-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Service Registry (container images) release and security update [2.3.0.GA]
Advisory ID:       RHSA-2022:6835-01
Product:           Red Hat Integration
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6835
Issue date:        2022-10-06
CVE Names:         CVE-2021-22569 CVE-2021-37136 CVE-2021-37137
                   CVE-2021-41269 CVE-2022-0235 CVE-2022-0536
                   CVE-2022-0981 CVE-2022-21724 CVE-2022-23647
                   CVE-2022-24771 CVE-2022-24772 CVE-2022-24773
                   CVE-2022-25647 CVE-2022-25857 CVE-2022-25858
                   CVE-2022-26520 CVE-2022-31129 CVE-2022-37734
=====================================================================

1. Summary:

An update to the images for Red Hat Integration Service Registry is now
available from the Red Hat Container Catalog. The purpose of this
text-only errata is to inform you about the security issues fixed in this
release.

Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

2. Description:

This release of Red Hat Integration - Service Registry 2.3.0.GA serves as
a replacement for 2.0.3.GA, and includes the security fixes listed below.

Security Fix(es):

* cron-utils: template Injection leading to unauthenticated Remote Code
Execution (CVE-2021-41269)

* prismjs: improperly escaped output allows a XSS (CVE-2022-23647)

* snakeyaml: Denial of Service due to missing nested depth limitation for
collections (CVE-2022-25857)

* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)

* protobuf-java: potential DoS in the parsing procedure for binary data
(CVE-2021-22569)

* quarkus: privilege escalation vulnerability with RestEasy Reactive scope
leakage in Quarkus (CVE-2022-0981)

* quarkus-jdbc-postgresql-deployment: jdbc-postgresql: Unchecked Class
Instantiation when providing Plugin Classes (CVE-2022-21724)

* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may
buffer skippable chunks in an unnecessary way (CVE-2021-37137)

* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for
decompressed data (CVE-2021-37136)

* node-fetch: exposure of sensitive information to an unauthorized actor
(CVE-2022-0235)

* follow-redirects: Exposure of Sensitive Information via Authorization
Header leak (CVE-2022-0536)

* jdbc-postgresql: postgresql-jdbc: Arbitrary File Write Vulnerability
(CVE-2022-26520)

* node-forge: Signature verification leniency in checking `digestAlgorithm`
structure can lead to signature forgery (CVE-2022-24771)

* node-forge: Signature verification failing to check tailing garbage
bytes can lead to signature forgery (CVE-2022-24772)

* node-forge: Signature verification leniency in checking `DigestInfo`
structure (CVE-2022-24773)

* com.google.code.gson-gson: Deserialization of Untrusted Data in
com.google.code.gson-gson (CVE-2022-25647)

* terser: insecure use of regular expressions leads to ReDoS
(CVE-2022-25858)

* graphql-java: DoS by malicious query (CVE-2022-37734)

For more details about the security issue(s), including the impact, a
CVSS score, acknowledgments, and other related information, refer to the
CVE page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way
2024632 - CVE-2021-41269 cron-utils: template Injection leading to unauthenticated Remote Code Execution
2039903 - CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data
2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor
2050863 - CVE-2022-21724 jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes
2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak
2056643 - CVE-2022-23647 prismjs: improperly escaped output allows a XSS
2062520 - CVE-2022-0981 quarkus: privilege escalation vulnerability with RestEasy Reactive scope leakage in Quarkus
2064007 - CVE-2022-26520 postgresql-jdbc: Arbitrary File Write Vulnerability
2067387 - CVE-2022-24771 node-forge: Signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery
2067458 - CVE-2022-24772 node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery
2067461 - CVE-2022-24773 node-forge: Signature verification leniency in checking `DigestInfo` structure
2080850 - CVE-2022-25647 com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson
2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS
2126277 - CVE-2022-25858 terser: insecure use of regular expressions leads to ReDoS
2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections
2126809 - CVE-2022-37734 graphql-java: DoS by malicious query

5. References:

https://access.redhat.com/security/cve/CVE-2021-22569
https://access.redhat.com/security/cve/CVE-2021-37136
https://access.redhat.com/security/cve/CVE-2021-37137
https://access.redhat.com/security/cve/CVE-2021-41269
https://access.redhat.com/security/cve/CVE-2022-0235
https://access.redhat.com/security/cve/CVE-2022-0536
https://access.redhat.com/security/cve/CVE-2022-0981
https://access.redhat.com/security/cve/CVE-2022-21724
https://access.redhat.com/security/cve/CVE-2022-23647
https://access.redhat.com/security/cve/CVE-2022-24771
https://access.redhat.com/security/cve/CVE-2022-24772
https://access.redhat.com/security/cve/CVE-2022-24773
https://access.redhat.com/security/cve/CVE-2022-25647
https://access.redhat.com/security/cve/CVE-2022-25857
https://access.redhat.com/security/cve/CVE-2022-25858
https://access.redhat.com/security/cve/CVE-2022-26520
https://access.redhat.com/security/cve/CVE-2022-31129
https://access.redhat.com/security/cve/CVE-2022-37734
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce