RHSA-2023:0471: Important: Migration Toolkit for Runtimes security update
Security Fix(es):

* jib-core: RCE via the isDockerInstalled (CVE-2022-25914)
* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
* nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)
* loader-utils: Regular expression denial of service (CVE-2022-37603)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.
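The two jackson-databind entries are resource-exhaustion bugs: a document with enough nested arrays drives the recursive deserializer past its stack. The fix is the updated package, but a service that must accept JSON from untrusted clients can also cap nesting depth at the edge, before any recursive parser sees the input. The following is an added example, not code from the advisory or from Migration Toolkit for Runtimes; it assumes a Python front-end and uses a limit of 1000 levels chosen for illustration.

```python
import json

# Maximum array/object nesting accepted before the input is handed to the
# real parser. 1000 is an assumption for illustration; choose a value that
# covers your legitimate documents with margin.
MAX_NESTING_DEPTH = 1000


class NestingTooDeep(ValueError):
    """Raised when a JSON document nests deeper than the configured cap."""


def max_json_depth(data: str) -> int:
    """Return the deepest array/object nesting level in a JSON text.

    Single linear pass over the characters, tracking whether we are inside a
    string literal so that brackets inside string values (and escaped quotes
    such as "\\"") are not counted. O(n) time, O(1) extra memory, and no
    recursion, so it is safe to run on hostile input of any depth.
    """
    depth = 0
    deepest = 0
    in_string = False
    escaped = False
    for ch in data:
        if in_string:
            if escaped:
                escaped = False          # character after a backslash is literal
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > deepest:
                deepest = depth
        elif ch in "]}":
            depth -= 1
    return deepest


def safe_loads(data: str, max_depth: int = MAX_NESTING_DEPTH):
    """Parse JSON only after confirming its nesting stays within max_depth."""
    depth = max_json_depth(data)
    if depth > max_depth:
        raise NestingTooDeep(f"nesting depth {depth} exceeds limit {max_depth}")
    return json.loads(data)


# Constructed sample inputs (not taken from the advisory).
BENIGN = '{"name": "app", "tags": ["a", "b"], "note": "[[[not nesting]]]"}'
HOSTILE = "[" * 100_000 + "]" * 100_000   # the "deeply nested arrays" shape


if __name__ == "__main__":
    print("benign depth:", max_json_depth(BENIGN))    # 2
    print("hostile depth:", max_json_depth(HOSTILE))  # 100000
    try:
        safe_loads(HOSTILE)
    except NestingTooDeep as exc:
        print("rejected:", exc)
```

The pre-check is deliberately not a JSON validator: it only counts structural brackets outside string literals, which is all that is needed to refuse the payload shape these CVEs exploit before a recursive parser spends stack on it.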
Frequently Asked Questions
What security fixes are included in RHSA-2023:0471?
RHSA-2023:0471 fixes six CVEs in bundled dependencies: remote code execution in jib-core (CVE-2022-25914), arbitrary bytecode production via an out-of-bounds write in Apache-Commons-BCEL (CVE-2022-42920), regular expression denial of service in nodejs-minimatch (CVE-2022-3517) and loader-utils (CVE-2022-37603), and two resource-exhaustion issues in jackson-databind triggered by deeply nested arrays (CVE-2022-42003, CVE-2022-42004).
How do I address vulnerability CVE-2022-25914 in RHSA-2023:0471?
To address CVE-2022-25914, apply the Migration Toolkit for Runtimes update published with RHSA-2023:0471, which ships a jib-core build without the isDockerInstalled RCE. jib-core is bundled with the product, so update Migration Toolkit for Runtimes itself rather than looking for a standalone jib-core package.
What is the risk associated with CVE-2022-42920 in RHSA-2023:0471?
CVE-2022-42920 is an out-of-bounds write in Apache Commons BCEL APIs that are meant to change only specific class characteristics; because of the bug they can be driven to produce arbitrary bytecode. An application that passes attacker-controlled data to those APIs therefore gives the attacker more control over the generated class than intended. Whether that turns into code execution depends on whether the resulting class is loaded, so treat it as serious wherever BCEL processes untrusted input.
How can I mitigate the ReDoS vulnerability described in CVE-2022-3517 from RHSA-2023:0471?
To mitigate CVE-2022-3517, apply the update from RHSA-2023:0471, which ships a nodejs-minimatch with the fixed braceExpand; the same update also resolves the related ReDoS in loader-utils (CVE-2022-37603). Both are denial-of-service issues in which a crafted pattern makes the regular expression consume excessive CPU time, so until the update is applied avoid feeding untrusted patterns to these libraries.
How can I find the affected software for RHSA-2023:0471?
The affected products and versions are listed under Affected Software on the RHSA-2023:0471 advisory page on the Red Hat Customer Portal; that list is authoritative for which Migration Toolkit for Runtimes releases need this update.