Home / mailings [RHSA-2023:1006-01] Important: Red Hat build of Quarkus 2.7.7 release and security update
Posted on 09 March 2023
RedHat===================================================================== Red Hat Security Advisory
Synopsis: Important: Red Hat build of Quarkus 2.7.7 release and security update
Advisory ID: RHSA-2023:1006-01
Product: Red Hat build of Quarkus
Advisory URL: https://access.redhat.com/errata/RHSA-2023:1006
Issue date: 2023-03-08
CVE Names: CVE-2022-1471 CVE-2022-3171 CVE-2022-31197
CVE-2022-41946 CVE-2022-41966 CVE-2022-42003
CVE-2022-42004 CVE-2022-42889 CVE-2023-0044
=====================================================================
1. Summary:
An update is now available for Red Hat build of Quarkus. Red Hat Product
Security has rated this update as having a security impact of Important. A
Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability. For more
information, see the CVE links in the References section.
2. Description:
This release of Red Hat build of Quarkus 2.7.7 includes security updates,
bug
fixes, and enhancements. For more information, see the release notes page
listed
in the References section.
Security Fix(es):
*CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated
which might lead to the Information Disclosure [quarkus-2]
*CVE-2022-41946 jdbc-postgresql: postgresql-jdbc:
PreparedStatement.setText(int, InputStream) will create a temporary file if
the InputStream is larger than 2k [quarkus-2]
*CVE-2022-31197 postgresql: SQL Injection in ResultSet.refreshRow() with
malicious column names [quarkus-2.7]
*CVE-2022-42004 jackson-databind: use of deeply nested arrays [quarkus-2.7]
*CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt
UNWRAP_SINGLE_VALUE_ARRAYS [quarkus-2.7]
*CVE-2022-42889 commons-text: apache-commons-text: variable interpolation
RCE [quarkus-2.7]
*CVE-2022-1471 snakeyaml: Constructor Deserialization Remote Code Execution
[quarkus-2]
*CVE-2022-41966 xstream: Denial of Service by injecting recursive
collections or maps based on element's hash values raising a stack overflow
[quarkus-2.7]
*CVE-2022-3171 protobuf-java: timeout in parser leads to DoS [quarkus-2]
3. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
4. Bugs fixed (https://bugzilla.redhat.com/):
2129428 - CVE-2022-31197 postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
2135435 - CVE-2022-42889 apache-commons-text: variable interpolation RCE
2137645 - CVE-2022-3171 protobuf-java: timeout in parser leads to DoS
2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution
2153399 - CVE-2022-41946 postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions
2158081 - CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure
2170431 - CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow
5. JIRA issues fixed (https://issues.jboss.org/):
QUARKUS-2593 - qpid extension, geronimo-jms_2.0_spec artifacts are not included in maven repo zip
QUARKUS-2705 - Old graal-sdk and nativeimage svm comparing to builder image
QUARKUS-2852 - JReleaser - Specific configuration for maintenance and preview
QUARKUS-2854 - Fix memory leak in Agroal local connection cache for Netty's FastThreadLocalThread
QUARKUS-2855 - Allow CORS same origin requests
QUARKUS-2856 - Handle maintenance releases in release-cli.sh
QUARKUS-2861 - Complete implementation of UriInfoImpl
QUARKUS-2862 - Prevent duplicate HTTP headers when WriterInterceptor is used
QUARKUS-2864 - Fix how certificates are obtained in the RestClient integration tests
QUARKUS-2865 - Remove wrong LANG from dockerfile use parent default
QUARKUS-2866 - Delay initialization of the DefaultChannelId class at runtime
QUARKUS-2867 - Strip debug information from the native executable unconditionally
QUARKUS-2869 - Use proper HttpHeaders FQCN
QUARKUS-2871 - Properly ensure that transfer-encoding is not set when content-length exists
QUARKUS-2872 - Properly initialize elements from the datasource configs
QUARKUS-2873 - Attempt to fix podman DNS issue
QUARKUS-2874 - Clear out OutputStream when a MessageBodyWriter throws an exception
QUARKUS-2876 - Allow to override the Oracle JDBC metadata for native images also on Windows
QUARKUS-2877 - Move excludes for jaeger-thrift to the bom
QUARKUS-2879 - Fix some typos in Maven tooling doc
QUARKUS-2880 - Ensure that File is properly handled in native mode in RESTEasy Reactive
QUARKUS-2882 - Ensure that @WithConverter values work in native mode
QUARKUS-2883 - Provide actionable error message when unable to bind to Unix domain socket
QUARKUS-2884 - Fix the error for non-blocking multipart endpoints
QUARKUS-2885 - List Reactive Oracle Client in Hibernate Reactive guide
QUARKUS-2886 - Fix null query parameter handling in generated RestEasy Reactive clients
QUARKUS-2887 - Podman on Windows needs one /, not two // prefix
QUARKUS-2888 - Allow updating docs for older branches
QUARKUS-2889 - [Guide] fix reactive-sql-clients startup method
QUARKUS-2893 - Normalize uri template name to be a valid regex groupname
QUARKUS-2895 - Support arrays in RESTEasy Reactive Resource methods
6. References:
https://access.redhat.com/security/cve/CVE-2022-1471
https://access.redhat.com/security/cve/CVE-2022-3171
https://access.redhat.com/security/cve/CVE-2022-31197
https://access.redhat.com/security/cve/CVE-2022-41946
https://access.redhat.com/security/cve/CVE-2022-41966
https://access.redhat.com/security/cve/CVE-2022-42003
https://access.redhat.com/security/cve/CVE-2022-42004
https://access.redhat.com/security/cve/CVE-2022-42889
https://access.redhat.com/security/cve/CVE-2023-0044
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/articles/4966181
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=redhat.quarkus&version=2.7.7
7. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.