-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Integration Camel for Spring Boot 3.18.3 Patch 2 release
Advisory ID:       RHSA-2023:3641-01
Product:           Red Hat Integration
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3641
Issue date:        2023-06-15
CVE Names:         CVE-2022-25857 CVE-2022-38749 CVE-2022-38750 
                   CVE-2022-38751 CVE-2022-38752 CVE-2022-40152 
                   CVE-2022-40156 CVE-2022-41854 CVE-2022-42003 
                   CVE-2022-42004 CVE-2022-45047 CVE-2022-46363 
                   CVE-2022-46364 CVE-2023-1370 CVE-2023-1436 
                   CVE-2023-20883 
====================================================================
1. Summary:

Camel for Spring Boot 3.18.3 Patch 2 release and security update is now
available.

Red Hat Product Security has rated this update as having an impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

This release of Camel for Spring Boot 3.18.3.P2 serves as a replacement for
Camel for Spring Boot 3.18.3.P1 and includes bug fixes and enhancements,
which are documented in the Release Notes linked in the References. The
purpose of this text-only errata is to inform you about the security issues
fixed.

* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)

* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40152)

* xstream: Xstream to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40156)

* dev-java-snakeyaml: dev-java/snakeyaml: DoS via stack overflow
(CVE-2022-41854)

* snakeyaml: Denial of Service due to missing nested depth limitation for
collections (CVE-2022-25857)

* sshd-common: mina-sshd: Java unsafe deserialization vulnerability
(CVE-2022-45047)

* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)

* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart
(Resource Exhaustion) (CVE-2023-1370)

* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

* jackson-databind: deep wrapper array nesting wrt
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

* snakeyaml: Uncaught exception in
org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)

* snakeyaml: Uncaught exception in
org.yaml.snakeyaml.constructor.BaseConstructor.constructObject
(CVE-2022-38750)

* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern.match
(CVE-2022-38751)

* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode
(CVE-2022-38752)

* snakeyaml: Denial of Service due to missing nested depth limitation for
collections (CVE-2022-25857)

* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)

* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections
2129706 - CVE-2022-38749 snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode
2129707 - CVE-2022-38750 snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject
2129709 - CVE-2022-38751 snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match
2129710 - CVE-2022-38752 snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode
2134288 - CVE-2022-40156 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks
2134291 - CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability
2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow
2155681 - CVE-2022-46363 Apache CXF: directory listing / code exfiltration
2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability
2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray
2188542 - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)
2209342 - CVE-2023-20883 spring-boot: Spring Boot Welcome Page DoS Vulnerability

5. References:

https://access.redhat.com/security/cve/CVE-2022-25857
https://access.redhat.com/security/cve/CVE-2022-38749
https://access.redhat.com/security/cve/CVE-2022-38750
https://access.redhat.com/security/cve/CVE-2022-38751
https://access.redhat.com/security/cve/CVE-2022-38752
https://access.redhat.com/security/cve/CVE-2022-40152
https://access.redhat.com/security/cve/CVE-2022-40156
https://access.redhat.com/security/cve/CVE-2022-41854
https://access.redhat.com/security/cve/CVE-2022-42003
https://access.redhat.com/security/cve/CVE-2022-42004
https://access.redhat.com/security/cve/CVE-2022-45047
https://access.redhat.com/security/cve/CVE-2022-46363
https://access.redhat.com/security/cve/CVE-2022-46364
https://access.redhat.com/security/cve/CVE-2023-1370
https://access.redhat.com/security/cve/CVE-2023-1436
https://access.redhat.com/security/cve/CVE-2023-20883
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZItdGNzjgjWX9erEAQhc7A/+PfKtOHtO40HR87HLkZdBROVscSVLLgYJ
y0yTSOnpx2ccBCkpvEA6+7nzu8l3IZFrmAuSkzMJN84oWVyrzRi+BcrAfAB0J7Il
ItShHVcEJvSzNDrDb9BZ37awga9w/rEkx6h8DwdItClBIlGyaTHhL7dF1XrWSbti
1Nes6J/FSTVjiW7PDbjb3IL9wB6NAkU+X0vJaOn9DWiInOiAlttaxdupy4GfwO7c
5tg4po/h2IxCcz7TEHri+Oiyucc014cedEeSizguKqYs16rspagFZGYcM460Qrg/
cYRPU6NwcYc/tfDubiWle3U7hYbzmY6+DffVS9ksTXz66W2jwWkn1SRJTnk4RsC8
hWnbxkYcPL24T3gCivZyrRgIX3VDi3RNRR7aYzNR+fWi790noi4Zz0smnO95w2XA
vyfIRZLfCsgWnKPWo2E8tzanm3jfyorpBao6HvMeKcFhfPFV7Y8ERDNDoS7huU4H
67NWwTThGGNawChpLxCOkhaIB/tPMAU9EulswBZbRpRXWXaTG8+/OCGO4dZ3x+Wq
RKybaXvqhIFFITP4gu5XraX/Y/ZbxRi9Qp0w7L0X3lvDE8GQqu2rZ2nSh9oRRKJE
g7/7LGWtHMS8GfcvnBdlbl1a4NXKLkfLZjaZytAjoj9Yr2A8blAIe8fjRpan8Xmq
s4LHK2NgW6M=jD7D
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-3641:01 Important: Red Hat Integration Camel for Spring

Camel for Spring Boot 3.18.3 Patch 2 release and security update is now available

Summary

This release of Camel for Spring Boot 3.18.3.P2 serves as a replacement for Camel for Spring Boot 3.18.3.P1 and includes bug fixes and enhancements, which are documented in the Release Notes linked in the References. The purpose of this text-only errata is to inform you about the security issues fixed.
* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)
* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40156)
* dev-java-snakeyaml: dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2022-25857 https://access.redhat.com/security/cve/CVE-2022-38749 https://access.redhat.com/security/cve/CVE-2022-38750 https://access.redhat.com/security/cve/CVE-2022-38751 https://access.redhat.com/security/cve/CVE-2022-38752 https://access.redhat.com/security/cve/CVE-2022-40152 https://access.redhat.com/security/cve/CVE-2022-40156 https://access.redhat.com/security/cve/CVE-2022-41854 https://access.redhat.com/security/cve/CVE-2022-42003 https://access.redhat.com/security/cve/CVE-2022-42004 https://access.redhat.com/security/cve/CVE-2022-45047 https://access.redhat.com/security/cve/CVE-2022-46363 https://access.redhat.com/security/cve/CVE-2022-46364 https://access.redhat.com/security/cve/CVE-2023-1370 https://access.redhat.com/security/cve/CVE-2023-1436 https://access.redhat.com/security/cve/CVE-2023-20883 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2

Package List


Severity
Advisory ID: RHSA-2023:3641-01
Product: Red Hat Integration
Advisory URL: https://access.redhat.com/errata/RHSA-2023:3641
Issued Date: : 2023-06-15
CVE Names: CVE-2022-25857 CVE-2022-38749 CVE-2022-38750 CVE-2022-38751 CVE-2022-38752 CVE-2022-40152 CVE-2022-40156 CVE-2022-41854 CVE-2022-42003 CVE-2022-42004 CVE-2022-45047 CVE-2022-46363 CVE-2022-46364 CVE-2023-1370 CVE-2023-1436 CVE-2023-20883

Topic

Camel for Spring Boot 3.18.3 Patch 2 release and security update is nowavailable.Red Hat Product Security has rated this update as having an impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections

2129706 - CVE-2022-38749 snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode

2129707 - CVE-2022-38750 snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject

2129709 - CVE-2022-38751 snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match

2129710 - CVE-2022-38752 snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode

2134288 - CVE-2022-40156 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks

2134291 - CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks

2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS

2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays

2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability

2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow

2155681 - CVE-2022-46363 Apache CXF: directory listing / code exfiltration

2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability

2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray

2188542 - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)

2209342 - CVE-2023-20883 spring-boot: Spring Boot Welcome Page DoS Vulnerability


Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved