RHSA-2022:6835 - Important: Service Registry (container images) release and security update [2.3.0.GA]

RHSA-2022:6835: Important: Service Registry (container images) release and security update [2.3.0.GA]

Published Oct 6, 2022

Updated

This release of Red Hat Integration - Service registry 2.3.0.GA serves as a replacement for 2.0.3.GA, and includes the below security fixes.Security Fix(es): cron-utils: template Injection leading to unauthenticated Remote Code Execution (CVE-2021-41269) prismjs: improperly escaped output allows a XSS (CVE-2022-23647) snakeyaml: Denial of Service due missing to nested depth limitation for collections (CVE-2022-25857) moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129) moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129) protobuf-java: potential DoS in the parsing procedure for binary data (CVE-2021-22569) quarkus: privilege escalation vulnerability with RestEasy Reactive scope leakage in Quarkus (CVE-2022-0981) quarkus-jdbc-postgresql-deployment: jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes (CVE-2022-21724) netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137) netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136) node-fetch: exposure of sensitive information to an unauthorized actor (CVE-2022-0235) follow-redirects: Exposure of Sensitive Information via Authorization Header leak (CVE-2022-0536) jdbc-postgresql: postgresql-jdbc: Arbitrary File Write Vulnerability (CVE-2022-26520) node-forge: Signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery (CVE-2022-24771) node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery (CVE-2022-24772) node-forge: Signature verification leniency in checking `DigestInfo` structure (CVE-2022-24773) com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson (CVE-2022-25647) terser: insecure use of regular expressions leads to ReDoS (CVE-2022-25858) graphql-java: DoS by malicious query (CVE-2022-37734) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected Software

1 affected component

Red Hat Integration - Service Registry

Remediation

Event History

Oct 6, 2022

Advisory Published

12:00 AM

Data Sourced

12:00 AM

RemedyDescriptionAffected Software

Frequently Asked Questions

What is the severity of RHSA-2022:6835?

RHSA-2022:6835 is classified with a high severity due to potential unauthenticated remote code execution vulnerabilities.

How do I fix RHSA-2022:6835?

To fix RHSA-2022:6835, upgrade your Red Hat Integration - Service registry to version 2.3.0.GA or later.

What vulnerabilities are addressed in RHSA-2022:6835?

RHSA-2022:6835 addresses vulnerabilities including CVE-2021-41269 which affects cron-utils, allowing template injection and remote code execution.

Which software versions are affected by RHSA-2022:6835?

RHSA-2022:6835 affects Red Hat Integration - Service registry versions prior to 2.3.0.GA.

Is RHSA-2022:6835 a critical update?

RHSA-2022:6835 is considered a critical update due to the potential impact of the vulnerabilities it addresses.