Red Hat 9062 Published by

A Red Hat Process Automation Manager 7.13.4 security update has been released.



[RHSA-2023:4983-01] Important: Red Hat Process Automation Manager 7.13.4 security update


=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat Process Automation Manager 7.13.4 security update
Advisory ID: RHSA-2023:4983-01
Product: Red Hat Process Automation Manager
Advisory URL: https://access.redhat.com/errata/RHSA-2023:4983
Issue date: 2023-09-05
CVE Names: CVE-2021-30129 CVE-2022-3171 CVE-2022-25857
CVE-2022-37599 CVE-2022-38900 CVE-2022-40152
CVE-2022-42920 CVE-2022-45047 CVE-2023-0482
CVE-2023-20860 CVE-2023-20883
=====================================================================

1. Summary:

An update is now available for Red Hat Process Automation Manager.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which provides a detailed severity rating, is available for each
vulnerability from the CVE links in the References section.

2. Description:

Red Hat Process Automation Manager is an open source business process
management suite that combines process management and decision service
management and enables business and IT users to create, manage, validate,
and deploy process applications and decision services.

This asynchronous security patch is an update to Red Hat Process Automation
Manager 7.

Security Fixes:

* apache-bcel: Apache-Commons-BCEL: arbitrary bytecode produced via
out-of-bounds writing (CVE-2022-42920)

* decode-uri-component: improper input validation resulting in DoS
(CVE-2022-38900)

* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)

* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)

* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
(CVE-2023-20860)

* loader-utils: regular expression denial of service in interpolateName.js
(CVE-2022-37599)

* protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)

* snakeyaml: Denial of Service due to missing nested depth limitation for
collections (CVE-2022-25857)

* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40152)

* RESTEasy: creation of insecure temp files (CVE-2023-0482)

* sshd-core: mina-sshd-core: Memory leak denial of service in Apache Mina
SSHD Server (CVE-2021-30129)

For more details about the security issues, including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
pages listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed ( https://bugzilla.redhat.com/):

1981527 - CVE-2021-30129 mina-sshd-core: Memory leak denial of service in Apache Mina SSHD Server
2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections
2134291 - CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks
2134872 - CVE-2022-37599 loader-utils: regular expression denial of service in interpolateName.js
2137645 - CVE-2022-3171 protobuf-java: timeout in parser leads to DoS
2142707 - CVE-2022-42920 Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing
2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability
2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files
2170644 - CVE-2022-38900 decode-uri-component: improper input validation resulting in DoS
2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
2209342 - CVE-2023-20883 spring-boot: Spring Boot Welcome Page DoS Vulnerability

5. References:

https://access.redhat.com/security/cve/CVE-2021-30129
https://access.redhat.com/security/cve/CVE-2022-3171
https://access.redhat.com/security/cve/CVE-2022-25857
https://access.redhat.com/security/cve/CVE-2022-37599
https://access.redhat.com/security/cve/CVE-2022-38900
https://access.redhat.com/security/cve/CVE-2022-40152
https://access.redhat.com/security/cve/CVE-2022-42920
https://access.redhat.com/security/cve/CVE-2022-45047
https://access.redhat.com/security/cve/CVE-2023-0482
https://access.redhat.com/security/cve/CVE-2023-20860
https://access.redhat.com/security/cve/CVE-2023-20883
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is [secalert@redhat.com]. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.

--