-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Integration Camel for Spring Boot 3.18.3 Patch 2 release
Advisory ID:       RHSA-2023:3641-01
Product:           Red Hat Integration
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3641
Issue date:        2023-06-15
CVE Names:         CVE-2022-25857 CVE-2022-38749 CVE-2022-38750 
                   CVE-2022-38751 CVE-2022-38752 CVE-2022-40152 
                   CVE-2022-40156 CVE-2022-41854 CVE-2022-42003 
                   CVE-2022-42004 CVE-2022-45047 CVE-2022-46363 
                   CVE-2022-46364 CVE-2023-1370 CVE-2023-1436 
                   CVE-2023-20883 
====================================================================
1. Summary:

Camel for Spring Boot 3.18.3 Patch 2 release and security update is now
available.

Red Hat Product Security has rated this update as having an impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

This release of Camel for Spring Boot 3.18.3.P2 serves as a replacement for
Camel for Spring Boot 3.18.3.P1 and includes bug fixes and enhancements,
which are documented in the Release Notes linked in the References. The
purpose of this text-only errata is to inform you about the security issues
fixed.

* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)

* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40152)

* xstream: Xstream to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40156)

* dev-java-snakeyaml: dev-java/snakeyaml: DoS via stack overflow
(CVE-2022-41854)

* snakeyaml: Denial of Service due to missing nested depth limitation for
collections (CVE-2022-25857)

* sshd-common: mina-sshd: Java unsafe deserialization vulnerability
(CVE-2022-45047)

* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)

* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart
(Resource Exhaustion) (CVE-2023-1370)

* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

* jackson-databind: deep wrapper array nesting wrt
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

* snakeyaml: Uncaught exception in
org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)

* snakeyaml: Uncaught exception in
org.yaml.snakeyaml.constructor.BaseConstructor.constructObject
(CVE-2022-38750)

* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern.match
(CVE-2022-38751)

* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode
(CVE-2022-38752)

* snakeyaml: Denial of Service due to missing nested depth limitation for
collections (CVE-2022-25857)

* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)

* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections
2129706 - CVE-2022-38749 snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode
2129707 - CVE-2022-38750 snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject
2129709 - CVE-2022-38751 snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match
2129710 - CVE-2022-38752 snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode
2134288 - CVE-2022-40156 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks
2134291 - CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability
2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow
2155681 - CVE-2022-46363 Apache CXF: directory listing / code exfiltration
2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability
2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray
2188542 - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)
2209342 - CVE-2023-20883 spring-boot: Spring Boot Welcome Page DoS Vulnerability

5. References:

https://access.redhat.com/security/cve/CVE-2022-25857
https://access.redhat.com/security/cve/CVE-2022-38749
https://access.redhat.com/security/cve/CVE-2022-38750
https://access.redhat.com/security/cve/CVE-2022-38751
https://access.redhat.com/security/cve/CVE-2022-38752
https://access.redhat.com/security/cve/CVE-2022-40152
https://access.redhat.com/security/cve/CVE-2022-40156
https://access.redhat.com/security/cve/CVE-2022-41854
https://access.redhat.com/security/cve/CVE-2022-42003
https://access.redhat.com/security/cve/CVE-2022-42004
https://access.redhat.com/security/cve/CVE-2022-45047
https://access.redhat.com/security/cve/CVE-2022-46363
https://access.redhat.com/security/cve/CVE-2022-46364
https://access.redhat.com/security/cve/CVE-2023-1370
https://access.redhat.com/security/cve/CVE-2023-1436
https://access.redhat.com/security/cve/CVE-2023-20883
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZItdGNzjgjWX9erEAQhc7A/+PfKtOHtO40HR87HLkZdBROVscSVLLgYJ
y0yTSOnpx2ccBCkpvEA6+7nzu8l3IZFrmAuSkzMJN84oWVyrzRi+BcrAfAB0J7Il
ItShHVcEJvSzNDrDb9BZ37awga9w/rEkx6h8DwdItClBIlGyaTHhL7dF1XrWSbti
1Nes6J/FSTVjiW7PDbjb3IL9wB6NAkU+X0vJaOn9DWiInOiAlttaxdupy4GfwO7c
5tg4po/h2IxCcz7TEHri+Oiyucc014cedEeSizguKqYs16rspagFZGYcM460Qrg/
cYRPU6NwcYc/tfDubiWle3U7hYbzmY6+DffVS9ksTXz66W2jwWkn1SRJTnk4RsC8
hWnbxkYcPL24T3gCivZyrRgIX3VDi3RNRR7aYzNR+fWi790noi4Zz0smnO95w2XA
vyfIRZLfCsgWnKPWo2E8tzanm3jfyorpBao6HvMeKcFhfPFV7Y8ERDNDoS7huU4H
67NWwTThGGNawChpLxCOkhaIB/tPMAU9EulswBZbRpRXWXaTG8+/OCGO4dZ3x+Wq
RKybaXvqhIFFITP4gu5XraX/Y/ZbxRi9Qp0w7L0X3lvDE8GQqu2rZ2nSh9oRRKJE
g7/7LGWtHMS8GfcvnBdlbl1a4NXKLkfLZjaZytAjoj9Yr2A8blAIe8fjRpan8Xmq
s4LHK2NgW6M=jD7D
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-3641:01 Important: Red Hat Integration Camel for Spring

Camel for Spring Boot 3.18.3 Patch 2 release and security update is now available

Summary

This release of Camel for Spring Boot 3.18.3.P2 serves as a replacement for Camel for Spring Boot 3.18.3.P1 and includes bug fixes and enhancements, which are documented in the Release Notes linked in the References. The purpose of this text-only errata is to inform you about the security issues fixed.
* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)
* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40156)
* dev-java-snakeyaml: dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2022-25857 https://access.redhat.com/security/cve/CVE-2022-38749 https://access.redhat.com/security/cve/CVE-2022-38750 https://access.redhat.com/security/cve/CVE-2022-38751 https://access.redhat.com/security/cve/CVE-2022-38752 https://access.redhat.com/security/cve/CVE-2022-40152 https://access.redhat.com/security/cve/CVE-2022-40156 https://access.redhat.com/security/cve/CVE-2022-41854 https://access.redhat.com/security/cve/CVE-2022-42003 https://access.redhat.com/security/cve/CVE-2022-42004 https://access.redhat.com/security/cve/CVE-2022-45047 https://access.redhat.com/security/cve/CVE-2022-46363 https://access.redhat.com/security/cve/CVE-2022-46364 https://access.redhat.com/security/cve/CVE-2023-1370 https://access.redhat.com/security/cve/CVE-2023-1436 https://access.redhat.com/security/cve/CVE-2023-20883 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2

Package List


Severity
Advisory ID: RHSA-2023:3641-01
Product: Red Hat Integration
Advisory URL: https://access.redhat.com/errata/RHSA-2023:3641
Issued Date: : 2023-06-15
CVE Names: CVE-2022-25857 CVE-2022-38749 CVE-2022-38750 CVE-2022-38751 CVE-2022-38752 CVE-2022-40152 CVE-2022-40156 CVE-2022-41854 CVE-2022-42003 CVE-2022-42004 CVE-2022-45047 CVE-2022-46363 CVE-2022-46364 CVE-2023-1370 CVE-2023-1436 CVE-2023-20883

Topic

Camel for Spring Boot 3.18.3 Patch 2 release and security update is nowavailable.Red Hat Product Security has rated this update as having an impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections

2129706 - CVE-2022-38749 snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode

2129707 - CVE-2022-38750 snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject

2129709 - CVE-2022-38751 snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match

2129710 - CVE-2022-38752 snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode

2134288 - CVE-2022-40156 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks

2134291 - CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks

2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS

2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays

2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability

2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow

2155681 - CVE-2022-46363 Apache CXF: directory listing / code exfiltration

2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability

2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray

2188542 - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)

2209342 - CVE-2023-20883 spring-boot: Spring Boot Welcome Page DoS Vulnerability


Related News

1.Penguin Landscape Esm H320
1 - 2 min read
A critical vulnerability was discovered in the Linux kernel's netfilter subsystem, specifically within the nf_tables component, posing potential
19.Laptop Bed Esm H320
2 - 3 min read
The release of Google Chrome 124 addresses four vulnerabilities, including a critical security flaw that can enable attackers to execute arbitrary
23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved