[RHSA-2023:3641-01] Important: Red Hat Integration Camel for Spring Boot 3.18.3 Patch 2 release

Security announcements for all Red Hat products and services. rhsa-announce at redhat.com
Thu Jun 15 18:48:57 UTC 2023



=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Integration Camel for Spring Boot 3.18.3 Patch 2 release
Advisory ID:       RHSA-2023:3641-01
Product:           Red Hat Integration
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3641
Issue date:        2023-06-15
CVE Names:         CVE-2022-25857 CVE-2022-38749 CVE-2022-38750
                   CVE-2022-38751 CVE-2022-38752 CVE-2022-40152
                   CVE-2022-40156 CVE-2022-41854 CVE-2022-42003
                   CVE-2022-42004 CVE-2022-45047 CVE-2022-46363
                   CVE-2022-46364 CVE-2023-1370 CVE-2023-1436
                   CVE-2023-20883
=====================================================================

1. Summary:

Camel for Spring Boot 3.18.3 Patch 2 release and security update is now
available.

Red Hat Product Security has rated this update as having an impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

This release of Camel for Spring Boot 3.18.3.P2 serves as a replacement for
Camel for Spring Boot 3.18.3.P1 and includes bug fixes and enhancements,
which are documented in the Release Notes linked in the References. The
purpose of this text-only errata is to inform you about the security issues
fixed.

* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)

* woodstox-core: using Woodstox to serialise XML data was vulnerable to
Denial of Service attacks (CVE-2022-40152)

* xstream: using XStream to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40156)

* dev-java-snakeyaml: dev-java/snakeyaml: DoS via stack overflow
(CVE-2022-41854)

* snakeyaml: Denial of Service due to missing nested depth limitation for
collections (CVE-2022-25857)

* sshd-common: mina-sshd: Java unsafe deserialization vulnerability
(CVE-2022-45047)

* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)

* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart
(Resource Exhaustion) (CVE-2023-1370)

* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

* jackson-databind: deep wrapper array nesting wrt
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

* snakeyaml: Uncaught exception in
org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)

* snakeyaml: Uncaught exception in
org.yaml.snakeyaml.constructor.BaseConstructor.constructObject
(CVE-2022-38750)

* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern.match
(CVE-2022-38751)

* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode
(CVE-2022-38752)

* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)

* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections
2129706 - CVE-2022-38749 snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode
2129707 - CVE-2022-38750 snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject
2129709 - CVE-2022-38751 snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match
2129710 - CVE-2022-38752 snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode
2134288 - CVE-2022-40156 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks
2134291 - CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability
2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow
2155681 - CVE-2022-46363 Apache CXF: directory listing / code exfiltration
2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability
2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray
2188542 - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)
2209342 - CVE-2023-20883 spring-boot: Spring Boot Welcome Page DoS Vulnerability

5. References:

https://access.redhat.com/security/cve/CVE-2022-25857
https://access.redhat.com/security/cve/CVE-2022-38749
https://access.redhat.com/security/cve/CVE-2022-38750
https://access.redhat.com/security/cve/CVE-2022-38751
https://access.redhat.com/security/cve/CVE-2022-38752
https://access.redhat.com/security/cve/CVE-2022-40152
https://access.redhat.com/security/cve/CVE-2022-40156
https://access.redhat.com/security/cve/CVE-2022-41854
https://access.redhat.com/security/cve/CVE-2022-42003
https://access.redhat.com/security/cve/CVE-2022-42004
https://access.redhat.com/security/cve/CVE-2022-45047
https://access.redhat.com/security/cve/CVE-2022-46363
https://access.redhat.com/security/cve/CVE-2022-46364
https://access.redhat.com/security/cve/CVE-2023-1370
https://access.redhat.com/security/cve/CVE-2023-1436
https://access.redhat.com/security/cve/CVE-2023-20883
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2

6. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.