RHSA-2024:1027 - Security Advisory

Topic

An update is now available for MTA-6.2-RHEL-8 and MTA-6.2-RHEL-9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Migration Toolkit for Applications

Security Fix(es):

• golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)
• jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
• apache-ivy: XML External Entity vulnerability (CVE-2022-46751)
• jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)
• guava: insecure temporary directory creation (CVE-2023-2976)
• follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse() (CVE-2023-26159)
• golang: net/http: insufficient sanitization of Host header (CVE-2023-29406)
• golang: crypto/tls: slow verification of certificate chains containing large RSA keys (CVE-2023-29409)
• jackson-databind: denial of service via cylic dependencies (CVE-2023-35116)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Migration Toolkit for Applications 1 x86_64

Fixes

• BZ - 2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
• BZ - 2155970 - CVE-2022-45693 jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos
• BZ - 2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray
• BZ - 2215214 - CVE-2023-35116 jackson-databind: denial of service via cylic dependencies
• BZ - 2215229 - CVE-2023-2976 guava: insecure temporary directory creation
• BZ - 2222167 - CVE-2023-29406 golang: net/http: insufficient sanitization of Host header
• BZ - 2228743 - CVE-2023-29409 golang: crypto/tls: slow verification of certificate chains containing large RSA keys
• BZ - 2233112 - CVE-2022-46751 apache-ivy: XML External Entity vulnerability
• BZ - 2256413 - CVE-2023-26159 follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse()
• MTA-87 - CVE-2022-45693 org.keycloak-keycloak-parent: jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos [mta-6]

CVEs

• CVE-2007-4559
• CVE-2021-3468
• CVE-2021-3502
• CVE-2021-35937
• CVE-2021-35938
• CVE-2021-35939
• CVE-2021-43618
• CVE-2022-1962
• CVE-2022-24963
• CVE-2022-44638
• CVE-2022-45693
• CVE-2022-46751
• CVE-2023-1436
• CVE-2023-1981
• CVE-2023-2731
• CVE-2023-2976
• CVE-2023-3138
• CVE-2023-3316
• CVE-2023-3576
• CVE-2023-4016
• CVE-2023-4641
• CVE-2023-5363
• CVE-2023-5557
• CVE-2023-5981
• CVE-2023-6135
• CVE-2023-7104
• CVE-2023-22745
• CVE-2023-26159
• CVE-2023-26965
• CVE-2023-26966
• CVE-2023-27043
• CVE-2023-28100
• CVE-2023-28101
• CVE-2023-29406
• CVE-2023-29409
• CVE-2023-29491
• CVE-2023-29499
• CVE-2023-31486
• CVE-2023-32324
• CVE-2023-32611
• CVE-2023-32665
• CVE-2023-34241
• CVE-2023-35116
• CVE-2023-36054
• CVE-2023-38545
• CVE-2023-38546
• CVE-2023-39615
• CVE-2023-39975
• CVE-2023-42917
• CVE-2023-44487
• CVE-2024-0553
• CVE-2024-0567
• CVE-2024-20918
• CVE-2024-20919
• CVE-2024-20921
• CVE-2024-20926
• CVE-2024-20945
• CVE-2024-20952

References

• https://access.redhat.com/security/updates/classification/#moderate