ID

VAR-202203-1400

CVE

CVE-2020-36518

TITLE

Red Hat Security Advisory 2022-5101-01

DESCRIPTION

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. Description: AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. Bugs fixed (https://bugzilla.redhat.com/): 1739497 - CVE-2019-10744 nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties 2028254 - CVE-2021-4040 AMQ Broker: Malformed message can result in partial DoS (OOM) 2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling 2063601 - CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 2075441 - CVE-2022-22968 Spring Framework: Data Binding Rules Vulnerability 2089406 - CVE-2022-1833 amq: AMQ Broker Operator ClusterWide Edit Permissions Due Token Exposure 5. Description: Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat Process Automation Manager 7.13.1 security update Advisory ID: RHSA-2022:6813-01 Product: Red Hat Process Automation Manager Advisory URL: https://access.redhat.com/errata/RHSA-2022:6813 Issue date: 2022-10-05 CVE Names: CVE-2020-7746 CVE-2020-36518 CVE-2021-23436 CVE-2021-44906 CVE-2022-0235 CVE-2022-0722 CVE-2022-1365 CVE-2022-1650 CVE-2022-2458 CVE-2022-21363 CVE-2022-21724 CVE-2022-23437 CVE-2022-23913 CVE-2022-24771 CVE-2022-24772 CVE-2022-24785 CVE-2022-26520 CVE-2022-31129 ===================================================================== 1. Summary: An update is now available for Red Hat Process Automation Manager. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services. This asynchronous security patch is an update to Red Hat Process Automation Manager 7. Security Fix(es): * chart.js: prototype pollution (CVE-2020-7746) * moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129) * package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 (CVE-2021-23436) * artemis-commons: Apache ActiveMQ Artemis DoS (CVE-2022-23913) * Business-central: Possible XML External Entity Injection attack (CVE-2022-2458) * cross-fetch: Exposure of Private Personal Information to an Unauthorized Actor (CVE-2022-1365) * jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518) * jdbc-postgresql: postgresql-jdbc: Arbitrary File Write Vulnerability (CVE-2022-26520) * jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes (CVE-2022-21724) * Moment.js: Path traversal in moment.locale (CVE-2022-24785) * org.drools-droolsjbpm-integration: minimist: prototype pollution (CVE-2021-44906) * org.kie.workbench-kie-wb-common: minimist: prototype pollution (CVE-2021-44906) * parse-url: Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository ionicabizau/parse-url (CVE-2022-0722) * xercesimpl: xerces-j2: infinite loop when handling specially crafted XML document payloads (CVE-2022-23437) * eventsource: Exposure of Sensitive Information (CVE-2022-1650) * mysql-connector-java: Difficult to exploit vulnerability allows a high privileged attacker with network access via multiple protocols to compromise MySQL Connectors (CVE-2022-21363) * node-fetch: exposure of sensitive information to an unauthorized actor (CVE-2022-0235) * node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery (CVE-2022-24772) * node-forge: Signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery (CVE-2022-24771) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. Red Hat recommends that you halt the server by stopping the JBoss Application Server process before installing this update. After installing the update, restart the server by starting the JBoss Application Server process. The References section of this erratum contains a download link. You must log in to download the update. 4. Bugs fixed (https://bugzilla.redhat.com/): 2041833 - CVE-2021-23436 immer: type confusion vulnerability can lead to a bypass of CVE-2020-28477 2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor 2047200 - CVE-2022-23437 xerces-j2: infinite loop when handling specially crafted XML document payloads 2047343 - CVE-2022-21363 mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors 2050863 - CVE-2022-21724 jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes 2063601 - CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS 2064007 - CVE-2022-26520 postgresql-jdbc: Arbitrary File Write Vulnerability 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 2066009 - CVE-2021-44906 minimist: prototype pollution 2067387 - CVE-2022-24771 node-forge: Signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery 2067458 - CVE-2022-24772 node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery 2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale 2076133 - CVE-2022-1365 cross-fetch: Exposure of Private Personal Information to an Unauthorized Actor 2085307 - CVE-2022-1650 eventsource: Exposure of Sensitive Information 2096966 - CVE-2020-7746 chart.js: prototype pollution 2103584 - CVE-2022-0722 parse-url: Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository ionicabizau/parse-url 2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS 2107994 - CVE-2022-2458 Business-central: Possible XML External Entity Injection attack 5. References: https://access.redhat.com/security/cve/CVE-2020-7746 https://access.redhat.com/security/cve/CVE-2020-36518 https://access.redhat.com/security/cve/CVE-2021-23436 https://access.redhat.com/security/cve/CVE-2021-44906 https://access.redhat.com/security/cve/CVE-2022-0235 https://access.redhat.com/security/cve/CVE-2022-0722 https://access.redhat.com/security/cve/CVE-2022-1365 https://access.redhat.com/security/cve/CVE-2022-1650 https://access.redhat.com/security/cve/CVE-2022-2458 https://access.redhat.com/security/cve/CVE-2022-21363 https://access.redhat.com/security/cve/CVE-2022-21724 https://access.redhat.com/security/cve/CVE-2022-23437 https://access.redhat.com/security/cve/CVE-2022-23913 https://access.redhat.com/security/cve/CVE-2022-24771 https://access.redhat.com/security/cve/CVE-2022-24772 https://access.redhat.com/security/cve/CVE-2022-24785 https://access.redhat.com/security/cve/CVE-2022-26520 https://access.redhat.com/security/cve/CVE-2022-31129 https://access.redhat.com/security/updates/classification/#important 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYz2bItzjgjWX9erEAQjghg/+IWxIByKM9Jd9SF+3RuzMy9vdHDNJnw64 eJBHE2op5F2IXv8Iqq5zYyTtv8zk6kKzsGjH/fGy3Ha8/4zn1vCCzMImsYIts0qt WI6WR3p/4OM9P++HVqoNd9ZfvXEw4l7+noj+2hDfWqtmu0TGfIcmgHpNGnqqisix Lbaw7H+s6QruFiTF6cpols+zT/7PsbSoeK3RcBhgVwJHyYz4hqwFS6g0/jyaOYKp pEM0AMJF6TrFRNWs/KVSYKPWAkC7XYCGN47DG6ac7jCSyOWaJi50ANcSXL8ITEdS 74PPhsicA/nhGjHf/QVBeqLiWPuBiPTaYBqkKP5YCduGLP+aJxXYeGCd9JOX1FZd KIk/B0XDHN4Pv4Puaim5x8WjZL4z6zSjnK60nXs2idbEmiBY+la6Dw1TYV2tA27G GWh+BaecKar1Crp8BTKuidFinDrN9FldfhRv7zS8gY8gLeTKyqaNFPdemzaGK7mD 5pGUVxwuB8mqu4ZsrCdfekXyikQ6NAXp69S1NQMIkNY6NVlBcSElj9hu5G++T3LR a0fDTTeTVtLcW9m9JNpKlRwfUrc2r3/ODuQJk0pIPfw3DTscNllqnHPWTUnPH4Gq 9CEEltjCrL/JLnpxHdYjxMWTB9XnnMi+yMziJnGRWA1v4NiYSPdjPkqZSsSBTFqC +TymeZzewhE= =Nji7 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Description: Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. CVE-2022-42003 In FasterXML jackson-databind resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. CVE-2022-42004 In FasterXML jackson-databind resource exhaustion can occur because of a lack of a check in BeanDeserializerBase.deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. For the stable distribution (bullseye), these problems have been fixed in version 2.12.1-1+deb11u1. We recommend that you upgrade your jackson-databind packages. For the detailed security status of jackson-databind please refer to its security tracker page at: https://security-tracker.debian.org/tracker/jackson-databind Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmN2F+5fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7 UeTcpQ//VTj9dn4OgfxhkETwsSvSNpSXbF3qdV2l7S4L7Bz9TWpdpUxR+FtnI+wF /j6w9o/hlanB/LoPR9Dphy3Mbz90Rp3/6T4or5IW6zWvLn5FoXMKuqnhJULxP1ae 91zUOi0U/v+2zr1t0vDh2eFOF4UwDcgoXVMkiUtsRml59EhsgvHPT7xtxq4/DkwJ zR3MO0eRgXgFmxdannGen01IPb5Jld1u86SJyOWCAJrJOM/8BCyozIL+AqtK7qZt BBYPa7zGWkCGW9qEZtYb/1qq0oHWL9xT8LAoaSBTzOhvg8DD6MyNQf25Z1fsWGHC f8ohPMbjYvuImK8moQTkyQr8oOWM0wAu0wYIHz7ds2XkdjakEgCx0UIa9Ah19ezE sD9BI/HOV7W19f+N8vcDU4qfr/qNFVh1PEmRR/D6oPnDd9DmlkuEesK+3v5M6nk7 67WXiQ8jMNrj50H2xZHjApwWhaHhkeK3eZMRZOUpkEvIffVlRHPkKA/e+kD3df8e ubR+cwK4m0LYB+wzYJUc22JuCC4WB5incrZ8923kkbLw6STOYarlZEyHScEcAgfN z/cPZgL7vYM8/3FYHJuBzCYC3Wjgm8aP9tQ2M8VhFidQdOfvOPDI2uPzvhDM2CZ8 GUcvHF2JrE5STz2nQvLEbC+b3YKFjPnk1d/HO3CHZmBlK08k+ic=Q/nd -----END PGP SIGNATURE----- . Solution: For OpenShift Container Platform 4.11 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update: https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html For Red Hat OpenShift Logging 5.5, see the following instructions to apply this update: https://docs.openshift.com/container-platform/4.11/logging/cluster-logging-upgrading.html 4. JIRA issues fixed (https://issues.jboss.org/): LOG-2860 - Error on LokiStack Components when forwarding logs to Loki on proxy cluster LOG-3131 - vector: kube API server certificate validation failure due to hostname mismatch LOG-3222 - [release-5.5] fluentd plugin for kafka ca-bundle secret doesn't support multiple CAs LOG-3226 - FluentdQueueLengthIncreasing rule failing to be evaluated. LOG-3284 - [release-5.5][Vector] logs parsed into structured when json is set without structured types. LOG-3287 - [release-5.5] Increase value of cluster-logging PriorityClass to move closer to system-cluster-critical value LOG-3301 - [release-5.5][ClusterLogging] elasticsearchStatus in ClusterLogging instance CR is not updated when Elasticsearch status is changed LOG-3305 - [release-5.5] Kibana Authentication Exception cookie issue LOG-3310 - [release-5.5] Can't choose correct CA ConfigMap Key when creating lokistack in Console LOG-3332 - [release-5.5] Reconcile error on controller when creating LokiStack with tls config 6. Relevant releases/architectures: Red Hat Enterprise Linux AppStream (v. 9) - noarch 3. Description: Jackson is a suite of data-processing tools for Java, including the flagship streaming JSON parser / generator library, matching data-binding library, and additional modules to process data encoded in various other data formats. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Package List: Red Hat Enterprise Linux AppStream (v. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Installation instructions are available from the Fuse 7.11.0 product documentation page: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/ 4

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

TYPE

code execution, xss

EXPLOIT AVAILABILITY

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2025-02-22T22:58:25.974000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE