-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Process Automation Manager 7.13.4 security update
Advisory ID:       RHSA-2023:4983-01
Product:           Red Hat Process Automation Manager
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4983
Issue date:        2023-09-05
CVE Names:         CVE-2021-30129 CVE-2022-3171 CVE-2022-25857 
                   CVE-2022-37599 CVE-2022-38900 CVE-2022-40152 
                   CVE-2022-42920 CVE-2022-45047 CVE-2023-0482 
                   CVE-2023-20860 CVE-2023-20883 
=====================================================================

1. Summary:

An update is now available for Red Hat Process Automation Manager.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which provides a detailed severity rating, is available for each
vulnerability from the CVE links in the References section.

2. Description:

Red Hat Process Automation Manager is an open source business process
management suite that combines process management and decision service
management and enables business and IT users to create, manage, validate,
and deploy process applications and decision services.

This asynchronous security patch is an update to Red Hat Process Automation
Manager 7.

Security Fixes:

* apache-bcel: Apache-Commons-BCEL: arbitrary bytecode produced via
out-of-bounds writing (CVE-2022-42920)

* decode-uri-component: improper input validation resulting in DoS
(CVE-2022-38900)

* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)

* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)

* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
(CVE-2023-20860)

* loader-utils: regular expression denial of service in interpolateName.js
(CVE-2022-37599)

* protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)

* snakeyaml: Denial of Service due to missing nested depth limitation for
collections (CVE-2022-25857)

* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40152)

* RESTEasy: creation of insecure temp files (CVE-2023-0482)

* sshd-core: mina-sshd-core: Memory leak denial of service in Apache Mina
SSHD Server (CVE-2021-30129)

For more details about the security issues, including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
pages listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1981527 - CVE-2021-30129 mina-sshd-core: Memory leak denial of service in Apache Mina SSHD Server
2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections
2134291 - CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks
2134872 - CVE-2022-37599 loader-utils: regular expression denial of service in interpolateName.js
2137645 - CVE-2022-3171 protobuf-java: timeout in parser leads to DoS
2142707 - CVE-2022-42920 Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing
2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability
2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files
2170644 - CVE-2022-38900 decode-uri-component: improper input validation resulting in DoS
2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
2209342 - CVE-2023-20883 spring-boot: Spring Boot Welcome Page DoS Vulnerability

5. References:

https://access.redhat.com/security/cve/CVE-2021-30129
https://access.redhat.com/security/cve/CVE-2022-3171
https://access.redhat.com/security/cve/CVE-2022-25857
https://access.redhat.com/security/cve/CVE-2022-37599
https://access.redhat.com/security/cve/CVE-2022-38900
https://access.redhat.com/security/cve/CVE-2022-40152
https://access.redhat.com/security/cve/CVE-2022-42920
https://access.redhat.com/security/cve/CVE-2022-45047
https://access.redhat.com/security/cve/CVE-2023-0482
https://access.redhat.com/security/cve/CVE-2023-20860
https://access.redhat.com/security/cve/CVE-2023-20883
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJk93yjAAoJENzjgjWX9erEKqgP/1UlycSBys8Kqyupt2ZTt6Dc
9sWam6CyTWid71F4d/NrZlNEZ8hyHVyH4/IDaA7t6VnwbdMJZC3GqOA87sh0AXM9
uNSSwjQ/KHdhVfl7gST/YOdWSrKqG8WN405f0gIQNL7HOtYkFnzjQEI1mNeIy4OM
c+gVKOpukuJcOd/Nol/dTeTgrWh95GVajDoIFdH2NVs6u2iYvrG549q7Ja2DBWri
KSbVwyANrFuXSiQn/F17wOmp7MtabMR+Q6ZE7SnuKHVfBDxTKcp3JUOZ37rB0xMk
YRu+DHpVuQWMcLBN0IHHM+qfoAL8WwI+YWs+qwMze29AZbCDDwBxe8p3Ml5/iTmZ
vrms3iy99JqkbQS34lhEmmVNTk26no63boIdpuRURj1pHOTkcihtcBMU+IwmOEjy
xfaROWy7EmI/IqQUt6kNhlaWjOWuZ+O3v2L2an9h+3+ZrMRolu8X2kYed98brSkc
G2rooLO5nxIltW6F1iYo2DNYapvb+1KXDnyjW2RH4myQTiFb7vqI3aK/+wFmcxhD
6vXGedukV+ylBVr6kay/wAbETrvuEpD1ekch7nSQkVsfhj2ogbM67uvFW0DggGmx
TB+KnZonBSa+z1s+lyFfYO06htRZzfKXHyhmuGbF0gFm2N1ySjulLMM8ATo85Wc2
gylNKjGyvndPEI09+thC
=+EvW
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-4983:01 Important: Red Hat Process Automation Manager

An update is now available for Red Hat Process Automation Manager

Summary

Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.
This asynchronous security patch is an update to Red Hat Process Automation Manager 7.
Security Fixes:
* apache-bcel: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
* decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)
* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
* loader-utils: regular expression denial of service in interpolateName.js (CVE-2022-37599)
* protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)
* RESTEasy: creation of insecure temp files (CVE-2023-0482)
* sshd-core: mina-sshd-core: Memory leak denial of service in Apache Mina SSHD Server (CVE-2021-30129)
For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the References section.



Summary


Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2021-30129 https://access.redhat.com/security/cve/CVE-2022-3171 https://access.redhat.com/security/cve/CVE-2022-25857 https://access.redhat.com/security/cve/CVE-2022-37599 https://access.redhat.com/security/cve/CVE-2022-38900 https://access.redhat.com/security/cve/CVE-2022-40152 https://access.redhat.com/security/cve/CVE-2022-42920 https://access.redhat.com/security/cve/CVE-2022-45047 https://access.redhat.com/security/cve/CVE-2023-0482 https://access.redhat.com/security/cve/CVE-2023-20860 https://access.redhat.com/security/cve/CVE-2023-20883 https://access.redhat.com/security/updates/classification/#important

Package List


Severity
Advisory ID: RHSA-2023:4983-01
Product: Red Hat Process Automation Manager
Advisory URL: https://access.redhat.com/errata/RHSA-2023:4983
Issued Date: : 2023-09-05
CVE Names: CVE-2021-30129 CVE-2022-3171 CVE-2022-25857 CVE-2022-37599 CVE-2022-38900 CVE-2022-40152 CVE-2022-42920 CVE-2022-45047 CVE-2023-0482 CVE-2023-20860 CVE-2023-20883

Topic

An update is now available for Red Hat Process Automation Manager.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which provides a detailed severity rating, is available for eachvulnerability from the CVE links in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

1981527 - CVE-2021-30129 mina-sshd-core: Memory leak denial of service in Apache Mina SSHD Server

2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections

2134291 - CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks

2134872 - CVE-2022-37599 loader-utils: regular expression denial of service in interpolateName.js

2137645 - CVE-2022-3171 protobuf-java: timeout in parser leads to DoS

2142707 - CVE-2022-42920 Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing

2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability

2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files

2170644 - CVE-2022-38900 decode-uri-component: improper input validation resulting in DoS

2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern

2209342 - CVE-2023-20883 spring-boot: Spring Boot Welcome Page DoS Vulnerability


Related News

19.Laptop Bed Esm H320
2 - 3 min read
The release of Google Chrome 124 addresses four vulnerabilities, including a critical security flaw that can enable attackers to execute arbitrary
23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved