-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat support for Spring Boot 2.7.2 update
Advisory ID:       RHSA-2022:8761-01
Product:           Red Hat OpenShift Application Runtimes
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8761
Issue date:        2022-12-14
CVE Names:         CVE-2020-5404 CVE-2021-4178 CVE-2021-22569
                   CVE-2022-1259 CVE-2022-1319 CVE-2022-22950
====================================================================

1. Summary:

An update is now available for Red Hat OpenShift Application Runtimes.

2. Description:

Red Hat support for Spring Boot provides an application platform that
reduces the complexity of developing and operating applications (monoliths
and microservices) for OpenShift as a containerized platform.

This release of Red Hat support for Spring Boot 2.7.2 serves as a
replacement for Red Hat support for Spring Boot 2.5.12, and includes
security fixes, bug fixes and enhancements. For more information, see the
release notes listed in the References section.

Security Fix(es):

* reactor-netty: specific redirect configuration allows for a credentials
leak (CVE-2020-5404)

* kubernetes-client: Insecure deserialization in unmarshalYaml method
(CVE-2021-4178)

* protobuf-java: potential DoS in the parsing procedure for binary data
(CVE-2021-22569)

* undertow: potential security issue in flow control over HTTP/2 may lead
to DoS (incomplete fix for CVE-2021-3629) (CVE-2022-1259)

* undertow: Double AJP response for 400 from EAP 7 results in CPING
failures (CVE-2022-1319)

* spring-expression: Denial of service via specially crafted SpEL
expression (CVE-2022-22950)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings,
and so on.

The References section of this erratum contains a download link for the
update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

1975160 - CVE-2020-5404 reactor-netty: specific redirect configuration allows for a credentials leak
2034388 - CVE-2021-4178 kubernetes-client: Insecure deserialization in unmarshalYaml method
2039903 - CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data
2069414 - CVE-2022-22950 spring-expression: Denial of service via specially crafted SpEL expression
2072339 - CVE-2022-1259 undertow: potential security issue in flow control over HTTP/2 may lead to DoS (incomplete fix for CVE-2021-3629)
2073890 - CVE-2022-1319 undertow: Double AJP response for 400 from EAP 7 results in CPING failures

5. References:

https://access.redhat.com/security/cve/CVE-2020-5404
https://access.redhat.com/security/cve/CVE-2021-4178
https://access.redhat.com/security/cve/CVE-2021-22569
https://access.redhat.com/security/cve/CVE-2022-1259
https://access.redhat.com/security/cve/CVE-2022-1319
https://access.redhat.com/security/cve/CVE-2022-22950
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.spring.boot&version=2.7.2
https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.7/html/release_notes_for_spring_boot_2.7/index

6. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY5n7DNzjgjWX9erEAQiKPxAAmoYF+t4ACJYF2K5F++ihf3FMAZZFW1uZ
O21DM6vLF8Vr0W5R/ySQU3P3bmXj5nL7dxXKsF4qybaUpzRhVztpuMNBxYUTuGC2
NjjrJ3M6a3Kairtf7utXB63qBdWrEAnFm5KOHTkcYMijFxmNgwlA9NyNd3Ogy56U
glBojHJDZucexAiEl6XZVY0LcNgFWH6RjTxIsHlZwCGJ53isUGeclAiQqFEhwUAg
5uHa3RGwUr/Qpbqkhg7LOeiWGcthQz+/99A7n/DGgST87IUMFnEUUALiJW3p7v85
2ZAeUFxgjxOCYPPqKV5TDsSxoIn8CROji48Zj4Z+rX5AgiQgTr7qfAwFmGcItuXn
z16h9xrng/sGi70nfPpsPwRK8xPkRTKbbUx9QjQhUWz1EROoz6H6/ZmH9Uoyl8p3
xDaSLTixQftyTJiMIldcrqfShlXQ3PIg/fgG1wcmCzh/y2+9Q3yBRO6FGMRpc5vN
oE/UkQYoLx70ac9p70cfhJR95KCe36SIOz709ttnJPFhj+VhoMO+P3JCZCMaUutZ
2JU0PWLkI7aDfGJYM9Sdcd2PyWweyQXx7QYcxXd8t2lmnnvwaGd4n7e62ZL5D/go
sHPxfngfBG6SYCBnDixpspjFUXa79Xyzcu6jaxKYWJSRu/jHhJcApjWXYedoNl4u
m/Y35FxA4Zc=
=z+xe
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce