ID

VAR-202203-1400

CVE

CVE-2020-36518

TITLE

Red Hat Security Advisory 2022-5596-01

DESCRIPTION

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. For more information, see the release notes page listed in the References section. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link for the update. You must be logged in to download the update. LOG-3252 - [release-5.4]Adding Valid Subscription Annotation 6. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat OpenShift (Logging Subsystem) security update Advisory ID: RHSA-2023:0264-01 Product: Logging Subsystem for Red Hat OpenShift Advisory URL: https://access.redhat.com/errata/RHSA-2023:0264 Issue date: 2023-01-19 CVE Names: CVE-2020-36518 CVE-2022-2879 CVE-2022-2880 CVE-2022-27664 CVE-2022-32190 CVE-2022-37601 CVE-2022-41715 CVE-2022-42003 CVE-2022-42004 ===================================================================== 1. Summary: An update for Logging Subsystem (5.6.0) is now available for Red Hat OpenShift Container Platform. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Logging Subsystem 5.6.0 - Red Hat OpenShift * logging-view-plugin-container: loader-utils: prototype pollution in function parseQuery in parseQuery.js (CVE-2022-37601) * logging-elasticsearch6-container: jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518) * logging-loki-container: various flaws (CVE-2022-2879 CVE-2022-2880 CVE-2022-41715) * logging-loki-container: golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664) * golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190) * org.elasticsearch-elasticsearch: jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003) * org.elasticsearch-elasticsearch: jackson-databind: use of deeply nested arrays (CVE-2022-42004) 3. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 2124668 - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances 2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY 2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers 2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters 2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps 2134876 - CVE-2022-37601 loader-utils: prototype pollution in function parseQuery in parseQuery.js 2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS 2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays 5. JIRA issues fixed (https://issues.jboss.org/): LOG-2217 - [Vector] Loss of logs when using Vector as collector. LOG-2620 - containers violate PodSecurity -- Core LOG-2819 - the `.level` field they are getting the "ERROR" but in `.structure.level` field they are getting "INFO" LOG-2822 - Evaluating rule failure in LokiRuler pods for Alerting and recording rules LOG-2843 - tls.key and tls.cert not in fluentd real configuration when forwarding logs using syslog tls LOG-2919 - CLO is constantly failing to create already existing logging objects (HTTP 409) LOG-2962 - Add the `version` file to Must-Gather archive LOG-2993 - consoleexternalloglinks.console.openshift.io/kibana should be removed once Kibana is deleted LOG-3072 - Non-admin user with 'view' role can't see any logs in 'Logs' view LOG-3090 - Custom outputs defined in ClusterLogForwarder overwritten when using LokiStack as default log storage LOG-3129 - Kibana Authentication Exception cookie issue LOG-3157 - Resources associated with collector / fluentd keep on getting recreated LOG-3161 - the content of secret elasticsearch-metrics-token is recreated continually LOG-3168 - Ruler pod throwing 'failed loading deletes for user' error after alerting/recording rules are created LOG-3169 - Unable to install Loki operator from upstream repo on OCP 4.12 LOG-3180 - fluentd plugin for kafka ca-bundle secret doesn't support multiple CAs LOG-3186 - [Loki] unable to determine tls profile settings when creating a LokiStack instance with custom global tlsSecurityProfile config LOG-3194 - Collector pod violates PodSecurity "restricted:v1.24" when using lokistack as the default log store in OCP 4.12. LOG-3195 - [Vector] logs parsed into structured when json is set without structured types. LOG-3208 - must-gather is empty for logging with CLO image LOG-3224 - Can't forward logs to non-clusterlogging managed ES using vector. LOG-3235 - cluster-logging.5.5.3 failing to deploy on ROSA LOG-3286 - LokiStack doesn't reconcile to use the changed tlsSecurityProfile set in the global config. LOG-3292 - Loki Controller manager in CrashLoop due to failure to list *v1.Proxy LOG-3296 - Cannot use default Replication Factor for shirt size LOG-3309 - Can't choose correct CA ConfigMap Key when creating lokistack in Console LOG-3324 - [vector] the key_pass should be text in vector.toml when forward log to splunk LOG-3331 - [release-5.6] Reconcile error on controller when creating LokiStack with tls config LOG-3446 - [must-gather] oc adm must-gather execution hangs indefinitely when collecting information for Cluster Logging. 6. References: https://access.redhat.com/security/cve/CVE-2020-36518 https://access.redhat.com/security/cve/CVE-2022-2879 https://access.redhat.com/security/cve/CVE-2022-2880 https://access.redhat.com/security/cve/CVE-2022-27664 https://access.redhat.com/security/cve/CVE-2022-32190 https://access.redhat.com/security/cve/CVE-2022-37601 https://access.redhat.com/security/cve/CVE-2022-41715 https://access.redhat.com/security/cve/CVE-2022-42003 https://access.redhat.com/security/cve/CVE-2022-42004 https://access.redhat.com/security/updates/classification/#moderate 7. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBY8lxEdzjgjWX9erEAQhoGg/+OiJ2IFsII+q6Wfgq/ydTYUEsXtJ/Nn8V GZrM9nVfOSa4HIwWytNHtPyuKqEUy2sZ8WIlXXZNfB/0Nxavpj/F0Dv0TESn4DT9 Og+Dhb/ix4vFsWWy15E8yUNJQREpJb55Ita1tqTfVMZryZ8jbp2FPuUSzt3RSmnM ymNnacKEsDUBrEP3PPRCoXmRSZf8XgLAD4NyJCXmebdEjhT21C/m0jpnElHoCs2i jlzzW7UhWc7ENVly5RoEKPP4rvSOX+0Hay4mQNYOLaNkBkaBz4bod+feI8ros2iy UZ5ln4kBhNJ6XSqOValOU9+OkTGbEmRqymUW/x2GLucwD6ATsRjoM6YdE8aZuavW h3fMIREQ+VM693fKahVwQjc3dnK5dtICi0kaPKTaSbhnwa2iXQTu/6JXssSwZWEj hBpmQpda58v6nBb3ykaEd1JshXIzueuNUG1gH1xsAhoKb/KAPZpl9rMQrJejHBKl wYS8MlO2aDIJ8zjLKqrVXndgJJEy6KHJLCeGhaWV6W8YAvcYv3zQbjSTwTMeftbu eIMMqnhhfxj56qgaYqmVU4sL3pnApS8ZfBRuz6tYh02w5/1OE7ad47mSSrsl36cH 45oRaogk2F0sbbr/u3f74ffKXPUfdtTQGrrisodOxxnJQPKTThB8/y9Zr2UF2LPR UWAAu0JN5A0= =O7hQ -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Description: Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. Security Fix(es): * jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518) * h2: Remote Code Execution in Console (CVE-2021-42392) * netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797) * xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr (CVE-2022-0084) * keycloak: Stored XSS in groups dropdown (CVE-2022-0225) * wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled (CVE-2022-0866) * keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console (CVE-2022-2668) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bugs fixed (https://bugzilla.redhat.com/): 2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling 2039403 - CVE-2021-42392 h2: Remote Code Execution in Console 2040268 - CVE-2022-0225 keycloak: Stored XSS in groups dropdown 2060929 - CVE-2022-0866 wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled 2064226 - CVE-2022-0084 xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 2115392 - CVE-2022-2668 keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console 6. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. Description: Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. Security Fix(es): * scala: deserialization gadget chain (CVE-2022-36944) * json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370) * jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518) * okhttp: information disclosure via improperly used cryptographic function (CVE-2021-0341) * netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136) * netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137) * jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877) * netty: world readable temporary file containing sensitive data (CVE-2022-24823) * jettison: parser crash by stackoverflow (CVE-2022-40149) * jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003) * jackson-databind: use of deeply nested arrays (CVE-2022-42004) * Red Hat A-MQ Streams: component version with information disclosure flaw (CVE-2023-0833) * jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. JIRA issues fixed (https://issues.jboss.org/): ENTMQST-4107 - [KAFKA] MM2 connector task stopped and didn?t result in failed state ENTMQST-4541 - [PROD] Create RHSA erratum for Streams 2.4.0 6. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Security Fix(es): * fastjson (CVE-2022-25845) * jackson-databind (CVE-2020-36518) * mysql-connector-java (CVE-2021-2471, CVE-2022-21363) * undertow (CVE-2022-1259, CVE-2021-3629, CVE-2022-1319) * wildfly-elytron (CVE-2021-3642) * nodejs-ansi-regex (CVE-2021-3807, CVE-2021-3807) * 3 qt (CVE-2021-3859) * kubernetes-client (CVE-2021-4178) * spring-security (CVE-2021-22119) * protobuf-java (CVE-2021-22569) * google-oauth-client (CVE-2021-22573) * XStream (CVE-2021-29505, CVE-2021-43859) * jdom (CVE-2021-33813, CVE-2021-33813) * apache-commons-compress (CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090) * Kafka (CVE-2021-38153) * xml-security (CVE-2021-40690) * logback (CVE-2021-42550) * netty (CVE-2021-43797) * xnio (CVE-2022-0084) * jdbc-postgresql (CVE-2022-21724) * spring-expression (CVE-2022-22950) * springframework (CVE-2021-22096, CVE-2021-22060, CVE-2021-22096, CVE-2022-22976, CVE-2022-22970, CVE-2022-22971, CVE-2022-22978) * h2 (CVE-2022-23221) * junrar (CVE-2022-23596) * artemis-commons (CVE-2022-23913) * elasticsearch (CVE-2020-7020) * tomcat (CVE-2021-24122, CVE-2021-25329, CVE-2020-9484, CVE-2021-25122, CVE-2021-33037, CVE-2021-30640, CVE-2021-41079, CVE-2021-42340, CVE-2022-23181) * junit4 (CVE-2020-15250) * wildfly-core (CVE-2020-25689, CVE-2021-3644) * kotlin (CVE-2020-29582) * karaf (CVE-2021-41766, CVE-2022-22932) * Spring Framework (CVE-2022-22968) * metadata-extractor (CVE-2022-24614) * poi-scratchpad (CVE-2022-26336) * postgresql-jdbc (CVE-2022-26520) * tika-core (CVE-2022-30126) For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Installation instructions are available from the Fuse 7.11.0 product documentation page: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/ 4. Bugs fixed (https://bugzilla.redhat.com/): 1838332 - CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE 1887810 - CVE-2020-15250 junit4: TemporaryFolder is shared between all users across system which could result in information disclosure 1893070 - CVE-2020-25689 wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-controller 1893125 - CVE-2020-7020 elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure 1917209 - CVE-2021-24122 tomcat: Information disclosure when using NTFS file system 1930291 - CVE-2020-29582 kotlin: vulnerable Java API was used for temporary file and folder creation which could result in information disclosure 1934032 - CVE-2021-25122 tomcat: Request mix-up with h2c 1934061 - CVE-2021-25329 tomcat: Incomplete fix for CVE-2020-9484 (RCE via session persistence) 1966735 - CVE-2021-29505 XStream: remote command execution attack by manipulating the processed input stream 1973413 - CVE-2021-33813 jdom: XXE allows attackers to cause a DoS via a crafted HTTP request 1976052 - CVE-2021-3644 wildfly-core: Invalid Sensitivity Classification of Vault Expression 1977064 - CVE-2021-22119 spring-security: Denial-of-Service (DoS) attack via initiation of Authorization Request 1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS 1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer 1981533 - CVE-2021-33037 tomcat: HTTP request smuggling when used with a reverse proxy 1981544 - CVE-2021-30640 tomcat: JNDI realm authentication weakness 1981895 - CVE-2021-35515 apache-commons-compress: infinite loop when reading a specially crafted 7Z archive 1981900 - CVE-2021-35516 apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive 1981903 - CVE-2021-35517 apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive 1981909 - CVE-2021-36090 apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive 2004820 - CVE-2021-41079 tomcat: Infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE engine 2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes 2009041 - CVE-2021-38153 Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients 2010378 - CVE-2021-3859 undertow: client side invocation timeout raised when calling over HTTP2 2011190 - CVE-2021-40690 xml-security: XPath Transform abuse allows for information disclosure 2014356 - CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS 2020583 - CVE-2021-2471 mysql-connector-java: unauthorized access to critical 2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling 2033560 - CVE-2021-42550 logback: remote code execution through JNDI call from within its configuration file 2034388 - CVE-2021-4178 kubernetes-client: Insecure deserialization in unmarshalYaml method 2034584 - CVE-2021-22096 springframework: malicious input leads to insertion of additional log entries 2039903 - CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data 2044596 - CVE-2022-23221 h2: Loading of custom classes from remote servers through JNDI 2046279 - CVE-2022-22932 karaf: path traversal flaws 2046282 - CVE-2021-41766 karaf: insecure java deserialization 2047343 - CVE-2022-21363 mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors 2047417 - CVE-2022-23181 tomcat: local privilege escalation vulnerability 2049778 - CVE-2022-23596 junrar: A carefully crafted RAR archive can trigger an infinite loop while extracting 2049783 - CVE-2021-43859 xstream: Injecting highly recursive collections or maps can cause a DoS 2050863 - CVE-2022-21724 jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes 2055480 - CVE-2021-22060 springframework: Additional Log Injection in Spring Framework (follow-up to CVE-2021-22096) 2058763 - CVE-2022-24614 metadata-extractor: Out-of-memory when reading a specially crafted JPEG file 2063292 - CVE-2022-26336 poi-scratchpad: A carefully crafted TNEF file can cause an out of memory exception 2063601 - CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS 2064007 - CVE-2022-26520 postgresql-jdbc: Arbitrary File Write Vulnerability 2064226 - CVE-2022-0084 xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 2069414 - CVE-2022-22950 spring-expression: Denial of service via specially crafted SpEL expression 2072339 - CVE-2022-1259 undertow: potential security issue in flow control over HTTP/2 may lead to DOS(incomplete fix for CVE-2021-3629) 2073890 - CVE-2022-1319 undertow: Double AJP response for 400 from EAP 7 results in CPING failures 2075441 - CVE-2022-22968 Spring Framework: Data Binding Rules Vulnerability 2081879 - CVE-2021-22573 google-oauth-client: Token signature not verified 2087214 - CVE-2022-22976 springframework: BCrypt skips salt rounds for work factor of 31 2087272 - CVE-2022-22970 springframework: DoS via data binding to multipartFile or servlet part 2087274 - CVE-2022-22971 springframework: DoS with STOMP over WebSocket 2087606 - CVE-2022-22978 springframework: Authorization Bypass in RegexRequestMatcher 2088523 - CVE-2022-30126 tika-core: Regular Expression Denial of Service in standards extractor 2100654 - CVE-2022-25845 fastjson: autoType shutdown restriction bypass leads to deserialization 5

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

TYPE

code execution, xss

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2026-02-07T20:12:35.748000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE