RedHat: RHSA-2022-6813:01 Important: Red Hat Process Automation Manager
Summary
Red Hat Process Automation Manager is an open source business process
management suite that combines process management and decision service
management and enables business and IT users to create, manage, validate,
and deploy process applications and decision services.
This asynchronous security patch is an update to Red Hat Process Automation
Manager 7.
Security Fix(es):
* chart.js: prototype pollution (CVE-2020-7746)
* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
* package immer before 9.0.6. A type confusion vulnerability can lead to a
bypass of CVE-2020-28477 (CVE-2021-23436)
* artemis-commons: Apache ActiveMQ Artemis DoS (CVE-2022-23913)
* Business-central: Possible XML External Entity Injection attack
(CVE-2022-2458)
* cross-fetch: Exposure of Private Personal Information to an Unauthorized
Actor (CVE-2022-1365)
* jackson-databind: denial of service via a large depth of nested objects
(CVE-2020-36518)
* jdbc-postgresql: postgresql-jdbc: Arbitrary File Write Vulnerability
(CVE-2022-26520)
* jdbc-postgresql: Unchecked Class Instantiation when providing Plugin
Classes (CVE-2022-21724)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* org.drools-droolsjbpm-integration: minimist: prototype pollution
(CVE-2021-44906)
* org.kie.workbench-kie-wb-common: minimist: prototype pollution
(CVE-2021-44906)
* parse-url: Exposure of Sensitive Information to an Unauthorized Actor in
GitHub repository ionicabizau/parse-url (CVE-2022-0722)
* xercesimpl: xerces-j2: infinite loop when handling specially crafted XML
document payloads (CVE-2022-23437)
* eventsource: Exposure of Sensitive Information (CVE-2022-1650)
* mysql-connector-java: Difficult to exploit vulnerability allows a high
privileged attacker with network access via multiple protocols to
compromise MySQL Connectors (CVE-2022-21363)
* node-fetch: exposure of sensitive information to an unauthorized actor
(CVE-2022-0235)
* node-forge: Signature verification failing to check tailing garbage bytes
can lead to signature forgery (CVE-2022-24772)
* node-forge: Signature verification leniency in checking `digestAlgorithm`
structure can lead to signature forgery (CVE-2022-24771)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Summary
Solution
For on-premise installations, before applying the update, back up your
existing installation, including all applications, configuration files,
databases and database settings, and so on.
Red Hat recommends that you halt the server by stopping the JBoss
Application Server process before installing this update. After installing
the update, restart the server by starting the JBoss Application Server
process.
The References section of this erratum contains a download link. You must
log in to download the update.
References
https://access.redhat.com/security/cve/CVE-2020-7746 https://access.redhat.com/security/cve/CVE-2020-36518 https://access.redhat.com/security/cve/CVE-2021-23436 https://access.redhat.com/security/cve/CVE-2021-44906 https://access.redhat.com/security/cve/CVE-2022-0235 https://access.redhat.com/security/cve/CVE-2022-0722 https://access.redhat.com/security/cve/CVE-2022-1365 https://access.redhat.com/security/cve/CVE-2022-1650 https://access.redhat.com/security/cve/CVE-2022-2458 https://access.redhat.com/security/cve/CVE-2022-21363 https://access.redhat.com/security/cve/CVE-2022-21724 https://access.redhat.com/security/cve/CVE-2022-23437 https://access.redhat.com/security/cve/CVE-2022-23913 https://access.redhat.com/security/cve/CVE-2022-24771 https://access.redhat.com/security/cve/CVE-2022-24772 https://access.redhat.com/security/cve/CVE-2022-24785 https://access.redhat.com/security/cve/CVE-2022-26520 https://access.redhat.com/security/cve/CVE-2022-31129 https://access.redhat.com/security/updates/classification/#important
Package List
Topic
An update is now available for Red Hat Process Automation Manager.Red Hat Product Security has rated this update as having a security impactof Low. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.
Topic
Relevant Releases Architectures
Bugs Fixed
2041833 - CVE-2021-23436 immer: type confusion vulnerability can lead to a bypass of CVE-2020-28477
2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor
2047200 - CVE-2022-23437 xerces-j2: infinite loop when handling specially crafted XML document payloads
2047343 - CVE-2022-21363 mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors2050863 - CVE-2022-21724 jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes
2063601 - CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS
2064007 - CVE-2022-26520 postgresql-jdbc: Arbitrary File Write Vulnerability
2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects
2066009 - CVE-2021-44906 minimist: prototype pollution
2067387 - CVE-2022-24771 node-forge: Signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery
2067458 - CVE-2022-24772 node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery
2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale
2076133 - CVE-2022-1365 cross-fetch: Exposure of Private Personal Information to an Unauthorized Actor
2085307 - CVE-2022-1650 eventsource: Exposure of Sensitive Information
2096966 - CVE-2020-7746 chart.js: prototype pollution
2103584 - CVE-2022-0722 parse-url: Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository ionicabizau/parse-url
2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS
2107994 - CVE-2022-2458 Business-central: Possible XML External Entity Injection attack