Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Red Hat Integration - Camel Extensions for Quarkus 2.13.2 serves as a
replacement for 2.7 and includes the following security fixes.
Security Fix(es):
* jettison: memory exhaustion via user-supplied XML or JSON data
(CVE-2022-40150)
* jettison: parser crash by stack overflow (CVE-2022-40149)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting with
UNWRAP_SINGLE_VALUE_ARRAYS enabled (CVE-2022-42003)
* commons-text (apache-commons-text): variable interpolation RCE
(CVE-2022-42889)
* xstream: denial of service when processing XML data (CVE-2022-40151,
CVE-2022-40153, CVE-2022-40154, CVE-2022-40155, CVE-2022-40156)
* woodstox-core: denial of service when processing XML data
(CVE-2022-40152)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
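After applying the update, the check a practitioner usually wants is that the rebuilt application no longer resolves the affected libraries below their fixed versions. The following script is an added illustration, not Red Hat tooling and not part of this advisory: it scans the output of `mvn dependency:list` for the five libraries named above and flags any pinned below an assumed minimum fixed version. The minimum versions in FIXED_VERSIONS and the sample Maven output are assumptions constructed for this example and should be confirmed against the CVE pages in the References section before being relied on.

```python
"""Flag Maven artifacts resolved below the version assumed to fix each CVE in this advisory.

Added example, not Red Hat's tooling. The fixed versions are an assumption drawn
from upstream release notes; confirm them against the CVE pages before use.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed minimum fixed upstream versions per (groupId, artifactId).
FIXED_VERSIONS: Dict[Tuple[str, str], Tuple[str, List[str]]] = {
    ("org.codehaus.jettison", "jettison"):
        ("1.5.1", ["CVE-2022-40149", "CVE-2022-40150"]),
    ("com.fasterxml.jackson.core", "jackson-databind"):
        ("2.13.4.1", ["CVE-2022-42003", "CVE-2022-42004"]),
    ("org.apache.commons", "commons-text"):
        ("1.10.0", ["CVE-2022-42889"]),
    ("com.thoughtworks.xstream", "xstream"):
        ("1.4.20", ["CVE-2022-40151", "CVE-2022-40153", "CVE-2022-40154",
                    "CVE-2022-40155", "CVE-2022-40156"]),
    ("com.fasterxml.woodstox", "woodstox-core"):
        ("6.4.0", ["CVE-2022-40152"]),
}


@dataclass
class Finding:
    group_id: str
    artifact_id: str
    version: str
    fixed_in: str
    cves: List[str]


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a Maven version as an int tuple.

    Qualifiers such as '-redhat-00001' or '.Final' are ignored, so
    '2.13.4.2-redhat-00001' -> (2, 13, 4, 2). Tuple comparison then orders
    '1.9' below '1.10.0' correctly, which plain string comparison would not.
    """
    match = re.match(r"\d+(?:\.\d+)*", version)
    if not match:
        raise ValueError(f"no numeric version in {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def find_vulnerable(dependency_list_output: str) -> List[Finding]:
    """Scan `mvn dependency:list` output for artifacts below their fixed version.

    Each coordinate token has the form groupId:artifactId:type[:classifier]:version:scope,
    so the version is always the second-to-last colon-separated field regardless
    of whether a classifier is present. Tokens with fewer than five fields (log
    prefixes, module notes appended by newer Maven versions) are skipped.
    """
    findings: List[Finding] = []
    for line in dependency_list_output.splitlines():
        for token in line.split():
            parts = token.split(":")
            if len(parts) < 5:
                continue  # not a dependency coordinate
            group_id, artifact_id, version = parts[0], parts[1], parts[-2]
            entry = FIXED_VERSIONS.get((group_id, artifact_id))
            if entry is None:
                continue  # library not covered by this advisory
            fixed_in, cves = entry
            if parse_version(version) < parse_version(fixed_in):
                findings.append(Finding(group_id, artifact_id, version, fixed_in, cves))
    return findings


# Constructed sample output in the shape `mvn dependency:list` prints; not from a real build.
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.commons:commons-text:jar:1.9:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.13.4.2:compile
[INFO]    org.codehaus.jettison:jettison:jar:1.5.0:compile
[INFO]    com.thoughtworks.xstream:xstream:jar:1.4.20:compile
[INFO]    com.fasterxml.woodstox:woodstox-core:jar:6.2.8:compile
[INFO]    org.apache.camel.quarkus:camel-quarkus-core:jar:2.13.2:compile
"""

if __name__ == "__main__":
    for finding in find_vulnerable(SAMPLE_OUTPUT):
        print(f"{finding.group_id}:{finding.artifact_id}:{finding.version} "
              f"< {finding.fixed_in}  ({', '.join(finding.cves)})")
```

Feed it a real run with `mvn dependency:list | python check_versions.py` style piping, or adapt it to `mvn dependency:tree`, which prints the same coordinate format. A clean result only shows that the versions named in FIXED_VERSIONS are met; it does not replace the CVSS and impact details on the CVE pages.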
References:
https://access.redhat.com/security/cve/CVE-2022-40149
https://access.redhat.com/security/cve/CVE-2022-40150
https://access.redhat.com/security/cve/CVE-2022-40151
https://access.redhat.com/security/cve/CVE-2022-40152
https://access.redhat.com/security/cve/CVE-2022-40153
https://access.redhat.com/security/cve/CVE-2022-40154
https://access.redhat.com/security/cve/CVE-2022-40155
https://access.redhat.com/security/cve/CVE-2022-40156
https://access.redhat.com/security/cve/CVE-2022-42003
https://access.redhat.com/security/cve/CVE-2022-42004
https://access.redhat.com/security/cve/CVE-2022-42889
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q1
https://access.redhat.com/documentation/en-us/red_hat_integration/2023.q1
Red Hat Integration Camel Extensions for Quarkus 2.13.2 is now available.
The purpose of this text-only errata is to inform you about the security
issues fixed.
Red Hat Product Security has rated this update as having an impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
Bugs fixed (https://bugzilla.redhat.com/):
2128959 - CVE-2022-40154 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks
2134288 - CVE-2022-40156 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks
2134289 - CVE-2022-40155 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks
2134290 - CVE-2022-40153 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks
2134291 - CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks
2134292 - CVE-2022-40151 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
2135435 - CVE-2022-42889 apache-commons-text: variable interpolation RCE
2135770 - CVE-2022-40150 jettison: memory exhaustion via user-supplied XML or JSON data
2135771 - CVE-2022-40149 jettison: parser crash by stackoverflow