-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat support for Spring Boot 2.7.13 security update
Advisory ID:       RHSA-2023:4612-01
Product:           Red Hat OpenShift Application Runtimes
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4612
Issue date:        2023-08-16
CVE Names:         CVE-2021-46877 CVE-2022-1471 CVE-2022-31684
                   CVE-2022-45143 CVE-2023-1108 CVE-2023-20860
                   CVE-2023-20861
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift Application Runtimes.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat support for Spring Boot provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform.

This release of Red Hat support for Spring Boot 2.7.13 serves as a replacement for Red Hat support for Spring Boot 2.7.12, and includes security, bug fixes and enhancements. For more information, see the release notes linked in the References section.

Security Fix(es):

* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* undertow: Infinite loop in SslConduit during close (CVE-2023-1108)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
* jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)
* reactor-netty-http: Log request headers in some cases of invalid HTTP requests (CVE-2022-31684)
* tomcat: JsonErrorReportValve injection (CVE-2022-45143)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2141353 - CVE-2022-31684 reactor-netty-http: Log request headers in some cases of invalid HTTP requests
2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution
2158695 - CVE-2022-45143 tomcat: JsonErrorReportValve injection
2174246 - CVE-2023-1108 Undertow: Infinite loop in SslConduit during close
2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
2180530 - CVE-2023-20861 springframework: Spring Expression DoS Vulnerability
2185707 - CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode

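The SnakeYAML fix above (CVE-2022-1471) concerns the library's default Constructor, which resolves global "!!" tags in a YAML document to Java classes and instantiates them. Applying the errata updates the bundled library, but application code that parses YAML it did not author should also load it with SafeConstructor, which only builds standard YAML types. The following is an added example, not code from the advisory or from Red Hat; it assumes org.yaml:snakeyaml 1.33 or later on the classpath, and the class name SafeYamlLoader and the sample documents are constructed for illustration.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

/**
 * Added example (not part of the advisory): load untrusted YAML with
 * SnakeYAML's SafeConstructor so that global "!!" class tags are never
 * resolved to arbitrary Java types. Assumes org.yaml:snakeyaml 1.33 or
 * later on the classpath.
 */
public final class SafeYamlLoader {

    private final Yaml yaml;

    public SafeYamlLoader() {
        LoaderOptions options = new LoaderOptions();
        // Bound input size and alias expansion to blunt resource-exhaustion inputs.
        options.setCodePointLimit(1024 * 1024);   // about 1 MiB of YAML text
        options.setMaxAliasesForCollections(50);   // caps alias expansion of collections
        options.setAllowRecursiveKeys(false);
        // SafeConstructor only builds standard YAML types (maps, lists,
        // strings, numbers, booleans, null, timestamps), never app classes.
        this.yaml = new Yaml(new SafeConstructor(options));
    }

    /** Parse a YAML mapping; any global class tag makes the load fail. */
    public Map<String, Object> loadMapping(String document) {
        Object parsed = yaml.load(document);
        if (!(parsed instanceof Map)) {
            throw new IllegalArgumentException("expected a YAML mapping at the top level");
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> mapping = (Map<String, Object>) parsed;
        return mapping;
    }

    public static void main(String[] args) {
        SafeYamlLoader loader = new SafeYamlLoader();

        // Constructed sample: plain configuration data, accepted.
        String benign = "server:\n  port: 8080\n  tls: true\n";
        System.out.println("benign -> " + loader.loadMapping(benign));

        // Constructed sample: a global class tag. With the default
        // Constructor this would ask SnakeYAML to instantiate the named
        // class; SafeConstructor refuses the tag instead.
        String tagged = "server: !!java.lang.Object {}\n";
        try {
            loader.loadMapping(tagged);
            System.out.println("tagged -> UNEXPECTEDLY accepted");
        } catch (YAMLException e) {
            System.out.println("tagged -> rejected: " + e.getMessage());
        }
    }
}
```

The rejection surfaces as a YAMLException (a ConstructorException in current releases), so callers can treat it like any other malformed-input error. Where the application genuinely needs YAML mapped onto its own types, a Constructor restricted to an explicit allow-list of those types is the next-safest option; the unrestricted default Constructor is the configuration the CVE describes.
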
5. References:

https://access.redhat.com/security/cve/CVE-2021-46877
https://access.redhat.com/security/cve/CVE-2022-1471
https://access.redhat.com/security/cve/CVE-2022-31684
https://access.redhat.com/security/cve/CVE-2022-45143
https://access.redhat.com/security/cve/CVE-2023-1108
https://access.redhat.com/security/cve/CVE-2023-20860
https://access.redhat.com/security/cve/CVE-2023-20861
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.7/html/release_notes_for_spring_boot_2.7/index

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJk3NshAAoJENzjgjWX9erEZMcQAJI0PVt/9Ae/5MWvXTpUf53E
H41TjbqCgcCXZIqE7HEF5a1zEZChLyzMVtLwNg9FnbCyH491RjCvIqH0kOo7rP9u
asZ2kFznygvI9fvyjO0DKT47XEgS8umWLGsl2tGf62fC16RYKwN0TVzS/bf7yfAm
zOR162OXdNYO6UGKp+7eu3JVDbwTIkvHIwBa7s1QTZU9SVsStGYmb08hf5zogLHR
moO+pzZNnOaPQPZxHwdA/xG236Wu+5U0ybjweCBHxg6dHw2/LmZfx4sNOnE2VY5U
rdqvj4Kv/Z32C+h0RklQOqiv0OCDxBjfd7e/y4YCWVywRWmiSv2ccgp5ICpMN6eq
b5hNmouFYYnfalf6jYTABF0UaZ6v5zqiByZKs4GkbdnJOicLyaNUJXhsRKAXsawt
fY9Ildy+WfKaKQFBWh9mFkT+Kj5bz+dd6/g1KFjV8DY2wk8UJ80Xkp36BEBl0DNg
YQcdt/CRUhjuHzbrM94nk4bUfSWZgjw+qPhTKhL2jzW83jtS4SGtfvKkgiLm7si/
djdrpLljF2iAH4LwuOrtG/s8EEBZARt6HLsGBBejo2Rskvb5/rsyrFaxVL28kkUw
hFZi/tQ/L+oyEjewln+dE3YWKEUx5yHA9taYCfPQ3/wgz65an4yg4b18coIQLxmS
q5vEHlEv72kvu+tfUh3r
=asIM
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce