Details of VAR-202203-1400

ID

VAR-202203-1400

CVE

CVE-2020-36518

TITLE

Red Hat Security Advisory 2022-5101-01

Trust: 0.1

sources: PACKETSTORM: 167523

DESCRIPTION

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. Description: AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. For further information, refer to the release notes linked to in the References section. The References section of this erratum contains a download link (you must log in to download the update). Bugs fixed (https://bugzilla.redhat.com/): 1739497 - CVE-2019-10744 nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties 2028254 - CVE-2021-4040 AMQ Broker: Malformed message can result in partial DoS (OOM) 2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling 2063601 - CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 2075441 - CVE-2022-22968 Spring Framework: Data Binding Rules Vulnerability 2089406 - CVE-2022-1833 amq: AMQ Broker Operator ClusterWide Edit Permissions Due Token Exposure 5. Description: Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 7.4.5 security update on RHEL 7 Advisory ID: RHSA-2022:4918-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2022:4918 Issue date: 2022-06-06 CVE Names: CVE-2020-36518 CVE-2021-37136 CVE-2021-37137 CVE-2021-42392 CVE-2021-43797 CVE-2022-0084 CVE-2022-0853 CVE-2022-0866 CVE-2022-1319 CVE-2022-21299 CVE-2022-21363 CVE-2022-23221 CVE-2022-23437 CVE-2022-23913 CVE-2022-24785 ==================================================================== 1. Summary: A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss EAP 7.4 for RHEL 7 Server - noarch, x86_64 3. Description: Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.5 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.4 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.5 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es): * h2: Loading of custom classes from remote servers through JNDI (CVE-2022-23221) * jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518) * netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136) * netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137) * h2: Remote Code Execution in Console (CVE-2021-42392) * netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797) * xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr (CVE-2022-0084) * wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled (CVE-2022-0866) * undertow: Double AJP response for 400 from EAP 7 results in CPING failures (CVE-2022-1319) * OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646) (CVE-2022-21299) * mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors (CVE-2022-21363) * xerces-j2: infinite loop when handling specially crafted XML document payloads (CVE-2022-23437) * artemis-commons: Apache ActiveMQ Artemis DoS (CVE-2022-23913) * Moment.js: Path traversal in moment.locale (CVE-2022-24785) * jboss-client: memory leakage in remote client transaction (CVE-2022-0853) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data 2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way 2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling 2039403 - CVE-2021-42392 h2: Remote Code Execution in Console 2041472 - CVE-2022-21299 OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646) 2044596 - CVE-2022-23221 h2: Loading of custom classes from remote servers through JNDI 2047200 - CVE-2022-23437 xerces-j2: infinite loop when handling specially crafted XML document payloads 2047343 - CVE-2022-21363 mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors 2060725 - CVE-2022-0853 jboss-client: memory leakage in remote client transaction 2060929 - CVE-2022-0866 wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled 2063601 - CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS 2064226 - CVE-2022-0084 xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale 2073890 - CVE-2022-1319 undertow: Double AJP response for 400 from EAP 7 results in CPING failures 6. JIRA issues fixed (https://issues.jboss.org/): JBEAP-23120 - Tracker bug for the EAP 7.4.5 release for RHEL-7 JBEAP-23171 - (7.4.z) Upgrade HAL from 3.3.9.Final-redhat-00001 to 3.3.12.Final-redhat-00001 JBEAP-23194 - Upgrade hibernate-validator from 6.0.22.Final-redhat-00002 to 6.0.23-redhat-00001 JBEAP-23241 - [GSS](7.4.z) Upgrade jberet from 1.3.9 to 1.3.9.SP1 JBEAP-23299 - (7.4.z) Upgrade Artemis from 2.16.0.redhat-00034 to 2.16.0.redhat-00042 JBEAP-23300 - [GSS](7.4.z) Upgrade JBoss Remoting from 5.0.23.SP1 to 5.0.24.SP1 JBEAP-23312 - (7.4.z) Upgrade WildFly Core from 15.0.8.Final-redhat-00001 to 15.0.12.Final-redhat-00001 JBEAP-23313 - (7.4.z) Upgrade Elytron from 1.15.11.Final-redhat-00002 to 1.15.12.Final-redhat-00001 JBEAP-23336 - (7.4.z) Upgrade Hibernate ORM from 5.3.25.Final-redhat-00002 to 5.3.26.Final-redhat-00002 JBEAP-23338 - [GSS](7.4.z) Upgrade Undertow from 2.2.16 to 2.2.17.SP3 JBEAP-23339 - [GSS](7.4.z) Upgrade wildfly-http-ejb-client from 1.1.10 to 1.1.11.SP1 JBEAP-23351 - (7.4.z) Upgrade org.apache.logging.log4j from 2.17.1.redhat-00001 to 2.17.1.redhat-00002 JBEAP-23353 - (7.4.z) Upgrade wildfly-transaction-client from 1.1.14.Final-redhat-00001 to 1.1.15.Final-redhat-x JBEAP-23429 - [PM](7.4.z) JDK17 Update Tested Configurations page and make note in Update release notes JBEAP-23432 - [GSS](7.4.z) Upgrade JSF API from 3.0.0.SP04 to 3.0.0.SP05 JBEAP-23451 - [PST] (7.4.z) Upgrade to FasterXML Jackson to 2.12.6.redhat-00001 and Jackson Databind to 2.12.6.1.redhat-00003 JBEAP-23531 - [GSS](7.4.z) Upgrade Undertow from 2.2.17.SP3 to 2.2.17.SP4 JBEAP-23532 - (7.4.z) Upgrade WildFly Core from 15.0.12.Final-redhat-00001 to 15.0.13.Final-redhat-00001 7. Package List: Red Hat JBoss EAP 7.4 for RHEL 7 Server: Source: eap7-activemq-artemis-2.16.0-9.redhat_00042.1.el7eap.src.rpm eap7-h2database-1.4.197-2.redhat_00004.1.el7eap.src.rpm eap7-hal-console-3.3.12-1.Final_redhat_00001.1.el7eap.src.rpm eap7-hibernate-5.3.26-1.Final_redhat_00002.2.el7eap.src.rpm eap7-hibernate-validator-6.0.23-1.Final_redhat_00001.1.el7eap.src.rpm eap7-jackson-annotations-2.12.6-1.redhat_00001.1.el7eap.src.rpm eap7-jackson-core-2.12.6-1.redhat_00001.1.el7eap.src.rpm eap7-jackson-databind-2.12.6.1-1.redhat_00003.1.el7eap.src.rpm eap7-jackson-jaxrs-providers-2.12.6-1.redhat_00001.1.el7eap.src.rpm eap7-jackson-modules-base-2.12.6-1.redhat_00001.1.el7eap.src.rpm eap7-jackson-modules-java8-2.12.6-1.redhat_00001.1.el7eap.src.rpm eap7-jberet-1.3.9-1.SP1_redhat_00001.1.el7eap.src.rpm eap7-jboss-jsf-api_2.3_spec-3.0.0-4.SP05_redhat_00002.1.el7eap.src.rpm eap7-jboss-remoting-5.0.24-1.SP1_redhat_00001.1.el7eap.src.rpm eap7-jboss-server-migration-1.10.0-16.Final_redhat_00015.1.el7eap.src.rpm eap7-jboss-xnio-base-3.8.7-1.SP1_redhat_00001.1.el7eap.src.rpm eap7-log4j-2.17.1-2.redhat_00002.1.el7eap.src.rpm eap7-netty-4.1.72-4.Final_redhat_00001.1.el7eap.src.rpm eap7-netty-tcnative-2.0.48-1.Final_redhat_00001.1.el7eap.src.rpm eap7-netty-transport-native-epoll-4.1.72-1.Final_redhat_00001.1.el7eap.src.rpm eap7-snakeyaml-1.29.0-1.redhat_00001.2.el7eap.src.rpm eap7-undertow-2.2.17-2.SP4_redhat_00001.1.el7eap.src.rpm eap7-wildfly-7.4.5-3.GA_redhat_00001.1.el7eap.src.rpm eap7-wildfly-elytron-1.15.12-1.Final_redhat_00001.1.el7eap.src.rpm eap7-wildfly-http-client-1.1.11-1.SP1_redhat_00001.1.el7eap.src.rpm eap7-wildfly-transaction-client-1.1.15-1.Final_redhat_00001.1.el7eap.src.rpm eap7-xerces-j2-2.12.0-3.SP04_redhat_00001.1.el7eap.src.rpm noarch: eap7-activemq-artemis-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-cli-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-commons-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-core-client-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-dto-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-hornetq-protocol-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-hqclient-protocol-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-jdbc-store-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-jms-client-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-jms-server-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-journal-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-ra-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-selector-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-server-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-service-extensions-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-tools-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-h2database-1.4.197-2.redhat_00004.1.el7eap.noarch.rpm eap7-hal-console-3.3.12-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-hibernate-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm eap7-hibernate-core-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm eap7-hibernate-entitymanager-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm eap7-hibernate-envers-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm eap7-hibernate-java8-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm eap7-hibernate-validator-6.0.23-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-hibernate-validator-cdi-6.0.23-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jackson-annotations-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-core-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-databind-2.12.6.1-1.redhat_00003.1.el7eap.noarch.rpm eap7-jackson-datatype-jdk8-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-datatype-jsr310-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-jaxrs-base-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-jaxrs-json-provider-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-module-jaxb-annotations-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-modules-base-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-modules-java8-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jberet-1.3.9-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-jberet-core-1.3.9-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-jsf-api_2.3_spec-3.0.0-4.SP05_redhat_00002.1.el7eap.noarch.rpm eap7-jboss-remoting-5.0.24-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-server-migration-1.10.0-16.Final_redhat_00015.1.el7eap.noarch.rpm eap7-jboss-server-migration-cli-1.10.0-16.Final_redhat_00015.1.el7eap.noarch.rpm eap7-jboss-server-migration-core-1.10.0-16.Final_redhat_00015.1.el7eap.noarch.rpm eap7-jboss-xnio-base-3.8.7-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-log4j-2.17.1-2.redhat_00002.1.el7eap.noarch.rpm eap7-netty-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-all-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-buffer-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-dns-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-haproxy-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-http-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-http2-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-memcache-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-mqtt-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-redis-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-smtp-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-socks-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-stomp-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-xml-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-common-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-handler-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-handler-proxy-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-resolver-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-resolver-dns-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-resolver-dns-classes-macos-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-tcnative-2.0.48-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-classes-epoll-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-classes-kqueue-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-native-unix-common-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-rxtx-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-sctp-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-udt-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-snakeyaml-1.29.0-1.redhat_00001.2.el7eap.noarch.rpm eap7-undertow-2.2.17-2.SP4_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-elytron-1.15.12-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-elytron-tool-1.15.12-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-client-common-1.1.11-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-ejb-client-1.1.11-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-naming-client-1.1.11-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-transaction-client-1.1.11-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-java-jdk11-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-java-jdk8-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-javadocs-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-modules-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-transaction-client-1.1.15-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-xerces-j2-2.12.0-3.SP04_redhat_00001.1.el7eap.noarch.rpm x86_64: eap7-netty-transport-native-epoll-4.1.72-1.Final_redhat_00001.1.el7eap.x86_64.rpm eap7-netty-transport-native-epoll-debuginfo-4.1.72-1.Final_redhat_00001.1.el7eap.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2020-36518 https://access.redhat.com/security/cve/CVE-2021-37136 https://access.redhat.com/security/cve/CVE-2021-37137 https://access.redhat.com/security/cve/CVE-2021-42392 https://access.redhat.com/security/cve/CVE-2021-43797 https://access.redhat.com/security/cve/CVE-2022-0084 https://access.redhat.com/security/cve/CVE-2022-0853 https://access.redhat.com/security/cve/CVE-2022-0866 https://access.redhat.com/security/cve/CVE-2022-1319 https://access.redhat.com/security/cve/CVE-2022-21299 https://access.redhat.com/security/cve/CVE-2022-21363 https://access.redhat.com/security/cve/CVE-2022-23221 https://access.redhat.com/security/cve/CVE-2022-23437 https://access.redhat.com/security/cve/CVE-2022-23913 https://access.redhat.com/security/cve/CVE-2022-24785 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/ 9. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYp5qBdzjgjWX9erEAQgudg/+KIuaXQZawyOnSNF4IIR8WYnfcW8Ojsfk 27VFNY6WCSn07IkzyDFuCLHsmUEesiJvpYssOx4CuX1YEmlF7S/KepyI6QDVC+BV hFAfaVE1gdrny1sqaS8k4VFE9rHODML1q2yyeUNgdtL4YGdOeduqOEn6Q6GS/rvh +8vCZFkFb9QKxxItc1xvxvU8kAomQun+eqr040IHuF0jAZfLI18/5vzsPqeQG+Ua qU4CG5FucVytEkJCnQ8Ci3QH3FCm/BPqotyhO3OAi1b5+db+fT+UqJpiuHYCsPcQ 8DRKizi/ia6Rq5b/OTFodA8lo6U3nDIljJ7QcuADgGzX4fak+BxQNkQMfhS4/b01 /yFU034PmQBTJpm0r5Vb4V4lBWzAi5QMDttI4wncuM3VGbxSoEEXzdzFHVzgoy1r qDGfJ1C5VnSJeLawDa6tGyndBiVga/PPgx0CoSIPsAYnjXYfJM1DsohUXppTL1k+ z8W2UIoIGqycYdCm60uJ+qbzqLlODNXmXn154OJL3O/o6Nz7O+uqVt+WfaNnwO/Y wf85wHGjzLaOALZfly/fENQr5Aijb9WqavN3tbcipj6+F4D3OLJMOSap8+TOXF3C StEX/XQpQASMmemvHJr/8c9Fx6tumJ+hLI4EyXfNdlYFJFQY4l4J0X6+mH047B3G R+RN8v8nzXQ{m6 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Description: Logging Subsystem 5.6.0 - Red Hat OpenShift * logging-view-plugin-container: loader-utils: prototype pollution in function parseQuery in parseQuery.js (CVE-2022-37601) * logging-elasticsearch6-container: jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518) * logging-loki-container: various flaws (CVE-2022-2879 CVE-2022-2880 CVE-2022-41715) * logging-loki-container: golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664) * golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190) * org.elasticsearch-elasticsearch: jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003) * org.elasticsearch-elasticsearch: jackson-databind: use of deeply nested arrays (CVE-2022-42004) 3. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. Bugs fixed (https://bugzilla.redhat.com/): 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 2124668 - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances 2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY 2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers 2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters 2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps 2134876 - CVE-2022-37601 loader-utils: prototype pollution in function parseQuery in parseQuery.js 2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS 2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays 5. JIRA issues fixed (https://issues.jboss.org/): LOG-2217 - [Vector] Loss of logs when using Vector as collector. LOG-2620 - containers violate PodSecurity -- Core LOG-2819 - the `.level` field they are getting the "ERROR" but in `.structure.level` field they are getting "INFO" LOG-2822 - Evaluating rule failure in LokiRuler pods for Alerting and recording rules LOG-2843 - tls.key and tls.cert not in fluentd real configuration when forwarding logs using syslog tls LOG-2919 - CLO is constantly failing to create already existing logging objects (HTTP 409) LOG-2962 - Add the `version` file to Must-Gather archive LOG-2993 - consoleexternalloglinks.console.openshift.io/kibana should be removed once Kibana is deleted LOG-3072 - Non-admin user with 'view' role can't see any logs in 'Logs' view LOG-3090 - Custom outputs defined in ClusterLogForwarder overwritten when using LokiStack as default log storage LOG-3129 - Kibana Authentication Exception cookie issue LOG-3157 - Resources associated with collector / fluentd keep on getting recreated LOG-3161 - the content of secret elasticsearch-metrics-token is recreated continually LOG-3168 - Ruler pod throwing 'failed loading deletes for user' error after alerting/recording rules are created LOG-3169 - Unable to install Loki operator from upstream repo on OCP 4.12 LOG-3180 - fluentd plugin for kafka ca-bundle secret doesn't support multiple CAs LOG-3186 - [Loki] unable to determine tls profile settings when creating a LokiStack instance with custom global tlsSecurityProfile config LOG-3194 - Collector pod violates PodSecurity "restricted:v1.24" when using lokistack as the default log store in OCP 4.12. LOG-3195 - [Vector] logs parsed into structured when json is set without structured types. LOG-3208 - must-gather is empty for logging with CLO image LOG-3224 - Can't forward logs to non-clusterlogging managed ES using vector. LOG-3235 - cluster-logging.5.5.3 failing to deploy on ROSA LOG-3286 - LokiStack doesn't reconcile to use the changed tlsSecurityProfile set in the global config. LOG-3292 - Loki Controller manager in CrashLoop due to failure to list *v1.Proxy LOG-3296 - Cannot use default Replication Factor for shirt size LOG-3309 - Can't choose correct CA ConfigMap Key when creating lokistack in Console LOG-3324 - [vector] the key_pass should be text in vector.toml when forward log to splunk LOG-3331 - [release-5.6] Reconcile error on controller when creating LokiStack with tls config LOG-3446 - [must-gather] oc adm must-gather execution hangs indefinitely when collecting information for Cluster Logging. The following advisory data is extracted from: https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3061.json Red Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment

Trust: 1.8

sources: NVD: CVE-2020-36518 // VULHUB: VHN-415522 // PACKETSTORM: 167523 // PACKETSTORM: 168621 // PACKETSTORM: 167423 // PACKETSTORM: 170602 // PACKETSTORM: 178714 // PACKETSTORM: 169728 // PACKETSTORM: 169727 // PACKETSTORM: 169725 // PACKETSTORM: 170179

AFFECTED PRODUCTS

vendor:	oracle	model:	primavera p6 enterprise project portfolio management	scope:	gte	version:	17.12.0.0	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	10.0	Trust: 1.0
vendor:	oracle	model:	primavera gateway	scope:	lte	version:	17.12.11	Trust: 1.0
vendor:	oracle	model:	primavera gateway	scope:	lte	version:	19.12.13	Trust: 1.0
vendor:	oracle	model:	sd-wan edge	scope:	eq	version:	9.1	Trust: 1.0
vendor:	oracle	model:	utilities framework	scope:	eq	version:	4.4.0.3.0	Trust: 1.0
vendor:	oracle	model:	communications cloud native core network repository function	scope:	eq	version:	22.2.0	Trust: 1.0
vendor:	oracle	model:	financial services analytical applications infrastructure	scope:	eq	version:	8.1.2.0	Trust: 1.0
vendor:	netapp	model:	oncommand workflow automation	scope:	eq	version:	-	Trust: 1.0
vendor:	oracle	model:	primavera p6 enterprise project portfolio management	scope:	lte	version:	17.12.20.4	Trust: 1.0
vendor:	oracle	model:	weblogic server	scope:	eq	version:	12.2.1.3.0	Trust: 1.0
vendor:	oracle	model:	primavera unifier	scope:	eq	version:	18.0	Trust: 1.0
vendor:	oracle	model:	financial services crime and compliance management studio	scope:	eq	version:	8.0.8.3.0	Trust: 1.0
vendor:	oracle	model:	global lifecycle management nextgen oui framework	scope:	eq	version:	13.9.4.2.2	Trust: 1.0
vendor:	oracle	model:	weblogic server	scope:	eq	version:	12.2.1.4.0	Trust: 1.0
vendor:	oracle	model:	primavera unifier	scope:	eq	version:	20.12	Trust: 1.0
vendor:	oracle	model:	big data spatial and graph	scope:	lt	version:	23.1	Trust: 1.0
vendor:	oracle	model:	financial services enterprise case management	scope:	lte	version:	8.1.2.1	Trust: 1.0
vendor:	oracle	model:	communications cloud native core console	scope:	eq	version:	1.9.0	Trust: 1.0
vendor:	oracle	model:	financial services enterprise case management	scope:	eq	version:	8.0.8.1	Trust: 1.0
vendor:	oracle	model:	peoplesoft enterprise peopletools	scope:	eq	version:	8.59	Trust: 1.0
vendor:	oracle	model:	sd-wan edge	scope:	eq	version:	9.0	Trust: 1.0
vendor:	oracle	model:	financial services behavior detection platform	scope:	gte	version:	8.1.1.0	Trust: 1.0
vendor:	oracle	model:	primavera p6 enterprise project portfolio management	scope:	lte	version:	19.12.19.0	Trust: 1.0
vendor:	oracle	model:	communications cloud native core security edge protection proxy	scope:	eq	version:	22.1.1	Trust: 1.0
vendor:	oracle	model:	financial services trade-based anti money laundering	scope:	eq	version:	8.0.8	Trust: 1.0
vendor:	oracle	model:	health sciences empirica signal	scope:	eq	version:	9.1.0.5.2	Trust: 1.0
vendor:	oracle	model:	communications cloud native core service communication proxy	scope:	eq	version:	22.2.0	Trust: 1.0
vendor:	oracle	model:	commerce platform	scope:	eq	version:	11.3.1	Trust: 1.0
vendor:	oracle	model:	financial services behavior detection platform	scope:	eq	version:	8.0.8	Trust: 1.0
vendor:	oracle	model:	primavera p6 enterprise project portfolio management	scope:	gte	version:	18.8.0.0	Trust: 1.0
vendor:	oracle	model:	primavera unifier	scope:	eq	version:	21.12	Trust: 1.0
vendor:	oracle	model:	financial services behavior detection platform	scope:	eq	version:	8.0.7.0.0	Trust: 1.0
vendor:	oracle	model:	utilities framework	scope:	eq	version:	4.3.0.5.0	Trust: 1.0
vendor:	oracle	model:	financial services analytical applications infrastructure	scope:	gte	version:	8.0.7	Trust: 1.0
vendor:	oracle	model:	utilities framework	scope:	eq	version:	4.3.0.6.0	Trust: 1.0
vendor:	oracle	model:	primavera p6 enterprise project portfolio management	scope:	gte	version:	20.12.0.0	Trust: 1.0
vendor:	oracle	model:	financial services behavior detection platform	scope:	lte	version:	8.1.2.1	Trust: 1.0
vendor:	netapp	model:	snap creator framework	scope:	eq	version:	-	Trust: 1.0
vendor:	oracle	model:	commerce platform	scope:	eq	version:	11.3.0	Trust: 1.0
vendor:	oracle	model:	global lifecycle management nextgen oui framework	scope:	lt	version:	13.9.4.2.2	Trust: 1.0
vendor:	oracle	model:	financial services crime and compliance management studio	scope:	eq	version:	8.0.8.2.0	Trust: 1.0
vendor:	oracle	model:	global lifecycle management opatch	scope:	lt	version:	12.2.0.1.30	Trust: 1.0
vendor:	oracle	model:	financial services analytical applications infrastructure	scope:	eq	version:	8.1.1.0	Trust: 1.0
vendor:	oracle	model:	primavera gateway	scope:	lte	version:	21.12.1	Trust: 1.0
vendor:	oracle	model:	primavera p6 enterprise project portfolio management	scope:	lte	version:	18.8.25.4	Trust: 1.0
vendor:	oracle	model:	primavera gateway	scope:	gte	version:	17.12.0	Trust: 1.0
vendor:	oracle	model:	communications billing and revenue management	scope:	lte	version:	12.0.0.6.0	Trust: 1.0
vendor:	fasterxml	model:	jackson-databind	scope:	gte	version:	2.13.0	Trust: 1.0
vendor:	oracle	model:	utilities framework	scope:	eq	version:	4.4.0.5.0	Trust: 1.0
vendor:	oracle	model:	communications billing and revenue management	scope:	gte	version:	12.0.0.4.0	Trust: 1.0
vendor:	oracle	model:	communications cloud native core network slice selection function	scope:	eq	version:	22.1.0	Trust: 1.0
vendor:	oracle	model:	primavera p6 enterprise project portfolio management	scope:	lte	version:	21.12.4.0	Trust: 1.0
vendor:	oracle	model:	weblogic server	scope:	eq	version:	14.1.1.0.0	Trust: 1.0
vendor:	netapp	model:	cloud insights acquisition unit	scope:	eq	version:	-	Trust: 1.0
vendor:	fasterxml	model:	jackson-databind	scope:	lt	version:	2.13.2.1	Trust: 1.0
vendor:	oracle	model:	primavera gateway	scope:	gte	version:	19.12.0	Trust: 1.0
vendor:	oracle	model:	communications cloud native core network slice selection function	scope:	eq	version:	22.1.1	Trust: 1.0
vendor:	oracle	model:	spatial studio	scope:	lt	version:	20.1.0	Trust: 1.0
vendor:	oracle	model:	financial services trade-based anti money laundering	scope:	eq	version:	8.0.7	Trust: 1.0
vendor:	oracle	model:	communications cloud native core binding support function	scope:	eq	version:	22.1.3	Trust: 1.0
vendor:	oracle	model:	utilities framework	scope:	eq	version:	4.4.0.2.0	Trust: 1.0
vendor:	oracle	model:	primavera gateway	scope:	gte	version:	18.8.0	Trust: 1.0
vendor:	oracle	model:	financial services enterprise case management	scope:	gte	version:	8.1.1.0	Trust: 1.0
vendor:	oracle	model:	retail sales audit	scope:	eq	version:	15.0.3.1	Trust: 1.0
vendor:	oracle	model:	primavera unifier	scope:	gte	version:	17.0	Trust: 1.0
vendor:	oracle	model:	financial services enterprise case management	scope:	eq	version:	8.0.7.2	Trust: 1.0
vendor:	oracle	model:	financial services analytical applications infrastructure	scope:	lte	version:	8.1.0.0	Trust: 1.0
vendor:	netapp	model:	oncommand insight	scope:	eq	version:	-	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	9.0	Trust: 1.0
vendor:	oracle	model:	commerce platform	scope:	eq	version:	11.3.2	Trust: 1.0
vendor:	oracle	model:	financial services enterprise case management	scope:	eq	version:	8.0.8.0	Trust: 1.0
vendor:	oracle	model:	financial services enterprise case management	scope:	eq	version:	8.0.7.1	Trust: 1.0
vendor:	oracle	model:	primavera gateway	scope:	gte	version:	21.12.0	Trust: 1.0
vendor:	fasterxml	model:	jackson-databind	scope:	lt	version:	2.12.6.1	Trust: 1.0
vendor:	oracle	model:	financial services analytical applications infrastructure	scope:	eq	version:	8.1.2.1	Trust: 1.0
vendor:	oracle	model:	primavera unifier	scope:	lte	version:	17.12	Trust: 1.0
vendor:	oracle	model:	primavera gateway	scope:	lte	version:	20.12.18	Trust: 1.0
vendor:	netapp	model:	active iq unified manager	scope:	eq	version:	-	Trust: 1.0
vendor:	oracle	model:	utilities framework	scope:	eq	version:	4.4.0.0.0	Trust: 1.0
vendor:	oracle	model:	primavera gateway	scope:	gte	version:	20.12.0	Trust: 1.0
vendor:	oracle	model:	communications cloud native core unified data repository	scope:	eq	version:	22.2.0	Trust: 1.0
vendor:	oracle	model:	graph server and client	scope:	lt	version:	22.2.0	Trust: 1.0
vendor:	oracle	model:	primavera unifier	scope:	eq	version:	19.12	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	11.0	Trust: 1.0
vendor:	oracle	model:	communications cloud native core network repository function	scope:	eq	version:	22.1.2	Trust: 1.0
vendor:	oracle	model:	coherence	scope:	eq	version:	14.1.1.0.0	Trust: 1.0
vendor:	oracle	model:	primavera gateway	scope:	lte	version:	18.8.14	Trust: 1.0
vendor:	oracle	model:	peoplesoft enterprise peopletools	scope:	eq	version:	8.58	Trust: 1.0
vendor:	oracle	model:	primavera p6 enterprise project portfolio management	scope:	gte	version:	19.12.0	Trust: 1.0

sources: NVD: CVE-2020-36518

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-36518
value:	HIGH
Trust: 1.0
134c704f-9b21-4f2e-91b3-4a467353bcc0:	CVE-2020-36518
value:	HIGH
Trust: 1.0
VULHUB:	VHN-415522
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-36518
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
VULHUB:	VHN-415522
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-36518
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 2.0

sources: VULHUB: VHN-415522 // NVD: CVE-2020-36518 // NVD: CVE-2020-36518

PROBLEMTYPE DATA

problemtype:

CWE-787

Trust: 1.1

sources: VULHUB: VHN-415522 // NVD: CVE-2020-36518

TYPE

code execution, xss

Trust: 0.4

sources: PACKETSTORM: 168621 // PACKETSTORM: 169728 // PACKETSTORM: 169727 // PACKETSTORM: 169725

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-415522

EXTERNAL IDS

db:	NVD	id:	CVE-2020-36518	Trust: 2.0
db:	PACKETSTORM	id:	170179	Trust: 0.2
db:	PACKETSTORM	id:	169728	Trust: 0.2
db:	PACKETSTORM	id:	170602	Trust: 0.2
db:	PACKETSTORM	id:	169725	Trust: 0.2
db:	PACKETSTORM	id:	169727	Trust: 0.2
db:	PACKETSTORM	id:	167423	Trust: 0.2
db:	PACKETSTORM	id:	167523	Trust: 0.2
db:	PACKETSTORM	id:	168646	Trust: 0.1
db:	PACKETSTORM	id:	169920	Trust: 0.1
db:	PACKETSTORM	id:	168333	Trust: 0.1
db:	PACKETSTORM	id:	167842	Trust: 0.1
db:	PACKETSTORM	id:	167841	Trust: 0.1
db:	PACKETSTORM	id:	170162	Trust: 0.1
db:	PACKETSTORM	id:	167579	Trust: 0.1
db:	PACKETSTORM	id:	167157	Trust: 0.1
db:	PACKETSTORM	id:	169926	Trust: 0.1
db:	PACKETSTORM	id:	169729	Trust: 0.1
db:	PACKETSTORM	id:	167422	Trust: 0.1
db:	PACKETSTORM	id:	168631	Trust: 0.1
db:	PACKETSTORM	id:	167424	Trust: 0.1
db:	VULHUB	id:	VHN-415522	Trust: 0.1
db:	PACKETSTORM	id:	168621	Trust: 0.1
db:	PACKETSTORM	id:	178714	Trust: 0.1

sources: VULHUB: VHN-415522 // PACKETSTORM: 167523 // PACKETSTORM: 168621 // PACKETSTORM: 167423 // PACKETSTORM: 170602 // PACKETSTORM: 178714 // PACKETSTORM: 169728 // PACKETSTORM: 169727 // PACKETSTORM: 169725 // PACKETSTORM: 170179 // NVD: CVE-2020-36518

REFERENCES

url:	https://security.netapp.com/advisory/ntap-20220506-0004/	Trust: 1.1
url:	https://www.debian.org/security/2022/dsa-5283	Trust: 1.1
url:	https://github.com/fasterxml/jackson-databind/issues/2816	Trust: 1.1
url:	https://www.oracle.com/security-alerts/cpuapr2022.html	Trust: 1.1
url:	https://www.oracle.com/security-alerts/cpujul2022.html	Trust: 1.1
url:	https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html	Trust: 1.1
url:	https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html	Trust: 1.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-36518	Trust: 0.9
url:	https://access.redhat.com/security/team/contact/	Trust: 0.8
url:	https://access.redhat.com/security/cve/cve-2020-36518	Trust: 0.8
url:	https://bugzilla.redhat.com/):	Trust: 0.8
url:	https://listman.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.8
url:	https://access.redhat.com/security/updates/classification/#moderate	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-43797	Trust: 0.6
url:	https://access.redhat.com/security/cve/cve-2021-43797	Trust: 0.6
url:	https://access.redhat.com/articles/11258	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2022-0084	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2022-0866	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2022-0084	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2021-42392	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2022-0866	Trust: 0.5
url:	https://access.redhat.com/security/cve/cve-2021-42392	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2022-0225	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2022-2668	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2022-2668	Trust: 0.4
url:	https://access.redhat.com/security/cve/cve-2022-0225	Trust: 0.4
url:	https://access.redhat.com/security/team/key/	Trust: 0.4
url:	https://issues.jboss.org/):	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2022-23913	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2022-23913	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2022-42004	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2022-42003	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2019-10744	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/red_hat_amq_broker/	Trust: 0.1
url:	https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product=jboss.amq.broker&version=7.10.0	Trust: 0.1
url:	https://access.redhat.com/security/updates/classification/#important	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2019-10744	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-1833	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-1833	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:5101	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-22968	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-4040	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-4040	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-22968	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-2256	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:6783	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-2256	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-23437	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:4918	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-24785	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-37137	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-21299	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-21299	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-23221	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-24785	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-37137	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-1319	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-21363	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-37136	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-1319	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-37136	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-0853	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-23437	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-23221	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-0853	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-21363	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-41715	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-2880	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-2880	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-27664	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-2879	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-27664	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-41715	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-37601	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2023:0264	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-42003	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-2879	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-32190	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-42004	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-37601	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-32190	Trust: 0.1
url:	https://issues.redhat.com/browse/rhel-19140	Trust: 0.1
url:	https://issues.redhat.com/browse/rhel-12764	Trust: 0.1
url:	https://issues.redhat.com/browse/rhel-16724	Trust: 0.1
url:	https://issues.redhat.com/browse/rhel-22445	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2024:3061	Trust: 0.1
url:	https://issues.redhat.com/browse/rhel-12765	Trust: 0.1
url:	https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.10_release_notes/index	Trust: 0.1
url:	https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3061.json	Trust: 0.1
url:	https://bugzilla.redhat.com/show_bug.cgi?id=2064698	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:7409	Trust: 0.1
url:	https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=core.service.rhsso&downloadtype=securitypatches&version=7.6	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:7417	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:7411	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-36516	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-24448	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-26710	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:8889	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-22628	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-21618	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-3515	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-0168	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-21628	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2016-3709	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-0617	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-0924	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-0562	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-2639	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-0908	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-1055	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-2068	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-0865	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-2097	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-35527	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-35525	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-26373	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-26709	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-20368	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-1048	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-3640	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-0561	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-0617	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-39399	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-0562	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-0854	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-22629	Trust: 0.1
url:	https://docs.openshift.com/container-platform/4.9/logging/cluster-logging-upgrading.html	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-29581	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-1016	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-2078	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-22844	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-42898	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-2938	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-21499	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-1927	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-36946	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-0865	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-1897	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-36558	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-27405	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2016-3709	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-0909	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-1852	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-0561	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-35527	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-0854	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-30293	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-27406	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-0168	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-21624	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-1304	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-26717	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-1785	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-21626	Trust: 0.1
url:	https://docs.openshift.com/container-platform/4.9/logging/cluster-logging-release-notes.html	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-28390	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-36558	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-26716	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-1586	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-30002	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-27950	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-27404	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-2586	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-23960	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-3640	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-30002	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-0891	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-1184	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-35525	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-22624	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-2509	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-26700	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-25255	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-26719	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-34903	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-21619	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-37434	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-1292	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-1355	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2020-36516	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-22662	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-28893	Trust: 0.1

CREDITS

Red Hat

Trust: 0.9

sources: PACKETSTORM: 167523 // PACKETSTORM: 168621 // PACKETSTORM: 167423 // PACKETSTORM: 170602 // PACKETSTORM: 178714 // PACKETSTORM: 169728 // PACKETSTORM: 169727 // PACKETSTORM: 169725 // PACKETSTORM: 170179

SOURCES

db:	VULHUB	id:	VHN-415522
db:	PACKETSTORM	id:	167523
db:	PACKETSTORM	id:	168621
db:	PACKETSTORM	id:	167423
db:	PACKETSTORM	id:	170602
db:	PACKETSTORM	id:	178714
db:	PACKETSTORM	id:	169728
db:	PACKETSTORM	id:	169727
db:	PACKETSTORM	id:	169725
db:	PACKETSTORM	id:	170179
db:	NVD	id:	CVE-2020-36518

LAST UPDATE DATE

2026-03-23T20:33:28.503000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-415522	date:	2022-11-29T00:00:00
db:	NVD	id:	CVE-2020-36518	date:	2025-08-27T21:15:36.420

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-415522	date:	2022-03-11T00:00:00
db:	PACKETSTORM	id:	167523	date:	2022-06-20T14:39:27
db:	PACKETSTORM	id:	168621	date:	2022-10-05T14:25:53
db:	PACKETSTORM	id:	167423	date:	2022-06-07T15:14:53
db:	PACKETSTORM	id:	170602	date:	2023-01-20T15:25:30
db:	PACKETSTORM	id:	178714	date:	2024-05-23T14:01:51
db:	PACKETSTORM	id:	169728	date:	2022-11-04T13:43:56
db:	PACKETSTORM	id:	169727	date:	2022-11-04T13:43:44
db:	PACKETSTORM	id:	169725	date:	2022-11-04T13:43:17
db:	PACKETSTORM	id:	170179	date:	2022-12-09T14:52:40
db:	NVD	id:	CVE-2020-36518	date:	2022-03-11T07:15:07.800