Red Hat 9042 Published by

A Red Hat Integration Camel for Spring Boot 3.20.1 security update has been released.



RHSA-2023:2100-01: Important: Red Hat Integration Camel for Spring Boot 3.20.1 security update



=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat Integration Camel for Spring Boot 3.20.1 security update
Advisory ID: RHSA-2023:2100-01
Product: Red Hat Integration
Advisory URL:   https://access.redhat.com/errata/RHSA-2023:2100
Issue date: 2023-05-03
CVE Names: CVE-2021-37533 CVE-2022-4492 CVE-2022-25857
CVE-2022-31777 CVE-2022-33681 CVE-2022-37865
CVE-2022-37866 CVE-2022-38398 CVE-2022-38648
CVE-2022-38749 CVE-2022-38750 CVE-2022-38751
CVE-2022-38752 CVE-2022-39368 CVE-2022-40146
CVE-2022-40150 CVE-2022-40151 CVE-2022-40152
CVE-2022-40156 CVE-2022-41704 CVE-2022-41852
CVE-2022-41853 CVE-2022-41854 CVE-2022-41881
CVE-2022-41966 CVE-2022-42003 CVE-2022-42004
CVE-2022-42890 CVE-2023-1370 CVE-2023-1436
CVE-2023-20860 CVE-2023-20861 CVE-2023-20863
CVE-2023-22602 CVE-2023-24998
=====================================================================

1. Summary:

Red Hat Integration Camel for Spring Boot 3.20.1 release and security
update is now available.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

This release of Camel for Spring Boot 3.20.1 serves as a replacement for
Camel for Spring Boot 3.18.3 and includes bug fixes and enhancements, which
are documented in the Release Notes document linked in the References.

The purpose of this text-only errata is to inform you about the security
issues fixed.

Security Fix(es):

* snakeyaml: Denial of Service due to missing nested depth limitation for
collections (CVE-2022-25857)

* JXPath: untrusted XPath expressions may lead to RCE attack
(CVE-2022-41852)

* hsqldb: Untrusted input may lead to RCE attack (CVE-2022-41853)

* xstream: Denial of Service by injecting recursive collections or maps
based on element's hash values raising a stack overflow (CVE-2022-41966)

* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
(CVE-2023-20860)

* apache-commons-net: FTP client trusts the host from PASV response by
default (CVE-2021-37533)

* undertow: Server identity in https connection is not checked by the
undertow client (CVE-2022-4492)

* apache-spark: XSS vulnerability in log viewer UI Javascript
(CVE-2022-31777)

* Apache Pulsar: Improper Hostname Verification in Java Client and Proxy
can expose authentication data via MITM (CVE-2022-33681)

* apache-ivy: Directory Traversal (CVE-2022-37865)

* : Apache Ivy: Ivy Path traversal (CVE-2022-37866)

* batik: Server-Side Request Forgery (CVE-2022-38398)

* batik: Server-Side Request Forgery (CVE-2022-38648)

* snakeyaml: Uncaught exception in
org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)

* snakeyaml: Uncaught exception in
org.yaml.snakeyaml.constructor.BaseConstructor.constructObject
(CVE-2022-38750)

* snakeyaml: Uncaught exception in
java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)

* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode
(CVE-2022-38752)

* scandium: Failing DTLS handshakes may cause throttling to block
processing of records (CVE-2022-39368)

* batik: Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-40146)

* xstream: Xstream to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40151)

* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40152)

* xstream: Xstream to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40156)

* batik: Apache XML Graphics Batik vulnerable to code execution via SVG
(CVE-2022-41704)

* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)

* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS
(CVE-2022-41881)

* jackson-databind: deep wrapper array nesting wrt
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

* batik: Untrusted code execution in Apache XML Graphics Batik
(CVE-2022-42890)

* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)

* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)

* shiro: Authentication bypass through a specially crafted HTTP request
(CVE-2023-22602)

* Apache Commons FileUpload: FileUpload DoS with excessive parts
(CVE-2023-24998)

* jettison: memory exhaustion via user-supplied XML or JSON data
(CVE-2022-40150)

* springframework: Spring Expression DoS Vulnerability (CVE-2023-20863)

* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart
(Resource Exhaustion) (CVE-2023-1370)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

  https://access.redhat.com/articles/11258

4. Bugs fixed (  https://bugzilla.redhat.com/):

2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections
2129706 - CVE-2022-38749 snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode
2129707 - CVE-2022-38750 snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject
2129709 - CVE-2022-38751 snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match
2129710 - CVE-2022-38752 snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode
2134288 - CVE-2022-40156 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks
2134291 - CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks
2134292 - CVE-2022-40151 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
2135770 - CVE-2022-40150 jettison: memory exhaustion via user-supplied XML or JSON data
2136128 - CVE-2022-41852 JXPath: untrusted XPath expressions may lead to RCE attack
2136141 - CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack
2136207 - CVE-2022-33681 Apache Pulsar: Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM
2145205 - CVE-2022-39368 scandium: Failing DTLS handshakes may cause throttling to block processing of records
2145264 - CVE-2022-31777 apache-spark: XSS vulnerability in log viewer UI Javascript
2150011 - CVE-2022-37866 : Apache Ivy: Ivy Path traversal
2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow
2153260 - CVE-2022-4492 undertow: Server identity in https connection is not checked by the undertow client
2153379 - CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS
2155291 - CVE-2022-40146 batik: Server-Side Request Forgery (SSRF) vulnerability
2155292 - CVE-2022-38398 batik: Server-Side Request Forgery
2155295 - CVE-2022-38648 batik: Server-Side Request Forgery
2169924 - CVE-2021-37533 apache-commons-net: FTP client trusts the host from PASV response by default
2170431 - CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow
2172298 - CVE-2023-24998 Apache Commons FileUpload: FileUpload DoS with excessive parts
2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
2180530 - CVE-2023-20861 springframework: Spring Expression DoS Vulnerability
2182182 - CVE-2022-41704 batik: Apache XML Graphics Batik vulnerable to code execution via SVG
2182183 - CVE-2022-42890 batik: Untrusted code execution in Apache XML Graphics Batik
2182188 - CVE-2022-37865 apache-ivy: Directory Traversal
2182198 - CVE-2023-22602 shiro: Authentication bypass through a specially crafted HTTP request
2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray
2187742 - CVE-2023-20863 springframework: Spring Expression DoS Vulnerability
2188542 - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)

5. References:

  https://access.redhat.com/security/cve/CVE-2021-37533
  https://access.redhat.com/security/cve/CVE-2022-4492
  https://access.redhat.com/security/cve/CVE-2022-25857
  https://access.redhat.com/security/cve/CVE-2022-31777
  https://access.redhat.com/security/cve/CVE-2022-33681
  https://access.redhat.com/security/cve/CVE-2022-37865
  https://access.redhat.com/security/cve/CVE-2022-37866
  https://access.redhat.com/security/cve/CVE-2022-38398
  https://access.redhat.com/security/cve/CVE-2022-38648
  https://access.redhat.com/security/cve/CVE-2022-38749
  https://access.redhat.com/security/cve/CVE-2022-38750
  https://access.redhat.com/security/cve/CVE-2022-38751
  https://access.redhat.com/security/cve/CVE-2022-38752
  https://access.redhat.com/security/cve/CVE-2022-39368
  https://access.redhat.com/security/cve/CVE-2022-40146
  https://access.redhat.com/security/cve/CVE-2022-40150
  https://access.redhat.com/security/cve/CVE-2022-40151
  https://access.redhat.com/security/cve/CVE-2022-40152
  https://access.redhat.com/security/cve/CVE-2022-40156
  https://access.redhat.com/security/cve/CVE-2022-41704
  https://access.redhat.com/security/cve/CVE-2022-41852
  https://access.redhat.com/security/cve/CVE-2022-41853
  https://access.redhat.com/security/cve/CVE-2022-41854
  https://access.redhat.com/security/cve/CVE-2022-41881
  https://access.redhat.com/security/cve/CVE-2022-41966
  https://access.redhat.com/security/cve/CVE-2022-42003
  https://access.redhat.com/security/cve/CVE-2022-42004
  https://access.redhat.com/security/cve/CVE-2022-42890
  https://access.redhat.com/security/cve/CVE-2023-1370
  https://access.redhat.com/security/cve/CVE-2023-1436
  https://access.redhat.com/security/cve/CVE-2023-20860
  https://access.redhat.com/security/cve/CVE-2023-20861
  https://access.redhat.com/security/cve/CVE-2023-20863
  https://access.redhat.com/security/cve/CVE-2023-22602
  https://access.redhat.com/security/cve/CVE-2023-24998
  https://access.redhat.com/security/updates/classification/#important
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.