RedHat: RHSA-2023-4612-01 Important: Spring Boot 2.7.13 Update Security
red hat
August 16, 2023
An update is now available for Red Hat OpenShift Application Runtimes
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Summary
Red Hat support for Spring Boot provides an application platform that
reduces the complexity of developing and operating applications (monoliths
and microservices) for OpenShift as a containerized platform.
This release of Red Hat support for Spring Boot 2.7.13 serves as a
replacement for Red Hat support for Spring Boot 2.7.12, and includes
security, bug fixes and enhancements. For more information, see the release
notes linked in the References section.
Security Fix(es):
* snakeyaml: Constructor Deserialization Remote Code Execution
(CVE-2022-1471)
* undertow: Infinite loop in SslConduit during close (CVE-2023-1108)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
(CVE-2023-20860)
* jackson-databind: Possible DoS if using JDK serialization to serialize
JsonNode (CVE-2021-46877)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)
* reactor-netty-http: Log request headers in some cases of invalid HTTP
requests (CVE-2022-31684)
* tomcat: JsonErrorReportValve injection (CVE-2022-45143)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
References
https://access.redhat.com/security/cve/CVE-2021-46877 https://access.redhat.com/security/cve/CVE-2022-1471 https://access.redhat.com/security/cve/CVE-2022-31684 https://access.redhat.com/security/cve/CVE-2022-45143 https://access.redhat.com/security/cve/CVE-2023-1108 https://access.redhat.com/security/cve/CVE-2023-20860 https://access.redhat.com/security/cve/CVE-2023-20861 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.7/html/release_notes_for_spring_boot_2.7/index
Package List
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Advisory ID: RHSA-2023:4612-01
Product: Red Hat OpenShift Application Runtimes
Advisory URL: https://access.redhat.com/errata/RHSA-2023:4612
Issue date: 2023-08-16
Topic
An update is now available for Red Hat OpenShift Application Runtimes.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.
Relevant Releases Architectures
Bugs Fixed
2141353 - CVE-2022-31684 reactor-netty-http: Log request headers in some cases of invalid HTTP requests
2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution
2158695 - CVE-2022-45143 tomcat: JsonErrorReportValve injection
2174246 - CVE-2023-1108 Undertow: Infinite loop in SslConduit during close
2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
2180530 - CVE-2023-20861 springframework: Spring Expression DoS Vulnerability
2185707 - CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!