-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.6619
        Red Hat build of Quarkus 2.13.8 release and security update
                             13 November 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat build of Quarkus 2.13.8
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-28867 CVE-2023-26053 CVE-2023-2974
                   CVE-2023-1584 CVE-2023-1436 CVE-2023-0482
                   CVE-2023-0481 CVE-2022-45787 CVE-2022-3782

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2023:3809

Comment: CVSS (Max):  8.1 CVE-2022-3782 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

====================================================================
                Red Hat Security Advisory

Synopsis:          Moderate: Red Hat build of Quarkus 2.13.8 release
                   and security update
Advisory ID:       RHSA-2023:3809
Product:           Red Hat build of Quarkus 2.13.8.Final
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3809
Issue date:        2023-06-29
CVE Names:         CVE-2022-45787 CVE-2023-0481 CVE-2023-1584 CVE-2023-2974
                   CVE-2023-28867
=====================================================================

1. Summary:

An update is now available for Red Hat build of Quarkus. Red Hat Product
Security has rated this update as having a security impact of Moderate. A Common
Vulnerability Scoring System (CVSS) base score, which gives a detailed severity
rating, is available for each vulnerability. For more information, see the CVE
links in the References section.

2. Description:

This release of Red Hat build of Quarkus 2.13.8 includes security updates, bug
fixes, and enhancements. For more information, see the release notes page listed
in the References section.

Security Fixes:

* CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray [quarkus-2]

* CVE-2023-26053 gradle: usage of long IDs for PGP keys is unsafe and is subject
to collision attacks [quarkus-2]

* CVE-2023-28867 graphql-java: crafted GraphQL query causes stack consumption
[quarkus-2]

* CVE-2023-1584 quarkus-oidc: ID and access tokens leak via the authorization
code flow [quarkus-2]

* CVE-2023-0482 RESTEasy: creation of insecure temp files [quarkus-2]

* CVE-2022-3782 keycloak: path traversal via double URL encoding [quarkus-2]

* CVE-2023-0481 io.quarkus-quarkus-parent: quarkus: insecure permissions on temp
files [quarkus-2]

* CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in
MIME4J TempFileStorageProvider [quarkus-2]

For more information about the security issues, including the impact, a CVSS
score, acknowledgments, and other related information, see the CVE links listed
in the References section.
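Three of the fixes above (CVE-2023-0481, CVE-2023-0482, CVE-2022-45787) belong to the same weakness class: a temporary file created with the process umask rather than owner-only permissions, so other local users on a shared /tmp can read data buffered through it. The following Java snippet is an added illustration of that class and its usual remedy; it is not code from Quarkus, RESTEasy or MIME4J, and the file name prefix, method names and the "upload" scenario are assumed for the example.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

/**
 * Illustrates the "insecure permissions on temp files" weakness class.
 * Hypothetical example: not code from any of the projects named in the advisory.
 */
public class TempFilePermissions {

    /** Weak: java.io.File.createTempFile only honours the process umask, so on a
     *  typical system (umask 022) the file is created 0644, readable by every local user. */
    static Path weakTempFile() throws IOException {
        File f = File.createTempFile("upload-", ".tmp");
        return f.toPath();
    }

    /** Hardened: request owner-only access (rw-------, 0600) atomically at creation,
     *  so there is no window in which the file is readable before a chmod. */
    static Path hardenedTempFile() throws IOException {
        try {
            Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rw-------");
            FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(ownerOnly);
            return Files.createTempFile("upload-", ".tmp", attr);
        } catch (UnsupportedOperationException e) {
            // Non-POSIX file system (e.g. Windows): fall back to the NIO default,
            // which already limits the file to the creating user.
            return Files.createTempFile("upload-", ".tmp");
        }
    }

    /** Audit helper: true if any group or "others" permission bit is set. */
    static boolean isGroupOrWorldAccessible(Path p) throws IOException {
        for (PosixFilePermission perm : Files.getPosixFilePermissions(p)) {
            String name = perm.name();
            if (name.startsWith("GROUP_") || name.startsWith("OTHERS_")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        // The permission audit is only meaningful on POSIX file systems.
        boolean posix = FileSystems.getDefault().supportedFileAttributeViews().contains("posix");
        Path weak = weakTempFile();
        Path hardened = hardenedTempFile();
        try {
            if (posix) {
                System.out.println("File.createTempFile  -> "
                    + PosixFilePermissions.toString(Files.getPosixFilePermissions(weak))
                    + (isGroupOrWorldAccessible(weak) ? "  (readable by other local users)" : ""));
                System.out.println("Files.createTempFile -> "
                    + PosixFilePermissions.toString(Files.getPosixFilePermissions(hardened)));
            } else {
                System.out.println("Non-POSIX file system; permission bits not inspected.");
            }
        } finally {
            // Temp files should be removed as soon as their content has been consumed.
            Files.deleteIfExists(weak);
            Files.deleteIfExists(hardened);
        }
    }
}
```

The point for an operator reviewing this class of bug is the difference between the two creation calls: java.nio.file.Files.createTempFile applies owner-only permissions on POSIX platforms by default, whereas java.io.File.createTempFile does not, and passing the attribute explicitly records the intent in code review. The audit helper is the kind of check worth running in a test suite against any component that spools request bodies or attachments to disk.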

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2158916 - CVE-2022-45787 - Temporary File Information Disclosure in MIME4J
TempFileStorageProvider
2163533 - CVE-2023-0481 - quarkus: insecure permissions on temp files 
2180886 - CVE-2023-1584 - quarkus-oidc: ID and access tokens leak via the
authorization code flow
2211026 - CVE-2023-2974 - quarkus-core: TLS protocol configured with
quarkus.http.ssl.protocols is not enforced, client can enforce weaker supported
TLS protocol
2181977 - CVE-2023-28867 - graphql-java: crafted GraphQL query causes stack
consumption

5. References:

https://access.redhat.com/security/cve/CVE-2022-45787
https://access.redhat.com/security/cve/CVE-2023-0481
https://access.redhat.com/security/cve/CVE-2023-1584
https://access.redhat.com/security/cve/CVE-2023-2974
https://access.redhat.com/security/cve/CVE-2023-28867
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.13/
https://access.redhat.com/articles/4966181

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----