ID

VAR-202202-0050

CVE

CVE-2022-25235

TITLE

Red Hat Security Advisory 2022-4668-01

DESCRIPTION

xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. Description: OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. Bugs fixed (https://bugzilla.redhat.com/): 1995656 - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic 2000478 - Using deprecated 1.25 API calls 2022742 - NNCP creation fails when node of a cluster is unavailable 2024938 - CVE-2021-41190 opencontainers: OCI manifest and index parsing confusion 2028619 - policy/v1beta1 PodDisruptionBudget is deprecated in v1.21+, unavailable in v1.25+ 2029359 - NodeNetworkConfigurationPolicy refreshes all the conditions even if the policy has not gone to that state 2032837 - Add/remove label to priority class are not reconciled properly left HCO in Unknown status. 2033385 - Bug in kubernetes labels that are attached to the CNV logs 2038814 - [CNV-4.10-rhel9] hyperconverged-cluster-cli-download pod CrashLoopBackOff state 2039019 - Fix Top consumers dashboard 2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter 2046686 - Importer pod keeps in retarting when dataimportcron has a reference to invalid image sha 2049990 - must-gather: must-gather is logging errors about upstream only namespaces 2053390 - No DataImportCron for CentOS 7 2054778 - PVC created with filesystem volume mode in some cases, instead of block volume mode 2054782 - DataImportCron status does not show failure when failing to create dataSource 2055304 - [4.10.z] nmstate interprets interface names as float64 and subsequently crashes on state update 2055950 - cnv installation should set empty node selector for openshift-cnv namespace 2056421 - non-privileged user cannot add disk as it cannot update resource "virtualmachines/addvolume" 2056464 - nmstate-webhook pods getting scheduled on the same node 2056619 - [4.10.z] kubemacpool-mac-controller-manager not ready 2057142 - CDI aggregate roles missing some types 2057148 - Cross namespace smart clone may get stuck in NamespaceTransferInProgress phase 2057613 - nmpolicy capture - race condition when appying teardown nncp; nnce fails 2059185 - must-gather: Must-gather gather_vms_details is not working when used with a list of vms 2059613 - Must-gather: for vms with longer name, gather_vms_details fails to collect qemu, dump xml logs 2062227 - sriovLiveMigration should not be enabled on sno clusters 2062321 - when update attempt of hco.spec with storage classes failed, csv git stuck in installing state 2063991 - On upgraded cluster, "v2v-vmware" is present under hco.status.relatedObject 2065308 - CNV disables LiveMigration FG, but leaves LiveMigration workloadUpdateStrategy enabled 2065743 - 4.10.1 containers 2065755 - 4.10.1 rpms 2066086 - DataImportCrons do not automatically recover from unconfigured default storage class 2066712 - [4.10.z] Migration of vm from VMware reports pvc not large enough 2069055 - [4.10.z] On an upgraded cluster NetworkAddonsConfig seems to be reconciling in a loop 2070050 - [4.10.1] Custom guest PCI address and boot order parameters are not respected in a list of multiple SR-IOV NICs 2073880 - Cannot create VM on SNO cluster as live migration feature is not enabled 2077920 - Migration in sequence can be reported as failed even when it succeeded 2078878 - SSP: Common templates fix to pick right templates 5. Description: Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications. Bugs fixed (https://bugzilla.redhat.com/): 2062751 - CVE-2022-24730 argocd: path traversal and improper access control allows leaking out-of-bound files 2062755 - CVE-2022-24731 argocd: path traversal allows leaking out-of-bound files 2064682 - CVE-2022-1025 Openshift-Gitops: Improper access control allows admin privilege escalation 5. This update provides security fixes, bug fixes, and updates the container images. Description: Red Hat Advanced Cluster Management for Kubernetes 2.4.3 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which provide some security fixes and bug fixes. See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.4/html/release_notes/ Security updates: * golang.org/x/crypto: empty plaintext packet causes panic (CVE-2021-43565) * nats-server: misusing the "dynamically provisioned sandbox accounts" feature authenticated user can obtain the privileges of the System account (CVE-2022-24450) * nanoid: Information disclosure via valueOf() function (CVE-2021-23566) * nodejs-shelljs: improper privilege management (CVE-2022-0144) * search-ui-container: follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor (CVE-2022-0155) * node-fetch: exposure of sensitive information to an unauthorized actor (CVE-2022-0235) * follow-redirects: Exposure of Sensitive Information via Authorization Header leak (CVE-2022-0536) * openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (CVE-2022-0778) * imgcrypt: Unauthorized access to encryted container image on a shared system due to missing check in CheckAuthorization() code path (CVE-2022-24778) * golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191) * opencontainers: OCI manifest and index parsing confusion (CVE-2021-41190) Related bugs: * RHACM 2.4.3 image files (BZ #2057249) * Observability - dashboard name contains `/` would cause error when generating dashboard cm (BZ #2032128) * ACM application placement fails after renaming the application name (BZ #2033051) * Disable the obs metric collect should not impact the managed cluster upgrade (BZ #2039197) * Observability - cluster list should only contain OCP311 cluster on OCP311 dashboard (BZ #2039820) * The value of name label changed from clusterclaim name to cluster name (BZ #2042223) * VMWare Cluster creation does not accept ecdsa-sha2-nistp521 ssh keys (BZ #2048500) * clusterSelector matchLabels spec are cleared when changing app name/namespace during creating an app in UI (BZ #2053211) * Application cluster status is not updated in UI after restoring (BZ #2053279) * OpenStack cluster creation is using deprecated floating IP config for 4.7+ (BZ #2056610) * The value of Vendor reported by cluster metrics was Other even if the vendor label in managedcluster was Openshift (BZ #2059039) * Subscriptions stop reconciling after channel secrets are recreated (BZ #2059954) * Placementrule is not reconciling on a new fresh environment (BZ #2074156) * The cluster claimed from clusterpool cannot auto imported (BZ #2074543) 3. Bugs fixed (https://bugzilla.redhat.com/): 2024938 - CVE-2021-41190 opencontainers: OCI manifest and index parsing confusion 2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic 2032128 - Observability - dashboard name contains `/` would cause error when generating dashboard cm 2033051 - ACM application placement fails after renaming the application name 2039197 - disable the obs metric collect should not impact the managed cluster upgrade 2039820 - Observability - cluster list should only contain OCP311 cluster on OCP311 dashboard 2042223 - the value of name label changed from clusterclaim name to cluster name 2043535 - CVE-2022-0144 nodejs-shelljs: improper privilege management 2044556 - CVE-2022-0155 follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor 2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor 2048500 - VMWare Cluster creation does not accept ecdsa-sha2-nistp521 ssh keys 2050853 - CVE-2021-23566 nanoid: Information disclosure via valueOf() function 2052573 - CVE-2022-24450 nats-server: misusing the "dynamically provisioned sandbox accounts" feature authenticated user can obtain the privileges of the System account 2053211 - clusterSelector matchLabels spec are cleared when changing app name/namespace during creating an app in UI 2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak 2053279 - Application cluster status is not updated in UI after restoring 2056610 - OpenStack cluster creation is using deprecated floating IP config for 4.7+ 2057249 - RHACM 2.4.3 images 2059039 - The value of Vendor reported by cluster metrics was Other even if the vendor label in managedcluster was Openshift 2059954 - Subscriptions stop reconciling after channel secrets are recreated 2062202 - CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates 2064702 - CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server 2069368 - CVE-2022-24778 imgcrypt: Unauthorized access to encryted container image on a shared system due to missing check in CheckAuthorization() code path 2074156 - Placementrule is not reconciling on a new fresh environment 2074543 - The cluster claimed from clusterpool can not auto imported 5. 8) - noarch 3. Description: Expat is a C library for parsing XML documents. The mingw-expat packages provide a port of the Expat library for MinGW. The following packages have been upgraded to a later upstream version: mingw-expat (2.4.8). 8.1) - ppc64le, x86_64 3. Description: Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.7.0. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: xmlrpc-c security update Advisory ID: RHSA-2022:1540-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2022:1540 Issue date: 2022-04-26 CVE Names: CVE-2022-25235 ===================================================================== 1. Summary: An update for xmlrpc-c is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat CodeReady Linux Builder EUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux BaseOS EUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64 3. Description: XML-RPC is a remote procedure call (RPC) protocol that uses XML to encode its calls and HTTP as a transport mechanism. The xmlrpc-c packages provide a network protocol to allow a client program to make a simple RPC (remote procedure call) over the Internet. It converts an RPC into an XML document, sends it to a remote server using HTTP, and gets back the response in XML. Security Fix(es): * expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution (CVE-2022-25235) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2056366 - CVE-2022-25235 expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution 6. Package List: Red Hat Enterprise Linux BaseOS EUS (v. 8.2): Source: xmlrpc-c-1.51.0-5.el8_2.1.src.rpm aarch64: xmlrpc-c-1.51.0-5.el8_2.1.aarch64.rpm xmlrpc-c-apps-debuginfo-1.51.0-5.el8_2.1.aarch64.rpm xmlrpc-c-c++-debuginfo-1.51.0-5.el8_2.1.aarch64.rpm xmlrpc-c-client++-debuginfo-1.51.0-5.el8_2.1.aarch64.rpm xmlrpc-c-client-1.51.0-5.el8_2.1.aarch64.rpm xmlrpc-c-client-debuginfo-1.51.0-5.el8_2.1.aarch64.rpm xmlrpc-c-debuginfo-1.51.0-5.el8_2.1.aarch64.rpm xmlrpc-c-debugsource-1.51.0-5.el8_2.1.aarch64.rpm ppc64le: xmlrpc-c-1.51.0-5.el8_2.1.ppc64le.rpm xmlrpc-c-apps-debuginfo-1.51.0-5.el8_2.1.ppc64le.rpm xmlrpc-c-c++-debuginfo-1.51.0-5.el8_2.1.ppc64le.rpm xmlrpc-c-client++-debuginfo-1.51.0-5.el8_2.1.ppc64le.rpm xmlrpc-c-client-1.51.0-5.el8_2.1.ppc64le.rpm xmlrpc-c-client-debuginfo-1.51.0-5.el8_2.1.ppc64le.rpm xmlrpc-c-debuginfo-1.51.0-5.el8_2.1.ppc64le.rpm xmlrpc-c-debugsource-1.51.0-5.el8_2.1.ppc64le.rpm s390x: xmlrpc-c-1.51.0-5.el8_2.1.s390x.rpm xmlrpc-c-apps-debuginfo-1.51.0-5.el8_2.1.s390x.rpm xmlrpc-c-c++-debuginfo-1.51.0-5.el8_2.1.s390x.rpm xmlrpc-c-client++-debuginfo-1.51.0-5.el8_2.1.s390x.rpm xmlrpc-c-client-1.51.0-5.el8_2.1.s390x.rpm xmlrpc-c-client-debuginfo-1.51.0-5.el8_2.1.s390x.rpm xmlrpc-c-debuginfo-1.51.0-5.el8_2.1.s390x.rpm xmlrpc-c-debugsource-1.51.0-5.el8_2.1.s390x.rpm x86_64: xmlrpc-c-1.51.0-5.el8_2.1.i686.rpm xmlrpc-c-1.51.0-5.el8_2.1.x86_64.rpm xmlrpc-c-apps-debuginfo-1.51.0-5.el8_2.1.i686.rpm xmlrpc-c-apps-debuginfo-1.51.0-5.el8_2.1.x86_64.rpm xmlrpc-c-c++-debuginfo-1.51.0-5.el8_2.1.i686.rpm xmlrpc-c-c++-debuginfo-1.51.0-5.el8_2.1.x86_64.rpm xmlrpc-c-client++-debuginfo-1.51.0-5.el8_2.1.i686.rpm xmlrpc-c-client++-debuginfo-1.51.0-5.el8_2.1.x86_64.rpm xmlrpc-c-client-1.51.0-5.el8_2.1.i686.rpm xmlrpc-c-client-1.51.0-5.el8_2.1.x86_64.rpm xmlrpc-c-client-debuginfo-1.51.0-5.el8_2.1.i686.rpm xmlrpc-c-client-debuginfo-1.51.0-5.el8_2.1.x86_64.rpm xmlrpc-c-debuginfo-1.51.0-5.el8_2.1.i686.rpm xmlrpc-c-debuginfo-1.51.0-5.el8_2.1.x86_64.rpm xmlrpc-c-debugsource-1.51.0-5.el8_2.1.i686.rpm xmlrpc-c-debugsource-1.51.0-5.el8_2.1.x86_64.rpm Red Hat CodeReady Linux Builder EUS (v. 8.2): aarch64: xmlrpc-c-apps-debuginfo-1.51.0-5.el8_2.1.aarch64.rpm xmlrpc-c-c++-1.51.0-5.el8_2.1.aarch64.rpm xmlrpc-c-c++-debuginfo-1.51.0-5.el8_2.1.aarch64.rpm xmlrpc-c-client++-1.51.0-5.el8_2.1.aarch64.rpm xmlrpc-c-client++-debuginfo-1.51.0-5.el8_2.1.aarch64.rpm xmlrpc-c-client-debuginfo-1.51.0-5.el8_2.1.aarch64.rpm xmlrpc-c-debuginfo-1.51.0-5.el8_2.1.aarch64.rpm xmlrpc-c-debugsource-1.51.0-5.el8_2.1.aarch64.rpm xmlrpc-c-devel-1.51.0-5.el8_2.1.aarch64.rpm ppc64le: xmlrpc-c-apps-debuginfo-1.51.0-5.el8_2.1.ppc64le.rpm xmlrpc-c-c++-1.51.0-5.el8_2.1.ppc64le.rpm xmlrpc-c-c++-debuginfo-1.51.0-5.el8_2.1.ppc64le.rpm xmlrpc-c-client++-1.51.0-5.el8_2.1.ppc64le.rpm xmlrpc-c-client++-debuginfo-1.51.0-5.el8_2.1.ppc64le.rpm xmlrpc-c-client-debuginfo-1.51.0-5.el8_2.1.ppc64le.rpm xmlrpc-c-debuginfo-1.51.0-5.el8_2.1.ppc64le.rpm xmlrpc-c-debugsource-1.51.0-5.el8_2.1.ppc64le.rpm xmlrpc-c-devel-1.51.0-5.el8_2.1.ppc64le.rpm s390x: xmlrpc-c-apps-debuginfo-1.51.0-5.el8_2.1.s390x.rpm xmlrpc-c-c++-1.51.0-5.el8_2.1.s390x.rpm xmlrpc-c-c++-debuginfo-1.51.0-5.el8_2.1.s390x.rpm xmlrpc-c-client++-1.51.0-5.el8_2.1.s390x.rpm xmlrpc-c-client++-debuginfo-1.51.0-5.el8_2.1.s390x.rpm xmlrpc-c-client-debuginfo-1.51.0-5.el8_2.1.s390x.rpm xmlrpc-c-debuginfo-1.51.0-5.el8_2.1.s390x.rpm xmlrpc-c-debugsource-1.51.0-5.el8_2.1.s390x.rpm xmlrpc-c-devel-1.51.0-5.el8_2.1.s390x.rpm x86_64: xmlrpc-c-apps-debuginfo-1.51.0-5.el8_2.1.i686.rpm xmlrpc-c-apps-debuginfo-1.51.0-5.el8_2.1.x86_64.rpm xmlrpc-c-c++-1.51.0-5.el8_2.1.i686.rpm xmlrpc-c-c++-1.51.0-5.el8_2.1.x86_64.rpm xmlrpc-c-c++-debuginfo-1.51.0-5.el8_2.1.i686.rpm xmlrpc-c-c++-debuginfo-1.51.0-5.el8_2.1.x86_64.rpm xmlrpc-c-client++-1.51.0-5.el8_2.1.i686.rpm xmlrpc-c-client++-1.51.0-5.el8_2.1.x86_64.rpm xmlrpc-c-client++-debuginfo-1.51.0-5.el8_2.1.i686.rpm xmlrpc-c-client++-debuginfo-1.51.0-5.el8_2.1.x86_64.rpm xmlrpc-c-client-debuginfo-1.51.0-5.el8_2.1.i686.rpm xmlrpc-c-client-debuginfo-1.51.0-5.el8_2.1.x86_64.rpm xmlrpc-c-debuginfo-1.51.0-5.el8_2.1.i686.rpm xmlrpc-c-debuginfo-1.51.0-5.el8_2.1.x86_64.rpm xmlrpc-c-debugsource-1.51.0-5.el8_2.1.i686.rpm xmlrpc-c-debugsource-1.51.0-5.el8_2.1.x86_64.rpm xmlrpc-c-devel-1.51.0-5.el8_2.1.i686.rpm xmlrpc-c-devel-1.51.0-5.el8_2.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2022-25235 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYmga9tzjgjWX9erEAQiBNg/9GM5tS+fh5NKoFDWH6r0YxnVsL2IPedN1 AV1KYGoJsAPU1z0MtZixPj5dNxKqcSomgl7GpLO4jkOKMhHktCipVS5tOzpGspY5 nAUKk5ANRH7AeQUJAnP0IaO28cVVerLZvk/ZxA5XcXCcdM8WofjQ8aXKk69T6ctX rKWR9Xw7MpOXxpV9xu2t+eU4MGeuONfqNclUYolUFpYv6JrPdzLCWmXNixCQGAPW D9d2gbLt80L+Z5JkBzZWSkSpItrQs3BD6wcgQIFxl7tgbOlsgo4H7qX4N4g1QgL+ 1V4E+fxlhnAg0vL4g7RG+GkfEesjJXEiUWFbd02beqWy4+G2B1GEYdH0HCp5NffH Y1RRz2hmaOh4QRBNnpvLQvKazqyGrLnk8bAQQIiYjNqceqR4IKYSMYlsHes7v1MJ 7/k6EKs3FrXlcJWpjwNXt2xHWw5Py9rIrlEMiS4ag0tbAhFPscs0TkFeAPCxSVtr oZRTOhwv/wHUb57/V9xMDr6POK5rLB3I2mb8L61169/ph+BM4NIziaDfr4q/5nvx oqWuxe99Q1GTX6+AoeGlZLkp4GY11/tRT+ZaLvNqsWZV98FUeJcXJAh/X0qaYcuF xAI5xHHv56GPOqGMwxEZO17TxeA35WDLvsYjM3mVfLblWsM4FGjKVBdqMBR9o0rn SA1L555kQjg= =Cvpq -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

overflow, code execution

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2025-03-12T19:31:51.203000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE