CVE-2021-3717 wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users

1995259 - CVE-2021-37714 jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck

2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data

2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way

2020583 - CVE-2021-2471 mysql-connector-java: unauthorized access to critical

2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling

2039903 - CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data

2069414 - CVE-2022-22950 spring-expression: Denial of service via specially crafted SpEL expression

2080850 - CVE-2022-25647 com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.