-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.3726
        Red Hat build of Quarkus 2.13.8 release and security update
                                30 June 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat build of Quarkus 2.13.8
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-28867 CVE-2023-26053 CVE-2023-2974
                   CVE-2023-1584 CVE-2023-1436 CVE-2023-0482
                   CVE-2023-0481 CVE-2022-45787 CVE-2022-3782

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2023:3809

Comment: CVSS (Max):  8.1 CVE-2022-3782 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat build of Quarkus 2.13.8 release and security update
Advisory ID:       RHSA-2023:3809-01
Product:           Red Hat build of Quarkus
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3809
Issue date:        2023-06-29
CVE Names:         CVE-2022-45787 CVE-2023-0481 CVE-2023-0482
                   CVE-2023-1436 CVE-2023-1584 CVE-2023-2974
                   CVE-2023-26053 CVE-2023-28867
=====================================================================

1. Summary:

An update is now available for Red Hat build of Quarkus.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability. For
more information, see the CVE links in the References section.

2. Description:

This release of Red Hat build of Quarkus 2.13.8 includes security updates,
bug fixes, and enhancements. For more information, see the release notes
page listed in the References section.

Security Fixes:

* CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray [quarkus-2]

* CVE-2023-26053 gradle: usage of long IDs for PGP keys is unsafe and is
  subject to collision attacks [quarkus-2]

* CVE-2023-28867 graphql-java: crafted GraphQL query causes stack consumption
  [quarkus-2]

* CVE-2023-1584 quarkus-oidc: ID and access tokens leak via the authorization
  code flow [quarkus-2]

* CVE-2023-0482 RESTEasy: creation of insecure temp files [quarkus-2]

* CVE-2022-3782 keycloak: path traversal via double URL encoding [quarkus-2]

* CVE-2023-0481 io.quarkus-quarkus-parent: quarkus: insecure permissions on
  temp files [quarkus-2]

* CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure
  in MIME4J TempFileStorageProvider [quarkus-2]

For more information about the security issues, including the impact, a CVSS
score, acknowledgments, and other related information, see the CVE links
listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2158916 - CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider
2163533 - CVE-2023-0481 quarkus: insecure permissions on temp files
2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files
2174854 - CVE-2023-26053 gradle: usage of long IDs for PGP keys is unsafe and is subject to collision attacks
2180886 - CVE-2023-1584 quarkus-oidc: ID and access tokens leak via the authorization code flow
2181977 - CVE-2023-28867 graphql-java: crafted GraphQL query causes stack consumption
2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray
2211026 - CVE-2023-2974 quarkus-core: TLS protocol configured with quarkus.http.ssl.protocols is not enforced, client can enforce weaker supported TLS protocol

5. JIRA issues fixed (https://issues.redhat.com/):

QUARKUS-2672 - Infinispan client is not aligned with newly released Red Hat Data Grid 8.4
QUARKUS-2787 - Rest Data Panache: Correct Open API integration
QUARKUS-2846 - Ensure that new line chars don't break Panache projection
QUARKUS-2978 - ExceptionMapper<WebApplicationException> is not working in DEV mode
QUARKUS-3158 - Do not create session and PKCE encryption keys if only bearer tokens are expected
QUARKUS-3159 - 2.13: Do not support any Origin by default if CORS is enabled
QUARKUS-3161 - Fix security-csrf-prevention.adoc
QUARKUS-3164 - Logging with Panache: fix LocalVariablesSorter usage
QUARKUS-3167 - Make SDKMAN releases minor for maintenance and preview releases
QUARKUS-3168 - Backport Ensure that ConfigBuilder classes work in native mode to 2.13
QUARKUS-3169 - New home for Narayana LRA coordinator Docker images
QUARKUS-3170 - Fix truststore REST Client config when password is not set
QUARKUS-3173 - Reinitialize sun.security.pkcs11.P11Util at runtime
QUARKUS-3174 - Prevent SSE writing from potentially causing accumulation of headers
QUARKUS-3175 - Filter out RESTEasy related warning in ProviderConfigInjectionWarningsTest
QUARKUS-3176 - Make sure parent modules are loaded into workspace before those that depend on them
QUARKUS-3177 - Fix copy paste error in qute docs
QUARKUS-3178 - Pass `--userns=keep-id` to podman only when in rootless mode
QUARKUS-3179 - Fix stuck HTTP2 request when sent challenge has resumed request
QUARKUS-3181 - Make sure quarkus:go-offline properly supports test scoped dependencies
QUARKUS-3184 - Use SchemaType.ARRAY instead of "ARRAY" for native support
QUARKUS-3185 - Simplify logic in create-app.adoc and allow to define stream
QUARKUS-3187 - Allow context propagation for OpenTelemetry
QUARKUS-3188 - Fix RestAssured URL handling and unexpected restarts in QuarkusProdModeTest
QUARKUS-3191 - Drop ':z' bind option when using MacOS and Podman
QUARKUS-3194 - Exclude Netty's reflection configuration files
QUARKUS-3195 - Integrate the api dependency from Infinispan 14 (#ISPN-14268)
QUARKUS-3205 - Missing JARs and other discrepancies related to xpp3 dependency in 2.13.8.

6. References:

https://access.redhat.com/security/cve/CVE-2022-45787
https://access.redhat.com/security/cve/CVE-2023-0481
https://access.redhat.com/security/cve/CVE-2023-0482
https://access.redhat.com/security/cve/CVE-2023-1436
https://access.redhat.com/security/cve/CVE-2023-1584
https://access.redhat.com/security/cve/CVE-2023-2974
https://access.redhat.com/security/cve/CVE-2023-26053
https://access.redhat.com/security/cve/CVE-2023-28867
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.13/
https://access.redhat.com/articles/4966181

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
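Added example (not code from Red Hat, Quarkus, RESTEasy or apache-james-mime4j). Three of the fixes above, CVE-2023-0481, CVE-2023-0482 and CVE-2022-45787, are the same class of weakness: a temporary file created with permissions that let other local users on the host read it. The advisory does not say which call each component used; the contrast below is the usual one behind this class in Java code. java.io.File.createTempFile opens the file with mode 0666 and relies on the process umask alone, so under the common umask 022 the file is world-readable, whereas java.nio.file.Files.createTempFile defaults to owner-only permissions on POSIX and can be told so explicitly. The class name, the "upload-" prefix and the isExposed helper are this example's own; it assumes a POSIX filesystem (Linux or macOS).

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Set;

/*
 * Added example, not Quarkus/RESTEasy/mime4j code. Creates one temp file with
 * the legacy java.io idiom and one with the java.nio idiom, then reports
 * whether anyone other than the owner can touch each. POSIX only (Linux, macOS):
 * on Windows the POSIX attribute view is absent and the permission calls throw
 * UnsupportedOperationException.
 */
public class TempFileHardening {

    // Any of these bits means a different local user can read, write or execute the file.
    private static final Set<PosixFilePermission> NON_OWNER_BITS = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE, PosixFilePermission.GROUP_EXECUTE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    // Legacy idiom. java.io.File.createTempFile opens with mode 0666 and relies on the
    // process umask alone; with the common umask 022 the result is world-readable.
    // The "upload-" prefix is an assumption for the example.
    static Path legacyTempFile() throws IOException {
        return File.createTempFile("upload-", ".tmp").toPath();
    }

    // Hardened idiom. java.nio Files.createTempFile already defaults to owner-only (0600)
    // on POSIX; passing rw------- explicitly documents the intent instead of relying on
    // the platform default.
    static Path hardenedTempFile() throws IOException {
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
        return Files.createTempFile("upload-", ".tmp", ownerOnly);
    }

    // Check a practitioner can drop into a unit test or a startup self-check:
    // true if any group/other permission bit is set on the file.
    static boolean isExposed(Path p) throws IOException {
        return !Collections.disjoint(Files.getPosixFilePermissions(p), NON_OWNER_BITS);
    }

    static String describe(String label, Path p) throws IOException {
        String mode = PosixFilePermissions.toString(Files.getPosixFilePermissions(p));
        return String.format("%-22s %s  %s", label, mode,
                isExposed(p) ? "EXPOSED to other users" : "owner only");
    }

    public static void main(String[] args) throws IOException {
        Path legacy = legacyTempFile();
        Path hardened = hardenedTempFile();
        try {
            System.out.println(describe("File.createTempFile", legacy));
            System.out.println(describe("Files.createTempFile", hardened));
        } finally {
            // A temp file is an information-disclosure surface for as long as it exists;
            // delete it as soon as the work is done.
            Files.deleteIfExists(legacy);
            Files.deleteIfExists(hardened);
        }
    }
}
```

Run it with a Linux or macOS JDK: under umask 022 the first line reports the legacy file as exposed and the second reports the hardened file as owner only; with a stricter umask such as 077 both come out owner only, which is exactly why the legacy idiom cannot be relied on in a deployment you do not control. When hunting for this class in your own code or in vendored libraries, search for File.createTempFile and for any hand-rolled new File(tmpdir, name) followed by a stream open; Files.createTempFile without attributes is already safe on POSIX, but the explicit form above makes the review trivial.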
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZJ2oPdzjgjWX9erEAQg7vA//XRjryfzKARIPLNbuzypdOTlJ4YXfwNgb
JZZLBVMxv7ckStVpyklHkg1IdmqgjGJki4dDKpS/dMRIcKibRHq5v92mJp/fYX4H
meoN9H06RvMarWPzVodY+lo2kS5p6xcgd1+tOQhqJYMvVuuY58tOFvbLhDYgcU4x
dDXwS3mLN4URrs0Jk4pop1z/E8An/xVJmCG2QRybpsmC9XxVi0jETDJ1278Gxe1q
iUOgvONd4XjA+rPI+5iEt2hA2VG2IjvzzERmZA9+n7MuxkYP+QTSIFR/CldhATNy
y/Vuy7ZzLVDd4DODqexWLv98GjKJnR48jwjA/KB0ZcSD9jum+C4el9514VxQlwf5
bIc1K8lspc97RKyiJaq/J0PYNXYjHZ0dd53U6eqntxKBJcvu468j1xKv68y3pLHg
0QFTbqtq55F9KTNhRqeMEuC0ly6EuwLl+0jDkpTIqPNjuzDDwLBaTjlm4aEYXSF6
9CMoNpQCwq5/6TeyH+9pScWKSWO0jblCiY4tJojJ0V5vPIs8U+2CJmb0iJzx3tKj
PUY4Wz3KCnFLwgU+laCznvW2IrmrFnSCm3cTm1Y36i9jfX1Y4NZhxonN8avn+ty3
eF5AtyFLgE5KmlkwkUy+F3HAZb9qzRzHHjRPw4xbkekEZp28t7xifOuKGOWfFYT2
WUbTnwA26jw=
=JLoW
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZJ4o28kNZI30y1K9AQhwKBAAidu/4qtnkS9/3wSAkNSfirEsXCJ6wlay
JZ2dK28ZCgw95PcJs47Td+Ejy0GRLcvQQ+Md1RZm7i3//zEIMpOTNmq0azWKERBe
6fq7Nxphz9w1C/Lxh1OMJ/Hl1Yn5r/tHn70XZOGc3VqjU1uytHOeP3Cr9zRMfD8b
T0Xc/I/ZtcWTZekx5c0h4fFflbfWhXbVUroKGiLxn+9ocBasHUJVVURSVYrUl6/5
xJsohlvMuPc/u5vWv752QSkJdMBKdRpkl0EpNyINCsKOkSL2Y13xcfQm+6yepvDy
yq6vp8cKcZJOg5hjSiBZDUS1WV+GiveSvlmXlnPdRMw+Ltd7bbzfGRc4vxN+vIiY
lQj++7nEyW0ZrVuR9Q7El1Wqb1/X4DzBY2aijpsXP53hvriPE8qEv0+7g+YAi0UY
QmBIyuez+1Cb2VTVo9ejJdvIeRgBIhw6eXZ6buCHyMoz8t6a1fYukw4/oNGhrmYx
sTDPA3Kv6df8ddc9pjT5fi3kzx8lP+Q/OvJAfmLodCYflQ9h4UO4ViQq1N3gMQGd
qcNWcZAbFBaLabb7YWgLfZGEh1ok4ZU1OYpnD6G0x+QXwsIetX2yKZAh48X18XvY
UHphZZOtBUBgJNyhyPL3hb8J9yQMuCq4FPDMC40AfRNTbGvNWBxN0+570gjPpMZZ
GcMoxrqZ0Mw=
=r+Lk
-----END PGP SIGNATURE-----