-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Process Automation Manager 7.13.4 security update
Advisory ID:       RHSA-2023:4983-01
Product:           Red Hat Process Automation Manager
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4983
Issue date:        2023-09-05
CVE Names:         CVE-2021-30129 CVE-2022-3171 CVE-2022-25857 
                   CVE-2022-37599 CVE-2022-38900 CVE-2022-40152 
                   CVE-2022-42920 CVE-2022-45047 CVE-2023-0482 
                   CVE-2023-20860 CVE-2023-20883 
=====================================================================

1. Summary:

An update is now available for Red Hat Process Automation Manager.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which provides a detailed severity rating, is available for each
vulnerability from the CVE links in the References section.

2. Description:

Red Hat Process Automation Manager is an open source business process
management suite that combines process management and decision service
management and enables business and IT users to create, manage, validate,
and deploy process applications and decision services.

This asynchronous security patch is an update to Red Hat Process Automation
Manager 7.

Security Fixes:

* apache-bcel: Apache-Commons-BCEL: arbitrary bytecode produced via
out-of-bounds writing (CVE-2022-42920)

* decode-uri-component: improper input validation resulting in DoS
(CVE-2022-38900)

* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)

* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)

* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
(CVE-2023-20860)

* loader-utils: regular expression denial of service in interpolateName.js
(CVE-2022-37599)

* protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)

* snakeyaml: Denial of Service due to missing nested depth limitation for
collections (CVE-2022-25857)

* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40152)

* RESTEasy: creation of insecure temp files (CVE-2023-0482)

* sshd-core: mina-sshd-core: Memory leak denial of service in Apache Mina
SSHD Server (CVE-2021-30129)

For more details about the security issues, including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
pages listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1981527 - CVE-2021-30129 mina-sshd-core: Memory leak denial of service in Apache Mina SSHD Server
2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections
2134291 - CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks
2134872 - CVE-2022-37599 loader-utils: regular expression denial of service in interpolateName.js
2137645 - CVE-2022-3171 protobuf-java: timeout in parser leads to DoS
2142707 - CVE-2022-42920 Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing
2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability
2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files
2170644 - CVE-2022-38900 decode-uri-component: improper input validation resulting in DoS
2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
2209342 - CVE-2023-20883 spring-boot: Spring Boot Welcome Page DoS Vulnerability

5. References:

https://access.redhat.com/security/cve/CVE-2021-30129
https://access.redhat.com/security/cve/CVE-2022-3171
https://access.redhat.com/security/cve/CVE-2022-25857
https://access.redhat.com/security/cve/CVE-2022-37599
https://access.redhat.com/security/cve/CVE-2022-38900
https://access.redhat.com/security/cve/CVE-2022-40152
https://access.redhat.com/security/cve/CVE-2022-42920
https://access.redhat.com/security/cve/CVE-2022-45047
https://access.redhat.com/security/cve/CVE-2023-0482
https://access.redhat.com/security/cve/CVE-2023-20860
https://access.redhat.com/security/cve/CVE-2023-20883
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJk93yjAAoJENzjgjWX9erEKqgP/1UlycSBys8Kqyupt2ZTt6Dc
9sWam6CyTWid71F4d/NrZlNEZ8hyHVyH4/IDaA7t6VnwbdMJZC3GqOA87sh0AXM9
uNSSwjQ/KHdhVfl7gST/YOdWSrKqG8WN405f0gIQNL7HOtYkFnzjQEI1mNeIy4OM
c+gVKOpukuJcOd/Nol/dTeTgrWh95GVajDoIFdH2NVs6u2iYvrG549q7Ja2DBWri
KSbVwyANrFuXSiQn/F17wOmp7MtabMR+Q6ZE7SnuKHVfBDxTKcp3JUOZ37rB0xMk
YRu+DHpVuQWMcLBN0IHHM+qfoAL8WwI+YWs+qwMze29AZbCDDwBxe8p3Ml5/iTmZ
vrms3iy99JqkbQS34lhEmmVNTk26no63boIdpuRURj1pHOTkcihtcBMU+IwmOEjy
xfaROWy7EmI/IqQUt6kNhlaWjOWuZ+O3v2L2an9h+3+ZrMRolu8X2kYed98brSkc
G2rooLO5nxIltW6F1iYo2DNYapvb+1KXDnyjW2RH4myQTiFb7vqI3aK/+wFmcxhD
6vXGedukV+ylBVr6kay/wAbETrvuEpD1ekch7nSQkVsfhj2ogbM67uvFW0DggGmx
TB+KnZonBSa+z1s+lyFfYO06htRZzfKXHyhmuGbF0gFm2N1ySjulLMM8ATo85Wc2
gylNKjGyvndPEI09+thC
=+EvW
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce