RedHat: RHSA-2023-0469:01 Moderate: Red Hat Integration Camel Extensions
Summary
Red Hat Integration - Camel Extensions for Quarkus 2.13.2 serves as a
replacement for 2.7 and includes the following security fixes.
Security Fix(es):
* jettison: memory exhaustion via user-supplied XML or JSON data
(CVE-2022-40150)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* commons-text: apache-commons-text: variable interpolation RCE
(CVE-2022-42889)
* xstream: Xstream to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40151)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40152)
* xstream: Xstream to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40153)
* xstream: Xstream to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40155)
* xstream: Xstream to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40156)
* xstream: Xstream to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40154)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Summary
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
References
https://access.redhat.com/security/cve/CVE-2022-40149 https://access.redhat.com/security/cve/CVE-2022-40150 https://access.redhat.com/security/cve/CVE-2022-40151 https://access.redhat.com/security/cve/CVE-2022-40152 https://access.redhat.com/security/cve/CVE-2022-40153 https://access.redhat.com/security/cve/CVE-2022-40154 https://access.redhat.com/security/cve/CVE-2022-40155 https://access.redhat.com/security/cve/CVE-2022-40156 https://access.redhat.com/security/cve/CVE-2022-42003 https://access.redhat.com/security/cve/CVE-2022-42004 https://access.redhat.com/security/cve/CVE-2022-42889 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q1 https://access.redhat.com/documentation/en-us/red_hat_integration/2023.q1
Package List
Topic
Red Hat Integration Camel Extensions for Quarkus 2.13.2 is now available.The purpose of this text-only errata is to inform you about the securityissues fixed.Red Hat Product Security has rated this update as having an impact ofModerate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.
Topic
Relevant Releases Architectures
Bugs Fixed
2128959 - CVE-2022-40154 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks
2134288 - CVE-2022-40156 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks
2134289 - CVE-2022-40155 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks
2134290 - CVE-2022-40153 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks
2134291 - CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks
2134292 - CVE-2022-40151 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
2135435 - CVE-2022-42889 apache-commons-text: variable interpolation RCE
2135770 - CVE-2022-40150 jettison: memory exhaustion via user-supplied XML or JSON data
2135771 - CVE-2022-40149 jettison: parser crash by stackoverflow