-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Integration Camel for Spring Boot 4.0.0 release and security update
Advisory ID:       RHSA-2023:5441-01
Product:           Red Hat Integration
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5441
Issue date:        2023-10-04
CVE Names:         CVE-2022-44729 CVE-2022-44730 CVE-2022-46751
                   CVE-2023-26048 CVE-2023-26049 CVE-2023-33008
                   CVE-2023-34462 CVE-2023-40167
====================================================================

1. Summary:

Red Hat Integration Camel for Spring Boot 4.0.0 release and security update is now available.

Red Hat Product Security has rated this update as having an impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat Integration Camel for Spring Boot 4.0.0 is now available.

The purpose of this text-only errata is to inform you about the security issues fixed.

* batik: Server-Side Request Forgery vulnerability (CVE-2022-44729)

* batik: Server-Side Request Forgery vulnerability (CVE-2022-44730)

* apache-ivy: XML External Entity vulnerability (CVE-2022-46751)

* jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() (CVE-2023-26048)

* jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)

* apache-johnzon: Prevent inefficient internal conversion from BigDecimal at large scale (CVE-2023-33008)

* netty: io.netty:netty-handler: SniHandler 16MB allocation (CVE-2023-34462)

* jetty-http: jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

The References section of this erratum contains a download link (you must log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

2216888 - CVE-2023-34462 netty: SniHandler 16MB allocation leads to OOM
2221135 - CVE-2023-33008 apache-johnzon: Prevent inefficient internal conversion from BigDecimal at large scale
2233112 - CVE-2022-46751 apache-ivy: XML External Entity vulnerability
2233889 - CVE-2022-44729 batik: Server-Side Request Forgery vulnerability
2233899 - CVE-2022-44730 batik: Server-Side Request Forgery vulnerability
2236340 - CVE-2023-26048 jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter()
2236341 - CVE-2023-26049 jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies
2239634 - CVE-2023-40167 jetty: Improper validation of HTTP/1 content-length

5. References:

https://access.redhat.com/security/cve/CVE-2022-44729
https://access.redhat.com/security/cve/CVE-2022-44730
https://access.redhat.com/security/cve/CVE-2022-46751
https://access.redhat.com/security/cve/CVE-2023-26048
https://access.redhat.com/security/cve/CVE-2023-26049
https://access.redhat.com/security/cve/CVE-2023-33008
https://access.redhat.com/security/cve/CVE-2023-34462
https://access.redhat.com/security/cve/CVE-2023-40167
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version 23-Q4

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJlHYSlAAoJENzjgjWX9erEY5sP/2dMIE7R17o8VqlZdqqId2PD
m7WiE/9WiEgtKr7540nykn3dMB8wt5IrAan7UhCQ60S2Q+xtlXKRsTxKWxmOtp/F
cyOUufeXQsnl0hF68sBrTKgUKYzmOnsUSQXOnF8Hq9jgRPcDhq288F3T60cJZk3o
mkibHlqe+1Gbr7rzeDtmdCiqDhlWSoTRgy9Q1xGVubica8sXhelc430Fm11pLms1
CzY6VXxD6t1WRnJ7k//pPVguqGsZytLBPlLclsFXa9CG4fNaN/m2jCncLEuaOZxN
K5Ap6IGTqUow2dzY4N4k0v6V24srZtSFt+dFknwrjSaUeEl0p8H6wl11UJrW3DL5
1IizSST8NXrd783a1pqNTKD5iwgJ/94jpm673kzDxDZCoueFbc1ER/YOtQg5bCAd
nzdormAVtnOBIzwVUi4l0l5bk0BMtfD0E8xHZeN502DJfAABZH27D3r7LnOgyXkj
MjoMmMRtAl4xKeH3GlM1fyIYu3jHSsrId9ykTEZwvlegtFIKSTUF0/Znz7pSfO/w
eMIvqinTX/rZ6Wjy4ENntMFvpFDkTastJLrsKmeSm+/mV44l9v76m/Oylsro/ui2
b9IuKcyJW2WGEosT++VUpgMrdJ8BWhBfirGpa1rh4fRQDh4NlB7VjiXwccHbEH2A
lVwPfcWEn2MqKPtlx/vU
=0Oie
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce