Important: Red Hat build of Quarkus 2.7.7 release and security update

Topic

An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

Description

This release of Red Hat build of Quarkus 2.7.7 includes security updates, bug
fixes, and enhancements. For more information, see the release notes page listed
in the References section.

Security Fix(es):

• CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure [quarkus-2]
• CVE-2022-41946 jdbc-postgresql: postgresql-jdbc: PreparedStatement.setText(int, InputStream) will create a temporary file if the InputStream is larger than 2k [quarkus-2]
• CVE-2022-31197 postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names [quarkus-2.7]
• CVE-2022-42004 jackson-databind: use of deeply nested arrays [quarkus-2.7]
• CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS [quarkus-2.7]
• CVE-2022-42889 commons-text: apache-commons-text: variable interpolation RCE [quarkus-2.7]
• CVE-2022-1471 snakeyaml: Constructor Deserialization Remote Code Execution [quarkus-2]
• CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow [quarkus-2.7]
• CVE-2022-3171 protobuf-java: timeout in parser leads to DoS [quarkus-2]

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Build of Quarkus Text-Only Advisories x86_64

Fixes

• BZ - 2129428 - CVE-2022-31197 postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names
• BZ - 2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
• BZ - 2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
• BZ - 2135435 - CVE-2022-42889 apache-commons-text: variable interpolation RCE
• BZ - 2137645 - CVE-2022-3171 protobuf-java: timeout in parser leads to DoS
• BZ - 2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution
• BZ - 2153399 - CVE-2022-41946 postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions
• BZ - 2158081 - CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure
• BZ - 2170431 - CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow
• QUARKUS-2593 - qpid extension, geronimo-jms_2.0_spec artifacts are not included in maven repo zip
• QUARKUS-2705 - Old graal-sdk and nativeimage svm comparing to builder image
• QUARKUS-2852 - JReleaser - Specific configuration for maintenance and preview
• QUARKUS-2854 - Fix memory leak in Agroal local connection cache for Netty's FastThreadLocalThread
• QUARKUS-2855 - Allow CORS same origin requests
• QUARKUS-2856 - Handle maintenance releases in release-cli.sh
• QUARKUS-2861 - Complete implementation of UriInfoImpl
• QUARKUS-2862 - Prevent duplicate HTTP headers when WriterInterceptor is used
• QUARKUS-2864 - Fix how certificates are obtained in the RestClient integration tests
• QUARKUS-2865 - Remove wrong LANG from dockerfile use parent default
• QUARKUS-2866 - Delay initialization of the DefaultChannelId class at runtime
• QUARKUS-2867 - Strip debug information from the native executable unconditionally
• QUARKUS-2869 - Use proper HttpHeaders FQCN
• QUARKUS-2871 - Properly ensure that transfer-encoding is not set when content-length exists
• QUARKUS-2872 - Properly initialize elements from the datasource configs
• QUARKUS-2873 - Attempt to fix podman DNS issue
• QUARKUS-2874 - Clear out OutputStream when a MessageBodyWriter throws an exception
• QUARKUS-2876 - Allow to override the Oracle JDBC metadata for native images also on Windows
• QUARKUS-2877 - Move excludes for jaeger-thrift to the bom
• QUARKUS-2879 - Fix some typos in Maven tooling doc
• QUARKUS-2880 - Ensure that File is properly handled in native mode in RESTEasy Reactive
• QUARKUS-2882 - Ensure that @WithConverter values work in native mode
• QUARKUS-2883 - Provide actionable error message when unable to bind to Unix domain socket
• QUARKUS-2884 - Fix the error for non-blocking multipart endpoints
• QUARKUS-2885 - List Reactive Oracle Client in Hibernate Reactive guide
• QUARKUS-2886 - Fix null query parameter handling in generated RestEasy Reactive clients
• QUARKUS-2887 - Podman on Windows needs one /, not two // prefix
• QUARKUS-2888 - Allow updating docs for older branches
• QUARKUS-2889 - [Guide] fix reactive-sql-clients startup method
• QUARKUS-2893 - Normalize uri template name to be a valid regex groupname
• QUARKUS-2895 - Support arrays in RESTEasy Reactive Resource methods

CVEs

• CVE-2022-1471
• CVE-2022-3171
• CVE-2022-31197
• CVE-2022-41946
• CVE-2022-41966
• CVE-2022-42003
• CVE-2022-42004
• CVE-2022-42889
• CVE-2023-0044

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/articles/4966181
• https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=redhat.quarkus&version=2.7.7