Red Hat Security Advisory: Red Hat Process Automation Manager 7.12.0 security update
🔗 CVE IDs covered (18)
📋 Description
- CVE-2020-28491 — jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception
- CVE-2021-20218 — fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise
- CVE-2021-29505 — XStream: remote command execution attack by manipulating the processed input stream
- CVE-2021-39139 — xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl
- CVE-2021-39140 — xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler
- CVE-2021-39141 — xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*
- CVE-2021-39144 — xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.*
- CVE-2021-39145 — xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration
- CVE-2021-39146 — xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue
- CVE-2021-39147 — xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration
- CVE-2021-39148 — xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator
- CVE-2021-39149 — xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.*
- CVE-2021-39150 — xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*
- CVE-2021-39151 — xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration
- CVE-2021-39152 — xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData
- CVE-2021-39153 — xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl
- CVE-2021-39154 — xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue
- CVE-2021-44228 — log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value
🔗 References (21)
- self: https://access.redhat.com/errata/RHSA-2022:0296
- external: https://access.redhat.com/security/updates/classification/#critical
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1923405
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1930423
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1966735
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1997763
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1997765
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1997769
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1997772
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1997775
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1997777
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1997779
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1997781
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1997784
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1997786
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1997791
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1997793
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1997795
- external: https://bugzilla.redhat.com/show_bug.cgi?id=1997801
- external: https://bugzilla.redhat.com/show_bug.cgi?id=2030932
- self: https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_0296.json