exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2022-6813-01

Red Hat Security Advisory 2022-6813-01
Posted Oct 6, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-6813-01 - Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services. This asynchronous security patch is an update to Red Hat Process Automation Manager 7. Issues addressed include XML injection, bypass, denial of service, and traversal vulnerabilities.

tags | advisory, denial of service, vulnerability
systems | linux, redhat
advisories | CVE-2020-36518, CVE-2020-7746, CVE-2021-23436, CVE-2021-44906, CVE-2022-0235, CVE-2022-0722, CVE-2022-1365, CVE-2022-1650, CVE-2022-21363, CVE-2022-21724, CVE-2022-23437, CVE-2022-23913, CVE-2022-2458, CVE-2022-24771
SHA-256 | 521ec6e1f1c87dec24a2a646b415862945625ba71bf278184f8111f74b3e7c2d

Red Hat Security Advisory 2022-6813-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat Process Automation Manager 7.13.1 security update
Advisory ID: RHSA-2022:6813-01
Product: Red Hat Process Automation Manager
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6813
Issue date: 2022-10-05
CVE Names: CVE-2020-7746 CVE-2020-36518 CVE-2021-23436
CVE-2021-44906 CVE-2022-0235 CVE-2022-0722
CVE-2022-1365 CVE-2022-1650 CVE-2022-2458
CVE-2022-21363 CVE-2022-21724 CVE-2022-23437
CVE-2022-23913 CVE-2022-24771 CVE-2022-24772
CVE-2022-24785 CVE-2022-26520 CVE-2022-31129
=====================================================================

1. Summary:

An update is now available for Red Hat Process Automation Manager.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat Process Automation Manager is an open source business process
management suite that combines process management and decision service
management and enables business and IT users to create, manage, validate,
and deploy process applications and decision services.

This asynchronous security patch is an update to Red Hat Process Automation
Manager 7.

Security Fix(es):

* chart.js: prototype pollution (CVE-2020-7746)

* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)

* package immer before 9.0.6. A type confusion vulnerability can lead to a
bypass of CVE-2020-28477 (CVE-2021-23436)

* artemis-commons: Apache ActiveMQ Artemis DoS (CVE-2022-23913)

* Business-central: Possible XML External Entity Injection attack
(CVE-2022-2458)

* cross-fetch: Exposure of Private Personal Information to an Unauthorized
Actor (CVE-2022-1365)

* jackson-databind: denial of service via a large depth of nested objects
(CVE-2020-36518)

* jdbc-postgresql: postgresql-jdbc: Arbitrary File Write Vulnerability
(CVE-2022-26520)

* jdbc-postgresql: Unchecked Class Instantiation when providing Plugin
Classes (CVE-2022-21724)

* Moment.js: Path traversal in moment.locale (CVE-2022-24785)

* org.drools-droolsjbpm-integration: minimist: prototype pollution
(CVE-2021-44906)

* org.kie.workbench-kie-wb-common: minimist: prototype pollution
(CVE-2021-44906)

* parse-url: Exposure of Sensitive Information to an Unauthorized Actor in
GitHub repository ionicabizau/parse-url (CVE-2022-0722)

* xercesimpl: xerces-j2: infinite loop when handling specially crafted XML
document payloads (CVE-2022-23437)

* eventsource: Exposure of Sensitive Information (CVE-2022-1650)

* mysql-connector-java: Difficult to exploit vulnerability allows a high
privileged attacker with network access via multiple protocols to
compromise MySQL Connectors (CVE-2022-21363)

* node-fetch: exposure of sensitive information to an unauthorized actor
(CVE-2022-0235)

* node-forge: Signature verification failing to check tailing garbage bytes
can lead to signature forgery (CVE-2022-24772)

* node-forge: Signature verification leniency in checking `digestAlgorithm`
structure can lead to signature forgery (CVE-2022-24771)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For on-premise installations, before applying the update, back up your
existing installation, including all applications, configuration files,
databases and database settings, and so on.

Red Hat recommends that you halt the server by stopping the JBoss
Application Server process before installing this update. After installing
the update, restart the server by starting the JBoss Application Server
process.

The References section of this erratum contains a download link. You must
log in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

2041833 - CVE-2021-23436 immer: type confusion vulnerability can lead to a bypass of CVE-2020-28477
2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor
2047200 - CVE-2022-23437 xerces-j2: infinite loop when handling specially crafted XML document payloads
2047343 - CVE-2022-21363 mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors
2050863 - CVE-2022-21724 jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes
2063601 - CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS
2064007 - CVE-2022-26520 postgresql-jdbc: Arbitrary File Write Vulnerability
2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects
2066009 - CVE-2021-44906 minimist: prototype pollution
2067387 - CVE-2022-24771 node-forge: Signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery
2067458 - CVE-2022-24772 node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery
2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale
2076133 - CVE-2022-1365 cross-fetch: Exposure of Private Personal Information to an Unauthorized Actor
2085307 - CVE-2022-1650 eventsource: Exposure of Sensitive Information
2096966 - CVE-2020-7746 chart.js: prototype pollution
2103584 - CVE-2022-0722 parse-url: Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository ionicabizau/parse-url
2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS
2107994 - CVE-2022-2458 Business-central: Possible XML External Entity Injection attack

5. References:

https://access.redhat.com/security/cve/CVE-2020-7746
https://access.redhat.com/security/cve/CVE-2020-36518
https://access.redhat.com/security/cve/CVE-2021-23436
https://access.redhat.com/security/cve/CVE-2021-44906
https://access.redhat.com/security/cve/CVE-2022-0235
https://access.redhat.com/security/cve/CVE-2022-0722
https://access.redhat.com/security/cve/CVE-2022-1365
https://access.redhat.com/security/cve/CVE-2022-1650
https://access.redhat.com/security/cve/CVE-2022-2458
https://access.redhat.com/security/cve/CVE-2022-21363
https://access.redhat.com/security/cve/CVE-2022-21724
https://access.redhat.com/security/cve/CVE-2022-23437
https://access.redhat.com/security/cve/CVE-2022-23913
https://access.redhat.com/security/cve/CVE-2022-24771
https://access.redhat.com/security/cve/CVE-2022-24772
https://access.redhat.com/security/cve/CVE-2022-24785
https://access.redhat.com/security/cve/CVE-2022-26520
https://access.redhat.com/security/cve/CVE-2022-31129
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYz2bItzjgjWX9erEAQjghg/+IWxIByKM9Jd9SF+3RuzMy9vdHDNJnw64
eJBHE2op5F2IXv8Iqq5zYyTtv8zk6kKzsGjH/fGy3Ha8/4zn1vCCzMImsYIts0qt
WI6WR3p/4OM9P++HVqoNd9ZfvXEw4l7+noj+2hDfWqtmu0TGfIcmgHpNGnqqisix
Lbaw7H+s6QruFiTF6cpols+zT/7PsbSoeK3RcBhgVwJHyYz4hqwFS6g0/jyaOYKp
pEM0AMJF6TrFRNWs/KVSYKPWAkC7XYCGN47DG6ac7jCSyOWaJi50ANcSXL8ITEdS
74PPhsicA/nhGjHf/QVBeqLiWPuBiPTaYBqkKP5YCduGLP+aJxXYeGCd9JOX1FZd
KIk/B0XDHN4Pv4Puaim5x8WjZL4z6zSjnK60nXs2idbEmiBY+la6Dw1TYV2tA27G
GWh+BaecKar1Crp8BTKuidFinDrN9FldfhRv7zS8gY8gLeTKyqaNFPdemzaGK7mD
5pGUVxwuB8mqu4ZsrCdfekXyikQ6NAXp69S1NQMIkNY6NVlBcSElj9hu5G++T3LR
a0fDTTeTVtLcW9m9JNpKlRwfUrc2r3/ODuQJk0pIPfw3DTscNllqnHPWTUnPH4Gq
9CEEltjCrL/JLnpxHdYjxMWTB9XnnMi+yMziJnGRWA1v4NiYSPdjPkqZSsSBTFqC
+TymeZzewhE=
=Nji7
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close