Important: Red Hat Process Automation Manager 7.13.4 security update

Topic

An update is now available for Red Hat Process Automation Manager.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which provides a detailed severity rating, is available for each vulnerability from the CVE links in the References section.

Description

Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.

This asynchronous security patch is an update to Red Hat Process Automation Manager 7.

Security Fixes:

• apache-bcel: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
• decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)
• mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
• spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)
• springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
• loader-utils: regular expression denial of service in interpolateName.js (CVE-2022-37599)
• protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)
• snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
• woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)
• RESTEasy: creation of insecure temp files (CVE-2023-0482)
• sshd-core: mina-sshd-core: Memory leak denial of service in Apache Mina SSHD Server (CVE-2021-30129)

For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat JBoss Middleware Text-Only Advisories for MIDDLEWARE 1 x86_64

Fixes

• BZ - 1981527 - CVE-2021-30129 mina-sshd-core: Memory leak denial of service in Apache Mina SSHD Server
• BZ - 2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections
• BZ - 2134291 - CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks
• BZ - 2134872 - CVE-2022-37599 loader-utils: regular expression denial of service in interpolateName.js
• BZ - 2137645 - CVE-2022-3171 protobuf-java: timeout in parser leads to DoS
• BZ - 2142707 - CVE-2022-42920 Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing
• BZ - 2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability
• BZ - 2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files
• BZ - 2170644 - CVE-2022-38900 decode-uri-component: improper input validation resulting in DoS
• BZ - 2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
• BZ - 2209342 - CVE-2023-20883 spring-boot: Spring Boot Welcome Page DoS Vulnerability

CVEs

• CVE-2021-30129
• CVE-2022-3171
• CVE-2022-25857
• CVE-2022-37599
• CVE-2022-38900
• CVE-2022-40152
• CVE-2022-42920
• CVE-2022-45047
• CVE-2023-0482
• CVE-2023-20860
• CVE-2023-20883

References

• https://access.redhat.com/security/updates/classification/#important