Red Hat 9062 Published by

A Red Hat integration Camel extensions for Quarkus security update has been released.



RHSA-2023:0469-01: Moderate: Red Hat Integration Camel Extensions For Quarkus 2.13.2



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat Integration Camel Extensions For Quarkus 2.13.2
Advisory ID: RHSA-2023:0469-01
Product: Red Hat Integration
Advisory URL:   https://access.redhat.com/errata/RHSA-2023:0469
Issue date: 2023-01-26
CVE Names: CVE-2022-40149 CVE-2022-40150 CVE-2022-40151
CVE-2022-40152 CVE-2022-40153 CVE-2022-40154
CVE-2022-40155 CVE-2022-40156 CVE-2022-42003
CVE-2022-42004 CVE-2022-42889
=====================================================================

1. Summary:

Red Hat Integration Camel Extensions for Quarkus 2.13.2 is now available.
The purpose of this text-only errata is to inform you about the security
issues fixed.

Red Hat Product Security has rated this update as having an impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat Integration - Camel Extensions for Quarkus 2.13.2 serves as a
replacement for 2.7 and includes the following security fixes.

Security Fix(es):

* jettison: memory exhaustion via user-supplied XML or JSON data
(CVE-2022-40150)

* jettison: parser crash by stackoverflow (CVE-2022-40149)

* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

* jackson-databind: deep wrapper array nesting wrt
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

* commons-text: apache-commons-text: variable interpolation RCE
(CVE-2022-42889)

* xstream: Xstream to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40151)

* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40152)

* xstream: Xstream to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40153)

* xstream: Xstream to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40155)

* xstream: Xstream to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40156)

* xstream: Xstream to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40154)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

  https://access.redhat.com/articles/11258

4. Bugs fixed (  https://bugzilla.redhat.com/):

2128959 - CVE-2022-40154 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks
2134288 - CVE-2022-40156 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks
2134289 - CVE-2022-40155 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks
2134290 - CVE-2022-40153 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks
2134291 - CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks
2134292 - CVE-2022-40151 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
2135435 - CVE-2022-42889 apache-commons-text: variable interpolation RCE
2135770 - CVE-2022-40150 jettison: memory exhaustion via user-supplied XML or JSON data
2135771 - CVE-2022-40149 jettison: parser crash by stackoverflow

5. References:

  https://access.redhat.com/security/cve/CVE-2022-40149
  https://access.redhat.com/security/cve/CVE-2022-40150
  https://access.redhat.com/security/cve/CVE-2022-40151
  https://access.redhat.com/security/cve/CVE-2022-40152
  https://access.redhat.com/security/cve/CVE-2022-40153
  https://access.redhat.com/security/cve/CVE-2022-40154
  https://access.redhat.com/security/cve/CVE-2022-40155
  https://access.redhat.com/security/cve/CVE-2022-40156
  https://access.redhat.com/security/cve/CVE-2022-42003
  https://access.redhat.com/security/cve/CVE-2022-42004
  https://access.redhat.com/security/cve/CVE-2022-42889
  https://access.redhat.com/security/updates/classification/#moderate
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q1
  https://access.redhat.com/documentation/en-us/red_hat_integration/2023.q1

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.