-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: Service Registry (container images) release and security update [2.4.3 GA]
Advisory ID:       RHSA-2023:3815-01
Product:           Red Hat Integration
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3815
Issue date:        2023-06-27
CVE Names:         CVE-2021-46877 CVE-2022-3509 CVE-2022-3510 
                   CVE-2022-3782 CVE-2022-4742 CVE-2022-25881 
                   CVE-2022-40152 CVE-2022-45787 CVE-2023-28867 
====================================================================
1. Summary:

An update to the images for Red Hat Integration - Service Registry is now
available from the Red Hat Container Catalog. The purpose of this text-only
errata is to inform you about the security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

This release of Red Hat Integration - Service Registry 2.4.3 GA includes
the following security fixes.

Security Fix(es):

* keycloak: path traversal via double URL encoding (CVE-2022-3782)

* jackson-databind: Possible DoS if using JDK serialization to serialize
JsonNode (CVE-2021-46877)

* protobuf-java: Textformat parsing issue leads to DoS (CVE-2022-3509)

* protobuf-java: Message-Type Extensions parsing issue leads to DoS
(CVE-2022-3510)

* json-pointer: prototype pollution in json-pointer (CVE-2022-4742)

* http-cache-semantics: Regular Expression Denial of Service (ReDoS)
vulnerability (CVE-2022-25881)

* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40152)

* apache-james-mime4j: Temporary File Information Disclosure in MIME4J
TempFileStorageProvider (CVE-2022-45787)

* graphql-java: crafted GraphQL query causes stack consumption
(CVE-2023-28867)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2134291 - CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks
2138971 - CVE-2022-3782 keycloak: path traversal via double URL encoding
2156333 - CVE-2022-4742 json-pointer: prototype pollution in json-pointer
2158916 - CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider
2165824 - CVE-2022-25881 http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability
2181977 - CVE-2023-28867 graphql-java: crafted GraphQL query causes stack consumption
2184161 - CVE-2022-3509 protobuf-java: Textformat parsing issue leads to DoS
2184176 - CVE-2022-3510 protobuf-java: Message-Type Extensions parsing issue leads to DoS
2185707 - CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode

5. References:

https://access.redhat.com/security/cve/CVE-2021-46877
https://access.redhat.com/security/cve/CVE-2022-3509
https://access.redhat.com/security/cve/CVE-2022-3510
https://access.redhat.com/security/cve/CVE-2022-3782
https://access.redhat.com/security/cve/CVE-2022-4742
https://access.redhat.com/security/cve/CVE-2022-25881
https://access.redhat.com/security/cve/CVE-2022-40152
https://access.redhat.com/security/cve/CVE-2022-45787
https://access.redhat.com/security/cve/CVE-2023-28867
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZJsFgtzjgjWX9erEAQhjSxAAkdZcVQ40k/RGIbaO43BZYsPXzr3F47f9
kR7ddrW/LgLw6N2oHPx+T7zSMJM6oGnWjTi1Mqw6XUmDaSXSnLf2ADx3NEmrH//T
8Ti9UjN6oKuBtJb5sejU9ra2FBX9g3rJP6nb6QeeUi6v/a1aw3kwMp/mCC7Sp1U3
RxLOs9O4/CKA5NBSJnPjFqp1rXPLpmHLwOKdomABrOEoyIairtCey3GpLfOcLRMg
+rNwtcjGrfMVQTC0d+2Gl4oNL7oqG6/fG/hRUFSO8LRzq+pEzEPA7bqgYi9wbbiX
hEooNDJfAoUSbRljoYwqSpAROuyPft32+PhemRkX8/OUij213ouA9BFY14pf3X1y
5bmJI59ipH67tl8gO1naNlHDTbyZBr2wWxmjGadVOR9aJK5YDyosoUEk/gjokQbn
31sBfBHx2P9xCHTLZjDDNQBF9MgI1zh6dUId7pBNvcshcLLM5+7kbMGEf6l+elfm
D89TciTpHROFfNLP6ejNzw/iE7Mm3pSb1UfEwamyvl/KSpoO39aMzxmRAy35ZV2A
CrVPnrzEj2rCH3MvJTCc8CVz0p58zxrbBKJ6lLEecaEbAIvHeuKBmsWjDzf2DoLm
ixoYo2VaKXPTYFpKon6HqR9ln4lL+VCMNiDyHk3AulBtkcgFzpMlfzeaHGlx9dRl
IzcckdicBSE=lmeY
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-3815:01 Important: Service Registry (container images)

An update to the images for Red Hat Integration - Service Registry is now available from the Red Hat Container Catalog

Summary

This release of Red Hat Integration - Service Registry 2.4.3 GA includes the following security fixes.
Security Fix(es):
* keycloak: path traversal via double URL encoding (CVE-2022-3782)
* jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)
* protobuf-java: Textformat parsing issue leads to DoS (CVE-2022-3509)
* protobuf-java: Message-Type Extensions parsing issue leads to DoS (CVE-2022-3510)
* json-pointer: prototype pollution in json-pointer (CVE-2022-4742)
* http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2022-25881)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)
* apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider (CVE-2022-45787)
* graphql-java: crafted GraphQL query causes stack consumption (CVE-2023-28867)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Summary

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2021-46877 https://access.redhat.com/security/cve/CVE-2022-3509 https://access.redhat.com/security/cve/CVE-2022-3510 https://access.redhat.com/security/cve/CVE-2022-3782 https://access.redhat.com/security/cve/CVE-2022-4742 https://access.redhat.com/security/cve/CVE-2022-25881 https://access.redhat.com/security/cve/CVE-2022-40152 https://access.redhat.com/security/cve/CVE-2022-45787 https://access.redhat.com/security/cve/CVE-2023-28867 https://access.redhat.com/security/updates/classification/#important

Package List

Severity

Advisory ID: RHSA-2023:3815-01

Product: Red Hat Integration

Advisory URL: https://access.redhat.com/errata/RHSA-2023:3815

Issued Date: : 2023-06-27

CVE Names: CVE-2021-46877 CVE-2022-3509 CVE-2022-3510 CVE-2022-3782 CVE-2022-4742 CVE-2022-25881 CVE-2022-40152 CVE-2022-45787 CVE-2023-28867

Topic

An update to the images for Red Hat Integration - Service Registry is nowavailable from the Red Hat Container Catalog. The purpose of this text-onlyerrata is to inform you about the security issues fixed in this release.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

Topic

Relevant Releases Architectures

Bugs Fixed

2134291 - CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks

2138971 - CVE-2022-3782 keycloak: path traversal via double URL encoding

2156333 - CVE-2022-4742 json-pointer: prototype pollution in json-pointer

2158916 - CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider

2165824 - CVE-2022-25881 http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability

2181977 - CVE-2023-28867 graphql-java: crafted GraphQL query causes stack consumption

2184161 - CVE-2022-3509 protobuf-java: Textformat parsing issue leads to DoS

2184176 - CVE-2022-3510 protobuf-java: Message-Type Extensions parsing issue leads to DoS

2185707 - CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode

Related News

Google Chrome 129: Addressing Crucial Vulnerabilities and Enhancing Security

Google Chrome 129: Addressing Crucial Vulnerabilities and Enhancing Security

2 - 4 min read

Sep 19, 2024

Google Chrome remains the crown jewel in the browser market, with an impressive user base of approximately 3.45 billion. However, this immense

Fighting Back Against Hadooken Malware by Strengthening WebLogic Security

Fighting Back Against Hadooken Malware by Strengthening WebLogic Security

2 - 4 min read

Sep 16, 2024

Cybercriminals have been relentlessly attacking the digital landscape, aiming to exploit vulnerabilities in well-known systems. One such exploit is

CISA Sounds Alarm on Newly Exploited Vulnerabilities: Is Your System at Risk?

CISA Sounds Alarm on Newly Exploited Vulnerabilities: Is Your System at Risk?

3 - 5 min read

Sep 15, 2024

CISA regularly publishes updates regarding vulnerabilities that present severe threats to global cybersecurity. Recently, CISA added three

Defending Against Remote Code Execution in Google Chrome: A Critical Update

Defending Against Remote Code Execution in Google Chrome: A Critical Update

2 - 3 min read

Sep 15, 2024

Google Chrome, a widely used web browser, serves millions of internet users by connecting them to the online world. Unfortunately, severe

Navigating the Linux Kernel

Navigating the Linux Kernel's Latest DMA Security Vulnerability

2 - 4 min read

Sep 10, 2024

The Linux operating system, widely acclaimed for its robustness and security , recently received widespread media attention due to a significant

Staying a Step Ahead of Adversaries: Mitigating Chromium

Staying a Step Ahead of Adversaries: Mitigating Chromium's Security Flaws on Linux

2 - 4 min read

Sep 04, 2024

Google Chrome, one of the world's most widely used web browsers, has recently been scrutinized due to the discovery of multiple Chromium

Unmasking Cicada3301: Examining the Threat of the New Rust-Based Ransomware

Unmasking Cicada3301: Examining the Threat of the New Rust-Based Ransomware

2 - 4 min read

Sep 03, 2024

Ransomware has long been a severe threat to organizations and admins alike. Recently, cybersecurity researchers discovered a new variant called

Buffer Overflow Exploits in Linux: Origins, Impact, and Countermeasures

Buffer Overflow Exploits in Linux: Origins, Impact, and Countermeasures

3 - 6 min read

Sep 02, 2024

Buffer overflow vulnerabilities have long been one of the biggest headaches in computer security, especially on Linux operating systems that power

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

News

Cloud Security Cryptography Desktop Security Firewall Government Hacks/Cracks IoT Security Network Security Organizations/Events Privacy Security Projects Security Trends Security Vulnerabilities Server Security Vendors/Products
Advisories

Debian Debian LTS Fedora Gentoo Mageia Oracle openSUSE RockyLinux Slackware SuSE Ubuntu
HOWTOs

Harden My Filesystem Learn Tips and Tricks Secure My E-mail Secure My Firewall Secure My Network Secure My Webserver Strengthen My Privacy
Features

Best Secure Linux Distros for Enhanced Privacy & Security The Truth About Linux Malware & How to Protect Your System Is Linux A More Secure Option Than Windows For Businesses? How Secure Is Linux? Top Tips for Securing Your Linux System
About Us

Advertise Contribute Your Article Legal Notice RSS Feeds Contact Us Terms of Service Privacy Policy
Powered By

Linux Security - Your source for Top Linux News, Advisories, HowTo's and Feature Release.

© 2024 Guardian Digital, Inc All Rights Reserved