what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2022-5903-01

Red Hat Security Advisory 2022-5903-01
Posted Aug 4, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-5903-01 - Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services. This asynchronous security patch is an update to Red Hat Process Automation Manager 7. Issues addressed include HTTP request smuggling, denial of service, and deserialization vulnerabilities.

tags | advisory, web, denial of service, vulnerability
systems | linux, redhat
advisories | CVE-2021-22569, CVE-2021-2471, CVE-2021-36373, CVE-2021-3642, CVE-2021-3644, CVE-2021-37136, CVE-2021-37137, CVE-2021-3717, CVE-2021-37714, CVE-2021-43797, CVE-2022-22950, CVE-2022-25647
SHA-256 | 64f14a1390aa598b8f7f7082ac1e23e09426694792e54d265ca579256dd960fb

Red Hat Security Advisory 2022-5903-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat Process Automation Manager 7.13.0 security update
Advisory ID: RHSA-2022:5903-01
Product: Red Hat Process Automation Manager
Advisory URL: https://access.redhat.com/errata/RHSA-2022:5903
Issue date: 2022-08-04
CVE Names: CVE-2021-2471 CVE-2021-3642 CVE-2021-3644
CVE-2021-3717 CVE-2021-22569 CVE-2021-36373
CVE-2021-37136 CVE-2021-37137 CVE-2021-37714
CVE-2021-43797 CVE-2022-22950 CVE-2022-25647
====================================================================
1. Summary:

An update is now available for Red Hat Process Automation Manager.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat Process Automation Manager is an open source business process
management suite that combines process management and decision service
management and enables business and IT users to create, manage, validate,
and deploy process applications and decision services.

This asynchronous security patch is an update to Red Hat Process Automation
Manager 7.

Security Fix(es):

* com.google.code.gson-gson: Deserialization of Untrusted Data in
com.google.code.gson-gson (CVE-2022-25647)

* jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
(CVE-2021-37714)

* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for
decompressed data (CVE-2021-37136)

* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may
buffer skippable chunks in an unnecessary way (CVE-2021-37137)

* protobuf-java: potential DoS in the parsing procedure for binary data
(CVE-2021-22569)

* spring-expression: Denial of service via specially crafted SpEL
expression (CVE-2022-22950)

* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)

* wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving
access to all the local users (CVE-2021-3717)

* ant: excessive memory allocation when reading a specially crafted TAR
archive (CVE-2021-36373)

* mysql-connector-java: unauthorized access to critical (CVE-2021-2471)

* netty: control chars in header names may lead to HTTP request smuggling
(CVE-2021-43797)

* wildfly-core: Invalid Sensitivity Classification of Vault Expression
(CVE-2021-3644)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For on-premise installations, before applying the update, back up your
existing installation, including all applications, configuration files,
databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application
Server process before installing this update; after installing the update,
restart the server by starting the JBoss Application Server process.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1976052 - CVE-2021-3644 wildfly-core: Invalid Sensitivity Classification of Vault Expression
1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer
1982336 - CVE-2021-36373 ant: excessive memory allocation when reading a specially crafted TAR archive
1991305 - CVE-2021-3717 wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users
1995259 - CVE-2021-37714 jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way
2020583 - CVE-2021-2471 mysql-connector-java: unauthorized access to critical
2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling
2039903 - CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data
2069414 - CVE-2022-22950 spring-expression: Denial of service via specially crafted SpEL expression
2080850 - CVE-2022-25647 com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson

5. References:

https://access.redhat.com/security/cve/CVE-2021-2471
https://access.redhat.com/security/cve/CVE-2021-3642
https://access.redhat.com/security/cve/CVE-2021-3644
https://access.redhat.com/security/cve/CVE-2021-3717
https://access.redhat.com/security/cve/CVE-2021-22569
https://access.redhat.com/security/cve/CVE-2021-36373
https://access.redhat.com/security/cve/CVE-2021-37136
https://access.redhat.com/security/cve/CVE-2021-37137
https://access.redhat.com/security/cve/CVE-2021-37714
https://access.redhat.com/security/cve/CVE-2021-43797
https://access.redhat.com/security/cve/CVE-2022-22950
https://access.redhat.com/security/cve/CVE-2022-25647
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYuthq9zjgjWX9erEAQgQEg/+JzQ2kFiUqqXTe4CScQ9mAeLZBXJhzO3R
YXfJSCjuaa+Rs2xlatT73cIzSAyw/q2hNZjjcsdMdLtQaVPCeqg6dWHs9XORxHYi
zmN5XjoUUgcXz8o4EovTNdvPZt5T16fnQ992+8VtGt9rXK+iWs/txzBLESTArCdD
TZ8JWF09caN37s3OctjOAn3fYFHN9AjeiWlVP99VfCAHpooMX8eaCPcVEgMuMt1G
u8KzNqkPjr/Mwfm5okRsQo6BkjgKoxRSqugW9YkurcvwK/4R4hCdRToC6Q2LvbzS
lMdjGFYMmlrBPWtJ7JM/S/oAGwBO00tYbuhxpPtcJrDKWsDWSN0DZWhqWtjHspMt
MAZZC7SCbnDzTlr52ReYuP8NqEwKNe0EO0MAu8W5EYfBDiZeP2f1lEH59OVOujLQ
L2ghX/hZhM6npU1yHV+9SVKV33LkAyiyunBUPQnKJq0NfsIrLgRLBC00GIabYPSu
9wXhVJJMAaJr+HTvWut6QhJmF68zlio3Uvxh70c9gpejyYvwSUmA5UlHAJRkUTaI
5pzXH/1cDxTlJF1iMotIXyw7FQBi9nF/XOGFpNVc+O3Gt32IK4smbbgjMAJ9L0wI
lbxnxfBsDeI3uG+AdPMkB8M8NOHp0ZbvDQF8YMzlQ/efLOsnuFOUBhdCa3Uj3abN
PEkCgEOAjYs=WAVg
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    18 Files
  • 6
    Oct 6th
    16 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close