
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1675
              Red Hat Decision Manager 7.12.1 security update
                               19 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Decision Manager 7.12.1
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-22965  

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2022:1379

Comment: CVSS (Max):  8.1 CVE-2022-22965 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: Red Hat Decision Manager 7.12.1 security update
Advisory ID:       RHSA-2022:1379-01
Product:           Red Hat Decision Manager
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1379
Issue date:        2022-04-14
CVE Names:         CVE-2022-22965 
=====================================================================

1. Summary:

An update is now available for Red Hat Decision Manager.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat Decision Manager is an open source decision management platform
that combines business rules management, complex event processing, Decision
Model & Notation (DMN) execution, and business optimization for solving
planning problems. It automates business decisions and makes that logic
available to the entire business.

This asynchronous security patch is an update to Red Hat Decision Manager
7.

Security Fix(es):

* spring-webmvc: spring-framework: RCE via Data Binding on JDK 9+
(CVE-2022-22965)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

A Spring MVC or Spring WebFlux application running on JDK 9 and above might
be vulnerable to remote code execution (RCE) via data binding. The specific
exploit requires the application to run on Tomcat as a WAR deployment.

This release upgrades Spring to 5.3.18 and Spring Boot to 2.6.6, which fixes
the Spring MVC and WebFlux jars.
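The three conditions the advisory states (an affected Spring MVC/WebFlux jar, JDK 9 or newer, and, for the known exploit, a WAR deployment on Tomcat) can be turned into a triage check for a deployment inventory. This is an added example, not Red Hat's or Spring's tooling; it assumes Maven-style jar names such as spring-webmvc-5.3.17.jar and treats anything below the 5.3.18 named here as pre-fix.

```python
# Triage check for the CVE-2022-22965 conditions listed in the advisory.
# Added example, not Red Hat's or Spring's tooling; assumes Spring jars are on
# disk with Maven-style names such as spring-webmvc-5.3.17.jar.
import re
from pathlib import Path

FIXED_SPRING = (5, 3, 18)  # Spring Framework version this update moves to

# Artifacts the advisory says the update fixes; optional qualifier like .RELEASE
JAR_RE = re.compile(
    r"^(spring-webmvc|spring-webflux)-(\d+)\.(\d+)\.(\d+)(?:\.[\w-]+)?\.jar$")


def parse_spring_jar(name):
    """Return (artifact, (major, minor, patch)) or None for non-matching jars."""
    m = JAR_RE.match(name)
    if m is None:
        return None
    return m.group(1), tuple(int(m.group(i)) for i in (2, 3, 4))


def outdated_jars(jar_names):
    """Spring MVC/WebFlux jars below 5.3.18. Assumption: every older line is
    treated as pre-fix, since the advisory names only 5.3.18 as fixed."""
    found = []
    for name in jar_names:
        parsed = parse_spring_jar(name)
        if parsed is not None and parsed[1] < FIXED_SPRING:
            found.append(name)
    return found


def triage(jar_names, jdk_major, tomcat_war):
    """Combine the advisory's conditions: outdated jar, JDK 9+, Tomcat WAR."""
    old = outdated_jars(jar_names)
    if not old:
        status = "not_affected"
    elif jdk_major < 9:
        status = "update_advised"          # affected jar, but JDK 9+ precondition absent
    elif tomcat_war:
        status = "exploit_conditions_met"  # every precondition of the known exploit present
    else:
        status = "vulnerable"              # vulnerable component; known exploit needs Tomcat WAR
    return {"status": status, "outdated": old}


def scan_deployment(root):
    """Collect jar file names under a deployment directory (e.g. an exploded WAR)."""
    return sorted(p.name for p in Path(root).rglob("*.jar"))


if __name__ == "__main__":
    # Constructed sample inventory, not taken from a real system
    sample = ["spring-webmvc-5.3.17.jar", "spring-webflux-5.3.18.jar",
              "jackson-databind-2.13.2.jar"]
    print(triage(sample, jdk_major=11, tomcat_war=True))
```

Run `scan_deployment` against an unpacked deployment and feed its result to `triage` together with the JDK major version and deployment type gathered from the host.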

For on-premise installations, before applying the update, back up your
existing installation, including all applications, configuration files,
databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application
Server process before installing this update; after installing the update,
restart the server by starting the JBoss Application Server process.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

2070348 - CVE-2022-22965 spring-framework: RCE via Data Binding on JDK 9+

5. References:

https://access.redhat.com/security/cve/CVE-2022-22965
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/security/vulnerabilities/RHSB-2022-003
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=rhdm&version=7.12.1

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================