CVE-2021-21409 (GCVE-0-2021-21409)
Vulnerability from cvelistv5 – Published: 2021-03-30 15:05 – Updated: 2024-08-03 18:09
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:16.144Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432"
},
{
"name": "DSA-4885",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4885"
},
{
"name": "[zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] ayushmantri opened a new pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Updated] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] arshadmohammad commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210408 [zookeeper] branch master updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Resolved] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210408 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210408 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] asfgit closed pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210408 [zookeeper] 01/02: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210409 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210419 [GitHub] [pulsar] lhotari opened a new pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210419 [GitHub] [pulsar] lhotari commented on pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210420 [GitHub] [pulsar] eolivelli merged pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898%40%3Cdev.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[kafka-jira] 20210506 [GitHub] [kafka] dongjinleekr opened a new pull request #10642: KAFKA-12756: Update Zookeeper to 3.6.3 or higher",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210517 [jira] [Updated] (ZOOKEEPER-4295) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210517 [GitHub] [zookeeper] gpiyush-dev opened a new pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210521 [GitHub] [zookeeper] maoling commented on pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5%40%3Cissues.flink.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210604-0003/"
},
{
"name": "[zookeeper-issues] 20210727 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210727 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210727 [GitHub] [zookeeper] sandipbhattacharya commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210922 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210923 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210923 [jira] [Assigned] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210923 [jira] [Updated] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210924 [jira] [Resolved] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210924 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4385. Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "netty",
"vendor": "netty",
"versions": [
{
"status": "affected",
"version": "\u003c 4.1.61.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers \u0026 clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-19T23:24:02.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432"
},
{
"name": "DSA-4885",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4885"
},
{
"name": "[zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] ayushmantri opened a new pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Updated] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] arshadmohammad commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210408 [zookeeper] branch master updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Resolved] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210408 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210408 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] asfgit closed pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210408 [zookeeper] 01/02: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210409 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210419 [GitHub] [pulsar] lhotari opened a new pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210419 [GitHub] [pulsar] lhotari commented on pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210420 [GitHub] [pulsar] eolivelli merged pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898%40%3Cdev.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[kafka-jira] 20210506 [GitHub] [kafka] dongjinleekr opened a new pull request #10642: KAFKA-12756: Update Zookeeper to 3.6.3 or higher",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210517 [jira] [Updated] (ZOOKEEPER-4295) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210517 [GitHub] [zookeeper] gpiyush-dev opened a new pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210521 [GitHub] [zookeeper] maoling commented on pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5%40%3Cissues.flink.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210604-0003/"
},
{
"name": "[zookeeper-issues] 20210727 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210727 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210727 [GitHub] [zookeeper] sandipbhattacharya commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d%40%3Cissues.kudu.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210922 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210923 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210923 [jira] [Assigned] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210923 [jira] [Updated] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210924 [jira] [Resolved] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210924 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4385. Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"source": {
"advisory": "GHSA-f256-j965-7f32",
"discovery": "UNKNOWN"
},
"title": "Possible request smuggling in HTTP/2 due missing validation of content-length",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21409",
"STATE": "PUBLIC",
"TITLE": "Possible request smuggling in HTTP/2 due missing validation of content-length"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "netty",
"version": {
"version_data": [
{
"version_value": "\u003c 4.1.61.Final"
}
]
}
}
]
},
"vendor_name": "netty"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers \u0026 clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32",
"refsource": "CONFIRM",
"url": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32"
},
{
"name": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj",
"refsource": "MISC",
"url": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj"
},
{
"name": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295",
"refsource": "MISC",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295"
},
{
"name": "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432",
"refsource": "MISC",
"url": "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432"
},
{
"name": "DSA-4885",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4885"
},
{
"name": "[zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] ayushmantri opened a new pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Updated] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] arshadmohammad commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210408 [zookeeper] branch master updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Resolved] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210408 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210408 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210408 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] asfgit closed pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210408 [zookeeper] 01/02: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210409 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210419 [GitHub] [pulsar] lhotari opened a new pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210419 [GitHub] [pulsar] lhotari commented on pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210420 [GitHub] [pulsar] eolivelli merged pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898@%3Cdev.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324@%3Cissues.flink.apache.org%3E"
},
{
"name": "[kafka-jira] 20210506 [GitHub] [kafka] dongjinleekr opened a new pull request #10642: KAFKA-12756: Update Zookeeper to 3.6.3 or higher",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e@%3Cissues.flink.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210517 [jira] [Updated] (ZOOKEEPER-4295) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210517 [GitHub] [zookeeper] gpiyush-dev opened a new pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210521 [GitHub] [zookeeper] maoling commented on pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c@%3Cissues.flink.apache.org%3E"
},
{
"name": "[flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5@%3Cissues.flink.apache.org%3E"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210604-0003/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210604-0003/"
},
{
"name": "[zookeeper-issues] 20210727 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210727 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210727 [GitHub] [zookeeper] sandipbhattacharya commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc@%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3@%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b@%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb@%3Cissues.kudu.apache.org%3E"
},
{
"name": "[kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d@%3Cissues.kudu.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210922 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210923 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210923 [jira] [Assigned] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210923 [jira] [Updated] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210924 [jira] [Resolved] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210924 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4385. Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
]
},
"source": {
"advisory": "GHSA-f256-j965-7f32",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21409",
"datePublished": "2021-03-30T15:05:17.000Z",
"dateReserved": "2020-12-22T00:00:00.000Z",
"dateUpdated": "2024-08-03T18:09:16.144Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2021-21409",
"date": "2026-06-18",
"epss": "0.04935",
"percentile": "0.91028"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"4.1.61\", \"matchCriteriaId\": \"BC283248-0EB5-46CA-A68C-4FF004D606F8\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:netapp:oncommand_api_services:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5EC98B22-FFAA-4B59-8E63-EBAA4336AD13\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5735E553-9731-4AAC-BCFF-989377F817B3\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0CF9A061-2421-426D-9854-0A4E55B2961D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F95EDC3D-54BB-48F9-82F2-7CCF335FCA78\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B72B735F-4E52-484A-9C2C-23E6E2070385\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8B36A1D4-F391-4EE3-9A65-0A10568795BA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"55116032-AAD1-4FEA-9DA8-2C4CBD3D3F61\"}, {\"vulnerable\": true, \"criteria\": 
\"cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0275F820-40BE-47B8-B167-815A55DF578E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9E14324D-B9EE-4C06-ACC7-255189ED6300\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CBEBB60F-6EAB-4AE5-B777-5044C657FBA8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B185C1EA-71E6-4972-8637-08A33CC00841\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:coherence:12.2.1.4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2FF57C7A-92C9-4D71-A7B1-CC9DEFAA8193\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5FA64A1D-34F9-4441-857A-25C165E6DBB6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"06594847-96ED-4541-B2F4-C7331B603603\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:communications_cloud_native_core_console:1.7.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BC12B43F-30F6-4B05-AB3A-E91D8404D5A5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4479F76A-4B67-41CC-98C7-C76B81050F8E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:communications_design_studio:7.4.2.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"040DA31B-2A0C-46F6-8EDF-9B88F9FB0F48\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E1214FDF-357A-4BB9-BADE-50FB2BD16D10\"}, {\"vulnerable\": true, \"criteria\": 
\"cpe:2.3:a:oracle:helidon:1.4.10:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4E7626D2-D9FF-416A-9581-852CED0D8C24\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:helidon:2.4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"99344A5D-F4B7-49B4-9AE6-0E2FB3874EA5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"9.2.6.3\", \"matchCriteriaId\": \"BE34D4F7-5C18-4578-8D0A-722FDF931333\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"21.1.12\", \"matchCriteriaId\": \"7167D144-C4AE-487F-B59A-888E10EA59DF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"17.12.0\", \"versionEndIncluding\": \"17.12.11\", \"matchCriteriaId\": \"8B1C88FD-C2EC-4C96-AC7E-6F95C8763B48\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"18.8.0\", \"versionEndIncluding\": \"18.8.11\", \"matchCriteriaId\": \"53E2276C-9515-46F6-A621-213A3047B9A6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"19.12.0\", \"versionEndIncluding\": \"19.12.10\", \"matchCriteriaId\": \"3EF7E2B4-B741-41E9-8EF6-6C415AB9EF54\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"1.13.7\", \"matchCriteriaId\": \"64839EBF-078E-492A-897C-9AFFB7678ED8\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers \u0026 clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.\"}, {\"lang\": \"es\", \"value\": \"Netty es un framework de aplicaci\\u00f3n de red de c\\u00f3digo abierto y as\\u00edncrono event-driven para el desarrollo r\\u00e1pido de servidores y clientes de protocolo de alto rendimiento mantenibles.\u0026#xa0;En Netty (io.netty:netty-codec-http2) versiones anteriores a 4.1.61.Final se presenta una vulnerabilidad que permite el trafico no autorizado de peticiones.\u0026#xa0;El encabezado content-length no es comprobado correctamente si la petici\\u00f3n solo usa un \\u00fanico Http2HeaderFrame con endStream establecido en verdadero.\u0026#xa0;Esto podr\\u00eda conllevar al trafico no autorizado de peticiones si la petici\\u00f3n se env\\u00eda a un peer remoto y se traduce a HTTP/1.1.\u0026#xa0;Este es un seguimiento de GHSA-wm47-8v5p-wjpj/CVE-2021-21295 que no pudo solucionar este caso.\u0026#xa0;Esto se corrigi\\u00f3 como parte de la versi\\u00f3n 4.1.61.Final.\"}]",
"id": "CVE-2021-21409",
"lastModified": "2024-11-21T05:48:17.963",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2021-03-30T15:15:14.573",
"references": "[{\"url\": \"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c%40%3Cissues.flink.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9%40%3Cnotifications.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": 
\"https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5%40%3Ccommits.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d%40%3Cissues.kudu.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a%40%3Cissues.flink.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795%40%3Cnotifications.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5%40%3Cissues.flink.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8%40%3Ccommits.pulsar.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355%40%3Ccommits.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": 
\"https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de%40%3Cdev.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed%40%3Ccommits.pulsar.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e%40%3Cissues.flink.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2%40%3Ccommits.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898%40%3Cdev.flink.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": 
\"https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb%40%3Cissues.kudu.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa%40%3Cjira.kafka.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3%40%3Cissues.kudu.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362%40%3Cdev.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc%40%3Cissues.kudu.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": 
\"https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101%40%3Ccommits.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e%40%3Ccommits.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8%40%3Cnotifications.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39%40%3Cnotifications.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324%40%3Cissues.flink.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575%40%3Cdev.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183%40%3Cnotifications.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4%40%3Cnotifications.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": 
\"https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35%40%3Ccommits.pulsar.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b%40%3Cissues.kudu.apache.org%3E\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20210604-0003/\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2021/dsa-4885\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": 
\"https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c%40%3Cissues.flink.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9%40%3Cnotifications.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5%40%3Ccommits.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": 
\"https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d%40%3Cissues.kudu.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a%40%3Cissues.flink.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795%40%3Cnotifications.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5%40%3Cissues.flink.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8%40%3Ccommits.pulsar.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355%40%3Ccommits.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de%40%3Cdev.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": 
\"https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed%40%3Ccommits.pulsar.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e%40%3Cissues.flink.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2%40%3Ccommits.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898%40%3Cdev.flink.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb%40%3Cissues.kudu.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": 
\"https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa%40%3Cjira.kafka.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3%40%3Cissues.kudu.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362%40%3Cdev.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc%40%3Cissues.kudu.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101%40%3Ccommits.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": 
\"https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e%40%3Ccommits.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8%40%3Cnotifications.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102%40%3Cissues.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39%40%3Cnotifications.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324%40%3Cissues.flink.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575%40%3Cdev.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183%40%3Cnotifications.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4%40%3Cnotifications.zookeeper.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35%40%3Ccommits.pulsar.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d%40%3Cissues.zookeeper.apache.org%3E\", \"source\": 
\"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b%40%3Cissues.kudu.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20210604-0003/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2021/dsa-4885\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-444\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-444\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2021-21409\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-03-30T15:15:14.573\",\"lastModified\":\"2024-11-21T05:48:17.963\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers \u0026 clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.\"},{\"lang\":\"es\",\"value\":\"Netty es un framework de aplicaci\u00f3n de red de c\u00f3digo abierto y as\u00edncrono event-driven para el desarrollo r\u00e1pido de servidores y clientes de protocolo de alto rendimiento mantenibles.\u0026#xa0;En Netty (io.netty:netty-codec-http2) versiones anteriores a 4.1.61.Final se presenta una vulnerabilidad que permite el trafico no autorizado de peticiones.\u0026#xa0;El encabezado content-length no es comprobado correctamente si la petici\u00f3n solo usa un \u00fanico Http2HeaderFrame con endStream establecido en verdadero.\u0026#xa0;Esto podr\u00eda conllevar al trafico no autorizado de peticiones si la petici\u00f3n se env\u00eda a un peer remoto y se traduce a HTTP/1.1.\u0026#xa0;Este es un seguimiento de GHSA-wm47-8v5p-wjpj/CVE-2021-21295 que no pudo solucionar este caso.\u0026#xa0;Esto se corrigi\u00f3 como parte de la versi\u00f3n 
4.1.61.Final.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-444\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-444\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"
cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.1.61\",\"matchCriteriaId\":\"BC283248-0EB5-46CA-A68C-4FF004D606F8\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:oncommand_api_services:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5EC98B22-FFAA-4B59-8E63-EBAA4336AD13\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5735E553-9731-4AAC-BCFF-989377F817B3\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0CF9A061-2421-426D-9854-0A4E55B2961D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F95EDC3D-54BB-48F9-82F2-7CCF335FCA78\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B72B735F-4E52-484A-9C2C-23E6E2070385\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B36A1D4-F391-4EE3-9A65-0A10568795BA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"55116032-AAD1-4FEA-9DA8-2C4CBD3D3F61\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0275F820-40BE-47B8-B167-815A55DF578E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_trade_finance_process_management
:14.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9E14324D-B9EE-4C06-ACC7-255189ED6300\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CBEBB60F-6EAB-4AE5-B777-5044C657FBA8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B185C1EA-71E6-4972-8637-08A33CC00841\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:coherence:12.2.1.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2FF57C7A-92C9-4D71-A7B1-CC9DEFAA8193\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5FA64A1D-34F9-4441-857A-25C165E6DBB6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"06594847-96ED-4541-B2F4-C7331B603603\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_cloud_native_core_console:1.7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BC12B43F-30F6-4B05-AB3A-E91D8404D5A5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4479F76A-4B67-41CC-98C7-C76B81050F8E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_design_studio:7.4.2.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"040DA31B-2A0C-46F6-8EDF-9B88F9FB0F48\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E1214FDF-357A-4BB9-BADE-50FB2BD16D10\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:helidon:1.4.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4E7626D2-D9FF-416A-9581-852CED0D8C24\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:helidon:2.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"99344A5D-F4B7-49B4-9AE6-0E2FB3874EA5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools
:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"9.2.6.3\",\"matchCriteriaId\":\"BE34D4F7-5C18-4578-8D0A-722FDF931333\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"21.1.12\",\"matchCriteriaId\":\"7167D144-C4AE-487F-B59A-888E10EA59DF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"17.12.0\",\"versionEndIncluding\":\"17.12.11\",\"matchCriteriaId\":\"8B1C88FD-C2EC-4C96-AC7E-6F95C8763B48\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"18.8.0\",\"versionEndIncluding\":\"18.8.11\",\"matchCriteriaId\":\"53E2276C-9515-46F6-A621-213A3047B9A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"19.12.0\",\"versionEndIncluding\":\"19.12.10\",\"matchCriteriaId\":\"3EF7E2B4-B741-41E9-8EF6-6C415AB9EF54\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.13.7\",\"matchCriteriaId\":\"64839EBF-078E-492A-897C-9AFFB7678ED8\"}]}]}],\"references\":[{\"url\":\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party 
Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c%40%3Cissues.flink.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9%40%3Cnotifications.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5%40%3Ccommits.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d%40%3Cissues.kudu.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3
b58802c63734e33324b70a06a%40%3Cissues.flink.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795%40%3Cnotifications.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5%40%3Cissues.flink.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8%40%3Ccommits.pulsar.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355%40%3Ccommits.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de%40%3Cdev.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed%40%3Ccommits.pulsar.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"security-advisories@
github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e%40%3Cissues.flink.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2%40%3Ccommits.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898%40%3Cdev.flink.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb%40%3Cissues.kudu.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda4
3d32a7d7837187%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa%40%3Cjira.kafka.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3%40%3Cissues.kudu.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362%40%3Cdev.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc%40%3Cissues.kudu.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101%40%3Ccommits.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e%40%3Ccommits.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8%40%3Cnotifications.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39%40%3Cnotifications.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\
"},{\"url\":\"https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324%40%3Cissues.flink.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575%40%3Cdev.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183%40%3Cnotifications.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4%40%3Cnotifications.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35%40%3Ccommits.pulsar.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b%40%3Cissues.kudu.apache.org%3E\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20210604-0003/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2021/dsa-4885\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com//security-alerts/cpujul2021.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2022.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party 
Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2022.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2021.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party 
Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c%40%3Cissues.flink.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9%40%3Cnotifications.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5%40%3Ccommits.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d%40%3Cissues.kudu.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://l
ists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a%40%3Cissues.flink.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795%40%3Cnotifications.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5%40%3Cissues.flink.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8%40%3Ccommits.pulsar.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355%40%3Ccommits.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de%40%3Cdev.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed%40%3Ccommits.pulsar.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r823d4b27
fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e%40%3Cissues.flink.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2%40%3Ccommits.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898%40%3Cdev.flink.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb%40%3Cissues.kudu.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b05389
4c5%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa%40%3Cjira.kafka.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3%40%3Cissues.kudu.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362%40%3Cdev.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc%40%3Cissues.kudu.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101%40%3Ccommits.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e%40%3Ccommits.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8%40%3Cnotifications.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102%40%3Cissues.zookeeper.apache.org%3E\",\"
source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39%40%3Cnotifications.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324%40%3Cissues.flink.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575%40%3Cdev.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183%40%3Cnotifications.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4%40%3Cnotifications.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35%40%3Ccommits.pulsar.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d%40%3Cissues.zookeeper.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b%40%3Cissues.kudu.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20210604-0003/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2021/dsa-4885\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party 
Advisory\"]},{\"url\":\"https://www.oracle.com//security-alerts/cpujul2021.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2021.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}"
}
}
RHSA-2021:2965
Vulnerability from csaf_redhat - Published: 2021-07-29 19:19 - Updated: 2026-03-18 02:06
A flaw was found in Wildfly. While creating a new role in the domain mode via the admin console, it is possible to add a payload in the name field, leading to a Cross-site scripting attack (XSS). The highest threat from this vulnerability is to confidentiality and integrity.
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat Single Sign-On 7.4.8 (Red Hat / Red Hat Single Sign-On) | cpe:/a:redhat:red_hat_single_sign_on:7 | — | Vendor Fix (fix) |

A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat Single Sign-On 7.4.8 (Red Hat / Red Hat Single Sign-On) | cpe:/a:redhat:red_hat_single_sign_on:7 | — | Vendor Fix (fix) |

{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A security update is now available for Red Hat Single Sign-On 7.4 from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.4.8 serves as a replacement for Red Hat Single Sign-On 7.4.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* netty: Request smuggling via content-length header (CVE-2021-21409)\n\n* wildfly: XSS via admin console when creating roles in domain mode (CVE-2021-3536)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2021:2965",
"url": "https://access.redhat.com/errata/RHSA-2021:2965"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso\u0026downloadType=securityPatches\u0026version=7.4",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso\u0026downloadType=securityPatches\u0026version=7.4"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.4/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.4/"
},
{
"category": "external",
"summary": "1944888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944888"
},
{
"category": "external",
"summary": "1948001",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948001"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_2965.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.4.8 security update",
"tracking": {
"current_release_date": "2026-03-18T02:06:47+00:00",
"generator": {
"date": "2026-03-18T02:06:47+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.3"
}
},
"id": "RHSA-2021:2965",
"initial_release_date": "2021-07-29T19:19:10+00:00",
"revision_history": [
{
"date": "2021-07-29T19:19:10+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2021-07-29T19:19:10+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-18T02:06:47+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Single Sign-On 7.4.8",
"product": {
"name": "Red Hat Single Sign-On 7.4.8",
"product_id": "Red Hat Single Sign-On 7.4.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Single Sign-On"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Damian Bury"
]
}
],
"cve": "CVE-2021-3536",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2021-02-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1948001"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wildfly. While creating a new role in the domain mode via the admin console, it is possible to add a payload in the name field, leading to a Cross-site scripting attack (XSS). The highest threat from this vulnerability is to confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly: XSS via admin console when creating roles in domain mode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw does not affect Red Hat CodeReady Studio 12 because it uses the Wildfly client only. The domain mode is not used.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7.4.8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3536"
},
{
"category": "external",
"summary": "RHBZ#1948001",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948001"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3536",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3536"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3536",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3536"
}
],
"release_date": "2021-04-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-07-29T19:19:10+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Single Sign-On 7.4.8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:2965"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7.4.8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "wildfly: XSS via admin console when creating roles in domain mode"
},
{
"cve": "CVE-2021-21409",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-03-30T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1944888"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: Request smuggling via content-length header",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite ships a vulnerable Netty version embedded in Candlepin. However, it is not directly vulnerable since the HTTP requests are handled by Tomcat and not by Netty.\nRed Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nIn OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec-http package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7.4.8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-21409"
},
{
"category": "external",
"summary": "RHBZ#1944888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944888"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-21409",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21409"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32",
"url": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32"
}
],
"release_date": "2021-03-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-07-29T19:19:10+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Single Sign-On 7.4.8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:2965"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7.4.8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty: Request smuggling via content-length header"
}
]
}
RHSA-2021:3225
Vulnerability from csaf_redhat - Published: 2021-08-19 07:17 - Updated: 2026-05-14 22:31
The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat AMQ Streams 1.8.0 (Red Hat / Red Hat JBoss AMQ) | cpe:/a:redhat:amq_streams:1 | — | Vendor Fix |
In Netty there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, a local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat AMQ Streams 1.8.0 (Red Hat / Red Hat JBoss AMQ) | cpe:/a:redhat:amq_streams:1 | — | Vendor Fix |
In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat AMQ Streams 1.8.0 (Red Hat / Red Hat JBoss AMQ) | cpe:/a:redhat:amq_streams:1 | — | Vendor Fix |
A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat AMQ Streams 1.8.0 (Red Hat / Red Hat JBoss AMQ) | cpe:/a:redhat:amq_streams:1 | — | Vendor Fix |
A flaw was found in json-smart. When an exception is thrown from a function, but is not caught, the program using the library may crash or expose sensitive information. The highest threat from this vulnerability is to data confidentiality and system availability. In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of json-smart package. Since the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix. This may be fixed in the future. [1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat AMQ Streams 1.8.0 (Red Hat / Red Hat JBoss AMQ) | cpe:/a:redhat:amq_streams:1 | — | Vendor Fix |
If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink the contents of the ${jetty.base}/webapps directory may be deployed as a static web application, exposing the content of the directory for download. The highest threat from this vulnerability is to data confidentiality.
CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat AMQ Streams 1.8.0 (Red Hat / Red Hat JBoss AMQ) | cpe:/a:redhat:amq_streams:1 | — | Vendor Fix |
In Jetty the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. An attacker can use this vulnerability to reveal sensitive information regarding the implementation of a web application.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat AMQ Streams 1.8.0 (Red Hat / Red Hat JBoss AMQ) | cpe:/a:redhat:amq_streams:1 | — | Vendor Fix |
When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing high CPU resources utilization. The highest threat from this vulnerability is to service availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat AMQ Streams 1.8.0 (Red Hat / Red Hat JBoss AMQ) | cpe:/a:redhat:amq_streams:1 | — | Vendor Fix |
Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat AMQ Streams 1.8.0 (Red Hat / Red Hat JBoss AMQ) | cpe:/a:redhat:amq_streams:1 | — | Vendor Fix |
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat AMQ Streams 1.8.0 (Red Hat / Red Hat JBoss AMQ) | cpe:/a:redhat:amq_streams:1 | — | Vendor Fix |
In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat AMQ Streams 1.8.0 (Red Hat / Red Hat JBoss AMQ) | cpe:/a:redhat:amq_streams:1 | — | Vendor Fix |
A flaw was discovered in the jetty-server, where if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts, this could result in a session not being invalidated and a shared-computer application being left logged in. The highest threat from this vulnerability is to data confidentiality and integrity.
CWE-613 - Insufficient Session Expiration
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat AMQ Streams 1.8.0 (Red Hat / Red Hat JBoss AMQ) | cpe:/a:redhat:amq_streams:1 | — | Vendor Fix, Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat AMQ Streams 1.8.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. \n\nThis release of Red Hat AMQ Streams 1.8.0 serves as a replacement for Red Hat AMQ Streams 1.7.0, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n\n* snakeyaml: Billion laughs attack via alias feature (CVE-2017-18640)\n\n* netty: Information disclosure via the local system temporary directory (CVE-2021-21290)\n\n* netty: possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295)\n\n* netty: Request smuggling via content-length header (CVE-2021-21409)\n\n* json-smart: uncaught exception may lead to crash or information disclosure (CVE-2021-27568)\n\n* jetty: Symlink directory exposes webapp directory contents (CVE-2021-28163)\n\n* jetty: Ambiguous paths can access WEB-INF (CVE-2021-28164)\n\n* jetty: Resource exhaustion when receiving an invalid large TLS frame (CVE-2021-28165)\n\n* jersey: Local information disclosure via system temporary directory (CVE-2021-28168)\n\n* jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory (CVE-2021-28169)\n\n* apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6 (CVE-2021-29425)\n\n* jetty: SessionListener can prevent a session from being invalidated breaking logout (CVE-2021-34428)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2021:3225",
"url": "https://access.redhat.com/errata/RHSA-2021:3225"
},
{
"category": "external",
"summary": "1971016",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1971016"
},
{
"category": "external",
"summary": "1974891",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1974891"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.amq.streams\u0026version=1.8.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.amq.streams\u0026version=1.8.0"
},
{
"category": "external",
"summary": "1785376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785376"
},
{
"category": "external",
"summary": "1927028",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1927028"
},
{
"category": "external",
"summary": "1937364",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1937364"
},
{
"category": "external",
"summary": "1939839",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1939839"
},
{
"category": "external",
"summary": "1944888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944888"
},
{
"category": "external",
"summary": "1945710",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945710"
},
{
"category": "external",
"summary": "1945712",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945712"
},
{
"category": "external",
"summary": "1945714",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945714"
},
{
"category": "external",
"summary": "1953024",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1953024"
},
{
"category": "external",
"summary": "1948752",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948752"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_3225.json"
}
],
"title": "Red Hat Security Advisory: Red Hat AMQ Streams 1.8.0 release and security update",
"tracking": {
"current_release_date": "2026-05-14T22:31:30+00:00",
"generator": {
"date": "2026-05-14T22:31:30+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2021:3225",
"initial_release_date": "2021-08-19T07:17:54+00:00",
"revision_history": [
{
"date": "2021-08-19T07:17:54+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2021-08-19T07:17:54+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:31:30+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat AMQ Streams 1.8.0",
"product": {
"name": "Red Hat AMQ Streams 1.8.0",
"product_id": "Red Hat AMQ Streams 1.8.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:amq_streams:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss AMQ"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2017-18640",
"cwe": {
"id": "CWE-776",
"name": "Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)"
},
"discovery_date": "2019-12-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1785376"
}
],
"notes": [
{
"category": "description",
"text": "The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Billion laughs attack via alias feature",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ Streams 1.8.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-18640"
},
{
"category": "external",
"summary": "RHBZ#1785376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785376"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-18640",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-18640"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-18640",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18640"
}
],
"release_date": "2019-12-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-08-19T07:17:54+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ Streams 1.8.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3225"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"products": [
"Red Hat AMQ Streams 1.8.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Billion laughs attack via alias feature"
},
{
"cve": "CVE-2021-21290",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2021-02-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1927028"
}
],
"notes": [
{
"category": "description",
"text": "In Netty there is a vulnerability on Unix-like systems involving an insecure temp file. When netty\u0027s multipart decoders are used, a local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: Information disclosure via the local system temporary directory",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ Streams 1.8.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-21290"
},
{
"category": "external",
"summary": "RHBZ#1927028",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1927028"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-21290",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21290"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21290",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21290"
}
],
"release_date": "2021-02-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-08-19T07:17:54+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ Streams 1.8.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3225"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat AMQ Streams 1.8.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "netty: Information disclosure via the local system temporary directory"
},
{
"cve": "CVE-2021-21295",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-03-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1937364"
}
],
"notes": [
{
"category": "description",
"text": "In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel\u0027s pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: possible request smuggling in HTTP/2 due missing validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ Streams 1.8.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-21295"
},
{
"category": "external",
"summary": "RHBZ#1937364",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1937364"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-21295",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21295"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21295",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21295"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj",
"url": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj"
}
],
"release_date": "2021-03-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-08-19T07:17:54+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ Streams 1.8.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3225"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat AMQ Streams 1.8.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty: possible request smuggling in HTTP/2 due missing validation"
},
{
"cve": "CVE-2021-21409",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-03-30T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1944888"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: Request smuggling via content-length header",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite ships a vulnerable Netty version embedded in Candlepin. However, it is not directly vulnerable since the HTTP requests are handled by Tomcat and not by Netty.\nRed Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nIn OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec-http package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ Streams 1.8.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-21409"
},
{
"category": "external",
"summary": "RHBZ#1944888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944888"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-21409",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21409"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32",
"url": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32"
}
],
"release_date": "2021-03-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-08-19T07:17:54+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ Streams 1.8.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3225"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat AMQ Streams 1.8.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty: Request smuggling via content-length header"
},
{
"cve": "CVE-2021-27568",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2021-03-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1939839"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in json-smart. When an exception is thrown from a function, but is not caught, the program using the library may crash or expose sensitive information. The highest threat from this vulnerability is to data confidentiality and system availability.\r\n\r\nIn OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of json-smart package.\r\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\r\nThis may be fixed in the future.\r\n\r\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json-smart: uncaught exception may lead to crash or information disclosure",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ Streams 1.8.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-27568"
},
{
"category": "external",
"summary": "RHBZ#1939839",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1939839"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-27568",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27568"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-27568",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27568"
}
],
"release_date": "2021-02-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-08-19T07:17:54+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ Streams 1.8.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3225"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat AMQ Streams 1.8.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "json-smart: uncaught exception may lead to crash or information disclosure"
},
{
"cve": "CVE-2021-28163",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2021-04-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1945710"
}
],
"notes": [
{
"category": "description",
"text": "If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink the contents of the ${jetty.base}/webapps directory may be deployed as a static web application, exposing the content of the directory for download. The highest threat from this vulnerability is to data confidentiality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty: Symlink directory exposes webapp directory contents",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jetty.\nSince the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated\n\nRed Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nRed Hat CodeReady Studio 12 is not affected by this vulnerability because it does not ship a vulnerable version of jetty.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ Streams 1.8.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-28163"
},
{
"category": "external",
"summary": "RHBZ#1945710",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945710"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-28163",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28163"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-28163",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28163"
},
{
"category": "external",
"summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq",
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq"
}
],
"release_date": "2021-04-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-08-19T07:17:54+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ Streams 1.8.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3225"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat AMQ Streams 1.8.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jetty: Symlink directory exposes webapp directory contents"
},
{
"cve": "CVE-2021-28164",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2021-04-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1945712"
}
],
"notes": [
{
"category": "description",
"text": "In Jetty the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. An attacker can use this vulnerability to reveal sensitive information regarding the implementation of a web application.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty: Ambiguous paths can access WEB-INF",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nRed Hat CodeReady Studio 12 is not affected by this vulnerability because it does not ship a vulnerable version of jetty.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ Streams 1.8.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-28164"
},
{
"category": "external",
"summary": "RHBZ#1945712",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945712"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-28164",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28164"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-28164",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28164"
},
{
"category": "external",
"summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5",
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5"
}
],
"release_date": "2021-04-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-08-19T07:17:54+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ Streams 1.8.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3225"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat AMQ Streams 1.8.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jetty: Ambiguous paths can access WEB-INF"
},
{
"cve": "CVE-2021-28165",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-04-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1945714"
}
],
"notes": [
{
"category": "description",
"text": "When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing high CPU resources utilization. The highest threat from this vulnerability is to service availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty: Resource exhaustion when receiving an invalid large TLS frame",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jetty.\nSince the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated\n\nRed Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ Streams 1.8.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-28165"
},
{
"category": "external",
"summary": "RHBZ#1945714",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945714"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-28165",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28165"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-28165",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28165"
},
{
"category": "external",
"summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w",
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w"
}
],
"release_date": "2021-04-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-08-19T07:17:54+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ Streams 1.8.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3225"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat AMQ Streams 1.8.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jetty: Resource exhaustion when receiving an invalid large TLS frame"
},
{
"cve": "CVE-2021-28168",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2021-04-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1953024"
}
],
"notes": [
{
"category": "description",
"text": "Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jersey: Local information disclosure via system temporary directory",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ Streams 1.8.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-28168"
},
{
"category": "external",
"summary": "RHBZ#1953024",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1953024"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-28168",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28168"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-28168",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28168"
}
],
"release_date": "2021-04-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-08-19T07:17:54+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ Streams 1.8.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3225"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat AMQ Streams 1.8.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jersey: Local information disclosure via system temporary directory"
},
{
"cve": "CVE-2021-28169",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2021-06-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1971016"
}
],
"notes": [
{
"category": "description",
"text": "For Eclipse Jetty versions \u003c= 9.4.40, \u003c= 10.0.2, \u003c= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jetty.\nSince the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated\n\nRed Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nRed Hat CodeReady Studio 12 is not affected by this flaw because it does not ship the vulnerable components (ConcatServlet or WelcomeFilter) of jetty.\n\nRed Hat Enterprise Linux 8 is not affected by this flaw because it does not ship the vulnerable components (ConcatServlet or WelcomeFilter) of jetty.\n\nRed Hat Enterprise Linux 7 ships the vulnerable component of jetty, but only in the optional repository and thus this flaw is out of support scope for Red Hat Enterprise Linux 7.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ Streams 1.8.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-28169"
},
{
"category": "external",
"summary": "RHBZ#1971016",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1971016"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-28169",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28169"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-28169",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28169"
}
],
"release_date": "2021-06-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-08-19T07:17:54+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ Streams 1.8.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3225"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat AMQ Streams 1.8.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory"
},
{
"cve": "CVE-2021-29425",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2021-04-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1948752"
}
],
"notes": [
{
"category": "description",
"text": "In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like \"//../foo\", or \"\\\\..\\foo\", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus \"limited\" path traversal), if the calling code would use the result to construct a path value.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "While the apache-commons-io package included in Red Hat Enterprise Linux 8 Maven App Stream contains the vulnerable code, it is not used in any way by Maven or other packages in this module. This package is not an API component of Maven, thus the affected code can not be reached in any supported scenario.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ Streams 1.8.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-29425"
},
{
"category": "external",
"summary": "RHBZ#1948752",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948752"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-29425",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29425"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-29425",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29425"
}
],
"release_date": "2021-04-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-08-19T07:17:54+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ Streams 1.8.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3225"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat AMQ Streams 1.8.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6"
},
{
"cve": "CVE-2021-34428",
"cwe": {
"id": "CWE-613",
"name": "Insufficient Session Expiration"
},
"discovery_date": "2021-06-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1974891"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in the jetty-server, where if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts, this could result in a session not being invalidated and a shared-computer application being left logged in. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty: SessionListener can prevent a session from being invalidated breaking logout",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jetty. Since the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix. This may be fixed in the future.\n\nOCP 3.11 is out of the support scope for Moderate and Low impact vulnerabilities because it is already in the Maintenance Support phase, hence the affected OCP 3.11 component has been marked as wontfix.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ Streams 1.8.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-34428"
},
{
"category": "external",
"summary": "RHBZ#1974891",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1974891"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-34428",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34428"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-34428",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34428"
},
{
"category": "external",
"summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6",
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6"
}
],
"release_date": "2021-06-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-08-19T07:17:54+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ Streams 1.8.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3225"
},
{
"category": "workaround",
"details": "Applications should catch all Throwables within their SessionListener#sessionDestroyed() implementations.",
"product_ids": [
"Red Hat AMQ Streams 1.8.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat AMQ Streams 1.8.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jetty: SessionListener can prevent a session from being invalidated breaking logout"
}
]
}
RHSA-2021:3656
Vulnerability from csaf_redhat - Published: 2021-09-23 16:18 - Updated: 2026-05-14 22:25
A flaw was found in velocity. An attacker, able to modify Velocity templates, may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src | — |
A flaw was found in Wildfly. While creating a new role in the domain mode via the admin console, it is possible to add a payload in the name field, leading to a Cross-site scripting attack (XSS). The highest threat from this vulnerability is to confidentiality and integrity.
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | | Vendor Fix |
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src | — | | Vendor Fix |
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | | Vendor Fix |
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | | Vendor Fix |
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | | Vendor Fix |
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src | — |
A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src | — |
A flaw was found in Wildfly Elytron where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.
CWE-203 - Observable Discrepancy
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch | — | | Vendor Fix |
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src | — | | Vendor Fix |
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src | — |
A flaw was found in wildfly-core in all versions. If a vault expression is in the form of a single attribute that contains multiple expressions, a user who was granted access to the management interface can potentially access a vault expression they should not be able to access and possibly retrieve the item which was stored in the vault. The highest threat from this vulnerability is data confidentiality and integrity.
CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | | Vendor Fix (fix) |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src | — |
A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src | — |
In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec`, and is then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch | — | | Vendor Fix (fix) |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src | — |
A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch | — | | Vendor Fix: fix |
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src | — | | Vendor Fix: fix |
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch | — | | Vendor Fix: fix |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src | — |
In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src | — |
In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch | — | ||
| Unresolved product id: 7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src | — |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.4.1 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.0 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.1 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* velocity: arbitrary code execution when attacker is able to modify templates (CVE-2020-13936)\n\n* undertow: buffer leak on incoming websocket PONG message may lead to DoS (CVE-2021-3690)\n\n* undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS (CVE-2021-3597)\n\n* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)\n\n* netty: possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295)\n\n* netty: Request smuggling via content-length header (CVE-2021-21409)\n\n* jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluate (CVE-2021-28170)\n\n* apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6 (CVE-2021-29425)\n\n* wildfly: XSS via admin console when creating roles in domain mode (CVE-2021-3536)\n\n* wildfly-core: Invalid Sensitivity Classification of Vault Expression (CVE-2021-3644)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2021:3656",
"url": "https://access.redhat.com/errata/RHSA-2021:3656"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/"
},
{
"category": "external",
"summary": "1937364",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1937364"
},
{
"category": "external",
"summary": "1937440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1937440"
},
{
"category": "external",
"summary": "1944888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944888"
},
{
"category": "external",
"summary": "1948001",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948001"
},
{
"category": "external",
"summary": "1948752",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948752"
},
{
"category": "external",
"summary": "1965497",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1965497"
},
{
"category": "external",
"summary": "1970930",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1970930"
},
{
"category": "external",
"summary": "1976052",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1976052"
},
{
"category": "external",
"summary": "1981407",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981407"
},
{
"category": "external",
"summary": "1991299",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1991299"
},
{
"category": "external",
"summary": "JBEAP-18401",
"url": "https://issues.redhat.com/browse/JBEAP-18401"
},
{
"category": "external",
"summary": "JBEAP-21231",
"url": "https://issues.redhat.com/browse/JBEAP-21231"
},
{
"category": "external",
"summary": "JBEAP-21257",
"url": "https://issues.redhat.com/browse/JBEAP-21257"
},
{
"category": "external",
"summary": "JBEAP-21258",
"url": "https://issues.redhat.com/browse/JBEAP-21258"
},
{
"category": "external",
"summary": "JBEAP-21261",
"url": "https://issues.redhat.com/browse/JBEAP-21261"
},
{
"category": "external",
"summary": "JBEAP-21263",
"url": "https://issues.redhat.com/browse/JBEAP-21263"
},
{
"category": "external",
"summary": "JBEAP-21270",
"url": "https://issues.redhat.com/browse/JBEAP-21270"
},
{
"category": "external",
"summary": "JBEAP-21276",
"url": "https://issues.redhat.com/browse/JBEAP-21276"
},
{
"category": "external",
"summary": "JBEAP-21277",
"url": "https://issues.redhat.com/browse/JBEAP-21277"
},
{
"category": "external",
"summary": "JBEAP-21281",
"url": "https://issues.redhat.com/browse/JBEAP-21281"
},
{
"category": "external",
"summary": "JBEAP-21300",
"url": "https://issues.redhat.com/browse/JBEAP-21300"
},
{
"category": "external",
"summary": "JBEAP-21309",
"url": "https://issues.redhat.com/browse/JBEAP-21309"
},
{
"category": "external",
"summary": "JBEAP-21313",
"url": "https://issues.redhat.com/browse/JBEAP-21313"
},
{
"category": "external",
"summary": "JBEAP-21472",
"url": "https://issues.redhat.com/browse/JBEAP-21472"
},
{
"category": "external",
"summary": "JBEAP-21569",
"url": "https://issues.redhat.com/browse/JBEAP-21569"
},
{
"category": "external",
"summary": "JBEAP-21777",
"url": "https://issues.redhat.com/browse/JBEAP-21777"
},
{
"category": "external",
"summary": "JBEAP-21781",
"url": "https://issues.redhat.com/browse/JBEAP-21781"
},
{
"category": "external",
"summary": "JBEAP-21818",
"url": "https://issues.redhat.com/browse/JBEAP-21818"
},
{
"category": "external",
"summary": "JBEAP-21961",
"url": "https://issues.redhat.com/browse/JBEAP-21961"
},
{
"category": "external",
"summary": "JBEAP-21978",
"url": "https://issues.redhat.com/browse/JBEAP-21978"
},
{
"category": "external",
"summary": "JBEAP-22009",
"url": "https://issues.redhat.com/browse/JBEAP-22009"
},
{
"category": "external",
"summary": "JBEAP-22084",
"url": "https://issues.redhat.com/browse/JBEAP-22084"
},
{
"category": "external",
"summary": "JBEAP-22088",
"url": "https://issues.redhat.com/browse/JBEAP-22088"
},
{
"category": "external",
"summary": "JBEAP-22160",
"url": "https://issues.redhat.com/browse/JBEAP-22160"
},
{
"category": "external",
"summary": "JBEAP-22209",
"url": "https://issues.redhat.com/browse/JBEAP-22209"
},
{
"category": "external",
"summary": "JBEAP-22318",
"url": "https://issues.redhat.com/browse/JBEAP-22318"
},
{
"category": "external",
"summary": "JBEAP-22319",
"url": "https://issues.redhat.com/browse/JBEAP-22319"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_3656.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.1 security update on RHEL 7",
"tracking": {
"current_release_date": "2026-05-14T22:25:03+00:00",
"generator": {
"date": "2026-05-14T22:25:03+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2021:3656",
"initial_release_date": "2021-09-23T16:18:03+00:00",
"revision_history": [
{
"date": "2021-09-23T16:18:03+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2021-09-23T16:18:03+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:25:03+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product": {
"name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Enterprise Application Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src",
"product_id": "eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-yasson@1.0.9-1.redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"product_id": "eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-velocity@2.3.0-1.redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"product": {
"name": "eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"product_id": "eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-picketbox@5.0.3-9.Final_redhat_00008.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-netty@4.1.63-1.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jberet@1.3.9-1.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"product": {
"name": "eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"product_id": "eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jakarta-el@3.0.3-2.redhat_00006.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"product_id": "eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-apache-commons-io@2.10.0-1.redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"product_id": "eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-artemis-wildfly-integration@1.0.4-1.redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-elytron-web@1.9.1-1.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate@5.3.21-1.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jgroups-kubernetes@1.0.16-1.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"product_id": "eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-remoting@5.0.23-2.SP1_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar@1.4.35-1.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hal-console@3.3.7-1.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.5-1.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-infinispan@11.0.12-1.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"product": {
"name": "eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"product_id": "eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-xalan-j2@2.7.1-36.redhat_00013.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-http-client@1.1.8-1.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-transaction-client@1.1.14-2.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"product_id": "eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-undertow@2.2.9-2.SP1_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"product": {
"name": "eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"product_id": "eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-8.Final_redhat_00009.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"product": {
"name": "eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"product_id": "eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly@7.4.1-2.GA_redhat_00003.1.el7eap?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"product_id": "eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-yasson@1.0.9-1.redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"product_id": "eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-velocity@2.3.0-1.redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"product_id": "eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-velocity-engine-core@2.3.0-1.redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"product": {
"name": "eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"product_id": "eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-picketbox@5.0.3-9.Final_redhat_00008.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"product": {
"name": "eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"product_id": "eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-picketbox-infinispan@5.0.3-9.Final_redhat_00008.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-netty@4.1.63-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-netty-all@4.1.63-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jberet@1.3.9-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jberet-core@1.3.9-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"product": {
"name": "eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"product_id": "eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jakarta-el@3.0.3-2.redhat_00006.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"product_id": "eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-apache-commons-io@2.10.0-1.redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"product_id": "eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-artemis-wildfly-integration@1.0.4-1.redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-undertow-server@1.9.1-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate@5.3.21-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-core@5.3.21-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-entitymanager@5.3.21-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-envers@5.3.21-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-java8@5.3.21-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jgroups-kubernetes@1.0.16-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-remoting@5.0.23-2.SP1_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar@1.4.35-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-common-api@1.4.35-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-common-impl@1.4.35-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-common-spi@1.4.35-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-core-api@1.4.35-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-core-impl@1.4.35-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-deployers-common@1.4.35-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-jdbc@1.4.35-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-validator@1.4.35-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hal-console@3.3.7-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.5-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-elytron-tool@1.15.5-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-infinispan@11.0.12-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-jdbc@11.0.12-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-remote@11.0.12-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-infinispan-client-hotrod@11.0.12-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-infinispan-commons@11.0.12-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-infinispan-component-annotations@11.0.12-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-infinispan-core@11.0.12-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-commons@11.0.12-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-spi@11.0.12-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-v53@11.0.12-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"product": {
"name": "eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"product_id": "eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-xalan-j2@2.7.1-36.redhat_00013.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-http-client-common@1.1.8-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-http-ejb-client@1.1.8-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-http-naming-client@1.1.8-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-http-transaction-client@1.1.8-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-transaction-client@1.1.14-2.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-undertow@2.2.9-2.SP1_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"product": {
"name": "eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"product_id": "eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-8.Final_redhat_00009.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"product": {
"name": "eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"product_id": "eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration-cli@1.10.0-8.Final_redhat_00009.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"product": {
"name": "eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"product_id": "eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration-core@1.10.0-8.Final_redhat_00009.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"product_id": "eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly@7.4.1-2.GA_redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"product_id": "eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk11@7.4.1-2.GA_redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"product_id": "eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk8@7.4.1-2.GA_redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"product_id": "eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.1-2.GA_redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"product_id": "eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.1-2.GA_redhat_00003.1.el7eap?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch"
},
"product_reference": "eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src"
},
"product_reference": "eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch"
},
"product_reference": "eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src"
},
"product_reference": "eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch"
},
"product_reference": "eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch"
},
"product_reference": "eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch"
},
"product_reference": "eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src"
},
"product_reference": "eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch"
},
"product_reference": "eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src"
},
"product_reference": "eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch"
},
"product_reference": "eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src"
},
"product_reference": "eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-13936",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2021-03-10T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1937440"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in velocity. An attacker, able to modify Velocity templates, may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "velocity: arbitrary code execution when attacker is able to modify templates",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform (OCP) openshift-logging/elasticsearch6-rhel8 container does contain a vulnerable version of velocity. The references to the library only occur in the x-pack component which is an enterprise-only feature of Elasticsearch - hence it has been marked as wontfix at this time and may be fixed in a future release. Additionally the hive container only references velocity in the testutils of the code but the code still exists in the container, as such it has been given a Moderate impact.\n\n* Velocity as shipped with Red Hat Enterprise Linux 6 is not affected because it does not contain the vulnerable code.\n\n* Velocity as shipped with Red Hat Enterprise Linux 7 contains a vulnerable version, but it is used as a dependency for IdM/ipa, which does not use the vulnerable functionality. It has been marked as Moderate for this reason.\n\n* Although velocity shipped in Red Hat Enterprise Linux 8\u0027s pki-deps:10.6 for IdM/ipa is a vulnerable version, the vulnerable code is not used by pki. It has been marked as Low for this reason.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-13936"
},
{
"category": "external",
"summary": "RHBZ#1937440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1937440"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-13936",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13936"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-13936",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13936"
}
],
"release_date": "2021-03-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:18:03+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied.\n\nFor details about how to apply this update, see:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3656"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "velocity: arbitrary code execution when attacker is able to modify templates"
},
{
"acknowledgments": [
{
"names": [
"Damian Bury"
]
}
],
"cve": "CVE-2021-3536",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2021-02-12T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1948001"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wildfly. While creating a new role in the domain mode via the admin console, it is possible to add a payload in the name field, leading to a Cross-site scripting attack (XSS). The highest threat from this vulnerability is to confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly: XSS via admin console when creating roles in domain mode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw does not affect Red Hat CodeReady Studio 12 because it uses the Wildfly client only. The domain mode is not used.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3536"
},
{
"category": "external",
"summary": "RHBZ#1948001",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948001"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3536",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3536"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3536",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3536"
}
],
"release_date": "2021-04-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:18:03+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied.\n\nFor details about how to apply this update, see:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3656"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "wildfly: XSS via admin console when creating roles in domain mode"
},
{
"cve": "CVE-2021-3597",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"discovery_date": "2021-02-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1970930"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3597"
},
{
"category": "external",
"summary": "RHBZ#1970930",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1970930"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3597",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3597"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3597",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3597"
}
],
"release_date": "2021-06-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:18:03+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied.\n\nFor details about how to apply this update, see:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3656"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS"
},
{
"cve": "CVE-2021-3642",
"cwe": {
"id": "CWE-203",
"name": "Observable Discrepancy"
},
"discovery_date": "2021-06-30T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1981407"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wildfly Elytron where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly-elytron: possible timing attack in ScramServer",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3642"
},
{
"category": "external",
"summary": "RHBZ#1981407",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981407"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3642",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3642"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3642",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3642"
}
],
"release_date": "2021-06-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:18:03+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied.\n\nFor details about how to apply this update, see:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3656"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "wildfly-elytron: possible timing attack in ScramServer"
},
{
"acknowledgments": [
{
"names": [
"Darran Lofthouse"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2021-3644",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2021-02-24T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1976052"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in wildfly-core in all versions. If a vault expression is in the form of a single attribute that contains multiple expressions, a user who was granted access to the management interface can potentially access a vault expression they should not be able to access and possibly retrieve the item which was stored in the vault. The highest threat from this vulnerability is data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly-core: Invalid Sensitivity Classification of Vault Expression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat CodeReady Studio 12 is not affected by this flaw as it does not ship the vulnerable component of wildfly.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3644"
},
{
"category": "external",
"summary": "RHBZ#1976052",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1976052"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3644",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3644"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3644",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3644"
}
],
"release_date": "2021-07-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:18:03+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied.\n\nFor details about how to apply this update, see:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3656"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "wildfly-core: Invalid Sensitivity Classification of Vault Expression"
},
{
"cve": "CVE-2021-3690",
"cwe": {
"id": "CWE-401",
"name": "Missing Release of Memory after Effective Lifetime"
},
"discovery_date": "2021-08-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1991299"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undertow: buffer leak on incoming websocket PONG message may lead to DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Although Red Hat OpenStack Platform packages the vulnerable code in Opendaylight, it does not use or support the undertow-encapsulating features. The security impact for RHOSP is therefore rated as Low and no update will be provided at this time.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3690"
},
{
"category": "external",
"summary": "RHBZ#1991299",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1991299"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3690",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3690"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3690",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3690"
}
],
"release_date": "2021-07-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:18:03+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied.\n\nFor details about how to apply this update, see:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3656"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "undertow: buffer leak on incoming websocket PONG message may lead to DoS"
},
{
"cve": "CVE-2021-21295",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-03-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1937364"
}
],
"notes": [
{
"category": "description",
"text": "In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel\u0027s pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: possible request smuggling in HTTP/2 due missing validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-21295"
},
{
"category": "external",
"summary": "RHBZ#1937364",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1937364"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-21295",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21295"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21295",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21295"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj",
"url": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj"
}
],
"release_date": "2021-03-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:18:03+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied.\n\nFor details about how to apply this update, see:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3656"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty: possible request smuggling in HTTP/2 due missing validation"
},
{
"cve": "CVE-2021-21409",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-03-30T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1944888"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: Request smuggling via content-length header",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite ships a vulnerable Netty version embedded in Candlepin. However, it is not directly vulnerable since the HTTP requests are handled by Tomcat and not by Netty.\nRed Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nIn OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec-http package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-21409"
},
{
"category": "external",
"summary": "RHBZ#1944888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944888"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-21409",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21409"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32",
"url": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32"
}
],
"release_date": "2021-03-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:18:03+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied.\n\nFor details about how to apply this update, see:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3656"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty: Request smuggling via content-length header"
},
{
"cve": "CVE-2021-28170",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-05-26T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1965497"
}
],
"notes": [
{
"category": "description",
"text": "In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluate",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-28170"
},
{
"category": "external",
"summary": "RHBZ#1965497",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1965497"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-28170",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28170"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-28170",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28170"
},
{
"category": "external",
"summary": "https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/",
"url": "https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/"
}
],
"release_date": "2021-04-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:18:03+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied.\n\nFor details about how to apply this update, see:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3656"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluate"
},
{
"cve": "CVE-2021-29425",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2021-04-12T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1948752"
}
],
"notes": [
{
"category": "description",
"text": "In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like \"//../foo\", or \"\\\\..\\foo\", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus \"limited\" path traversal), if the calling code would use the result to construct a path value.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "While the apache-commons-io package included in Red Hat Enterprise Linux 8 Maven App Stream contains the vulnerable code, it is not used in any way by Maven or other packages in this module. This package is not an API component of Maven, thus the affected code can not be reached in any supported scenario.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-29425"
},
{
"category": "external",
"summary": "RHBZ#1948752",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948752"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-29425",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29425"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-29425",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29425"
}
],
"release_date": "2021-04-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:18:03+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied.\n\nFor details about how to apply this update, see:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3656"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6"
}
]
}
RHSA-2021:3658
Vulnerability from csaf_redhat - Published: 2021-09-23 16:26 - Updated: 2026-05-14 22:25

A flaw was found in velocity. An attacker, able to modify Velocity templates, may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch | — | Vendor Fix fix | |
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src | — | Vendor Fix fix | |
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch | — | Vendor Fix fix | |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src | — |

A flaw was found in Wildfly. While creating a new role in the domain mode via the admin console, it is possible to add a payload in the name field, leading to a Cross-site scripting attack (XSS). The highest threat from this vulnerability is to confidentiality and integrity.

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | | Vendor Fix fix |
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src | — | | Vendor Fix fix |
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | | Vendor Fix fix |
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | | Vendor Fix fix |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src | — |

A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is to availability.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src | — |

A flaw was found in Wildfly Elytron where ScramServer may be susceptible to a timing attack if enabled. The highest threat from this vulnerability is to confidentiality.

CWE-203 - Observable Discrepancy

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch | — | | Vendor Fix fix |
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src | — | | Vendor Fix fix |
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch | — | | Vendor Fix fix |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src | — |
A flaw was found in wildfly-core in all versions. If a vault expression is in the form of a single attribute that contains multiple expressions, a user who was granted access to the management interface can potentially access a vault expression they should not be able to access and possibly retrieve the item which was stored in the vault. The highest threat from this vulnerability is data confidentiality and integrity.
CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | Vendor Fix fix | |
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src | — | Vendor Fix fix | |
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | Vendor Fix fix | |
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | Vendor Fix fix | |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src | — |
A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src | — |
In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and is then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch | — | Vendor Fix fix | |
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src | — | Vendor Fix fix | |
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch | — | Vendor Fix fix | |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src | — |
A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch | — | Vendor Fix fix | |
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src | — | Vendor Fix fix | |
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch | — | Vendor Fix fix | |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src | — |
In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src | — |
In Apache Commons IO before 2.7, when invoking the method FilenameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch | — | ||
| Unresolved product id: 8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src | — |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.4.1 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.0 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.1 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* velocity: arbitrary code execution when attacker is able to modify templates (CVE-2020-13936)\n\n* undertow: buffer leak on incoming websocket PONG message may lead to DoS (CVE-2021-3690)\n\n* undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS (CVE-2021-3597)\n\n* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)\n\n* netty: possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295)\n\n* netty: Request smuggling via content-length header (CVE-2021-21409)\n\n* jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluate (CVE-2021-28170)\n\n* apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6 (CVE-2021-29425)\n\n* wildfly: XSS via admin console when creating roles in domain mode (CVE-2021-3536)\n\n* wildfly-core: Invalid Sensitivity Classification of Vault Expression (CVE-2021-3644)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2021:3658",
"url": "https://access.redhat.com/errata/RHSA-2021:3658"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/"
},
{
"category": "external",
"summary": "1937364",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1937364"
},
{
"category": "external",
"summary": "1937440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1937440"
},
{
"category": "external",
"summary": "1944888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944888"
},
{
"category": "external",
"summary": "1948001",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948001"
},
{
"category": "external",
"summary": "1948752",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948752"
},
{
"category": "external",
"summary": "1965497",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1965497"
},
{
"category": "external",
"summary": "1970930",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1970930"
},
{
"category": "external",
"summary": "1976052",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1976052"
},
{
"category": "external",
"summary": "1981407",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981407"
},
{
"category": "external",
"summary": "1991299",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1991299"
},
{
"category": "external",
"summary": "JBEAP-18402",
"url": "https://issues.redhat.com/browse/JBEAP-18402"
},
{
"category": "external",
"summary": "JBEAP-21231",
"url": "https://issues.redhat.com/browse/JBEAP-21231"
},
{
"category": "external",
"summary": "JBEAP-21257",
"url": "https://issues.redhat.com/browse/JBEAP-21257"
},
{
"category": "external",
"summary": "JBEAP-21258",
"url": "https://issues.redhat.com/browse/JBEAP-21258"
},
{
"category": "external",
"summary": "JBEAP-21261",
"url": "https://issues.redhat.com/browse/JBEAP-21261"
},
{
"category": "external",
"summary": "JBEAP-21263",
"url": "https://issues.redhat.com/browse/JBEAP-21263"
},
{
"category": "external",
"summary": "JBEAP-21270",
"url": "https://issues.redhat.com/browse/JBEAP-21270"
},
{
"category": "external",
"summary": "JBEAP-21276",
"url": "https://issues.redhat.com/browse/JBEAP-21276"
},
{
"category": "external",
"summary": "JBEAP-21277",
"url": "https://issues.redhat.com/browse/JBEAP-21277"
},
{
"category": "external",
"summary": "JBEAP-21281",
"url": "https://issues.redhat.com/browse/JBEAP-21281"
},
{
"category": "external",
"summary": "JBEAP-21300",
"url": "https://issues.redhat.com/browse/JBEAP-21300"
},
{
"category": "external",
"summary": "JBEAP-21309",
"url": "https://issues.redhat.com/browse/JBEAP-21309"
},
{
"category": "external",
"summary": "JBEAP-21313",
"url": "https://issues.redhat.com/browse/JBEAP-21313"
},
{
"category": "external",
"summary": "JBEAP-21472",
"url": "https://issues.redhat.com/browse/JBEAP-21472"
},
{
"category": "external",
"summary": "JBEAP-21569",
"url": "https://issues.redhat.com/browse/JBEAP-21569"
},
{
"category": "external",
"summary": "JBEAP-21777",
"url": "https://issues.redhat.com/browse/JBEAP-21777"
},
{
"category": "external",
"summary": "JBEAP-21781",
"url": "https://issues.redhat.com/browse/JBEAP-21781"
},
{
"category": "external",
"summary": "JBEAP-21818",
"url": "https://issues.redhat.com/browse/JBEAP-21818"
},
{
"category": "external",
"summary": "JBEAP-21961",
"url": "https://issues.redhat.com/browse/JBEAP-21961"
},
{
"category": "external",
"summary": "JBEAP-21978",
"url": "https://issues.redhat.com/browse/JBEAP-21978"
},
{
"category": "external",
"summary": "JBEAP-22009",
"url": "https://issues.redhat.com/browse/JBEAP-22009"
},
{
"category": "external",
"summary": "JBEAP-22084",
"url": "https://issues.redhat.com/browse/JBEAP-22084"
},
{
"category": "external",
"summary": "JBEAP-22088",
"url": "https://issues.redhat.com/browse/JBEAP-22088"
},
{
"category": "external",
"summary": "JBEAP-22160",
"url": "https://issues.redhat.com/browse/JBEAP-22160"
},
{
"category": "external",
"summary": "JBEAP-22209",
"url": "https://issues.redhat.com/browse/JBEAP-22209"
},
{
"category": "external",
"summary": "JBEAP-22318",
"url": "https://issues.redhat.com/browse/JBEAP-22318"
},
{
"category": "external",
"summary": "JBEAP-22319",
"url": "https://issues.redhat.com/browse/JBEAP-22319"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_3658.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.1 security update on RHEL 8",
"tracking": {
"current_release_date": "2026-05-14T22:25:04+00:00",
"generator": {
"date": "2026-05-14T22:25:04+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2021:3658",
"initial_release_date": "2021-09-23T16:26:18+00:00",
"revision_history": [
{
"date": "2021-09-23T16:26:18+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2021-09-23T16:26:18+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:25:04+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss EAP 7.4 for RHEL 8",
"product": {
"name": "Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Enterprise Application Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src",
"product_id": "eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-yasson@1.0.9-1.redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"product_id": "eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-velocity@2.3.0-1.redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"product": {
"name": "eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"product_id": "eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-picketbox@5.0.3-9.Final_redhat_00008.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"product_id": "eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-netty@4.1.63-1.Final_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"product_id": "eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jberet@1.3.9-1.Final_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"product": {
"name": "eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"product_id": "eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jakarta-el@3.0.3-2.redhat_00006.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"product_id": "eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-apache-commons-io@2.10.0-1.redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"product_id": "eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-artemis-wildfly-integration@1.0.4-1.redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"product_id": "eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-elytron-web@1.9.1-1.Final_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"product_id": "eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate@5.3.21-1.Final_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"product_id": "eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jgroups-kubernetes@1.0.16-1.Final_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"product_id": "eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-remoting@5.0.23-2.SP1_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"product_id": "eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar@1.4.35-1.Final_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"product_id": "eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hal-console@3.3.7-1.Final_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"product_id": "eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.5-1.Final_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"product_id": "eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-infinispan@11.0.12-1.Final_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"product": {
"name": "eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"product_id": "eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-xalan-j2@2.7.1-36.redhat_00013.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"product_id": "eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-http-client@1.1.8-1.Final_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"product_id": "eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-transaction-client@1.1.14-2.Final_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"product_id": "eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-undertow@2.2.9-2.SP1_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"product": {
"name": "eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"product_id": "eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-8.Final_redhat_00009.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"product": {
"name": "eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"product_id": "eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly@7.4.1-2.GA_redhat_00003.1.el8eap?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"product_id": "eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-yasson@1.0.9-1.redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"product_id": "eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-velocity@2.3.0-1.redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"product_id": "eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-velocity-engine-core@2.3.0-1.redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"product": {
"name": "eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"product_id": "eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-picketbox@5.0.3-9.Final_redhat_00008.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"product": {
"name": "eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"product_id": "eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-picketbox-infinispan@5.0.3-9.Final_redhat_00008.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-netty@4.1.63-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-netty-all@4.1.63-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jberet@1.3.9-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jberet-core@1.3.9-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"product": {
"name": "eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"product_id": "eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jakarta-el@3.0.3-2.redhat_00006.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"product_id": "eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-apache-commons-io@2.10.0-1.redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"product_id": "eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-artemis-wildfly-integration@1.0.4-1.redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-undertow-server@1.9.1-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate@5.3.21-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-core@5.3.21-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-entitymanager@5.3.21-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-envers@5.3.21-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-java8@5.3.21-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jgroups-kubernetes@1.0.16-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-remoting@5.0.23-2.SP1_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar@1.4.35-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-common-api@1.4.35-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-common-impl@1.4.35-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-common-spi@1.4.35-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-core-api@1.4.35-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-core-impl@1.4.35-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-deployers-common@1.4.35-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-jdbc@1.4.35-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-validator@1.4.35-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hal-console@3.3.7-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.5-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-elytron-tool@1.15.5-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-infinispan@11.0.12-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-jdbc@11.0.12-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-infinispan-cachestore-remote@11.0.12-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-infinispan-client-hotrod@11.0.12-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-infinispan-commons@11.0.12-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-infinispan-component-annotations@11.0.12-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-infinispan-core@11.0.12-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-commons@11.0.12-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-spi@11.0.12-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-infinispan-hibernate-cache-v53@11.0.12-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"product": {
"name": "eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"product_id": "eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-xalan-j2@2.7.1-36.redhat_00013.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-http-client-common@1.1.8-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-http-ejb-client@1.1.8-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-http-naming-client@1.1.8-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-http-transaction-client@1.1.8-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-transaction-client@1.1.14-2.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-undertow@2.2.9-2.SP1_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"product": {
"name": "eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"product_id": "eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-8.Final_redhat_00009.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"product": {
"name": "eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"product_id": "eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration-cli@1.10.0-8.Final_redhat_00009.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"product": {
"name": "eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"product_id": "eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration-core@1.10.0-8.Final_redhat_00009.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"product_id": "eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly@7.4.1-2.GA_redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"product_id": "eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.1-2.GA_redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"product_id": "eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.1-2.GA_redhat_00003.1.el8eap?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch"
},
"product_reference": "eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src"
},
"product_reference": "eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch"
},
"product_reference": "eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src"
},
"product_reference": "eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch"
},
"product_reference": "eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch"
},
"product_reference": "eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch"
},
"product_reference": "eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src"
},
"product_reference": "eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch"
},
"product_reference": "eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src"
},
"product_reference": "eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch"
},
"product_reference": "eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src"
},
"product_reference": "eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-13936",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2021-03-10T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1937440"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in velocity. An attacker, able to modify Velocity templates, may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "velocity: arbitrary code execution when attacker is able to modify templates",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform (OCP) openshift-logging/elasticsearch6-rhel8 container does contain a vulnerable version of velocity. The references to the library only occur in the x-pack component which is an enterprise-only feature of Elasticsearch - hence it has been marked as wontfix as this time and may be fixed in a future release. Additionally the hive container only references velocity in the testutils of the code but the code still exists in the container, as such it has been given a Moderate impact.\n\n* Velocity as shipped with Red Hat Enterprise Linux 6 is not affected because it does not contain the vulnerable code.\n\n* Velocity as shipped with Red Hat Enterprise Linux 7 contains a vulnerable version, but it is used as a dependency for IdM/ipa, which does not use the vulnerable functionality. It has been marked as Moderate for this reason.\n\n* Although velocity shipped in Red Hat Enterprise Linux 8\u0027s pki-deps:10.6 for IdM/ipa is a vulnerable version, the vulnerable code is not used by pki. It has been marked as Low for this reason.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-13936"
},
{
"category": "external",
"summary": "RHBZ#1937440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1937440"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-13936",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13936"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-13936",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13936"
}
],
"release_date": "2021-03-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:26:18+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied.\n\nFor details about how to apply this update, see:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3658"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "velocity: arbitrary code execution when attacker is able to modify templates"
},
{
"acknowledgments": [
{
"names": [
"Damian Bury"
]
}
],
"cve": "CVE-2021-3536",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2021-02-12T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1948001"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wildfly. While creating a new role in the domain mode via the admin console, it is possible to add a payload in the name field, leading to a Cross-site scripting attack (XSS). The highest threat from this vulnerability is to confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly: XSS via admin console when creating roles in domain mode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw does not affect Red Hat CodeReady Studio 12 because it uses the Wildfly client only. The domain mode is not used.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3536"
},
{
"category": "external",
"summary": "RHBZ#1948001",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948001"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3536",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3536"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3536",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3536"
}
],
"release_date": "2021-04-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:26:18+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied.\n\nFor details about how to apply this update, see:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3658"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "wildfly: XSS via admin console when creating roles in domain mode"
},
{
"cve": "CVE-2021-3597",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"discovery_date": "2021-02-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1970930"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3597"
},
{
"category": "external",
"summary": "RHBZ#1970930",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1970930"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3597",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3597"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3597",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3597"
}
],
"release_date": "2021-06-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:26:18+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied.\n\nFor details about how to apply this update, see:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3658"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS"
},
{
"cve": "CVE-2021-3642",
"cwe": {
"id": "CWE-203",
"name": "Observable Discrepancy"
},
"discovery_date": "2021-06-30T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1981407"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wildfly Elytron where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly-elytron: possible timing attack in ScramServer",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3642"
},
{
"category": "external",
"summary": "RHBZ#1981407",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981407"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3642",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3642"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3642",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3642"
}
],
"release_date": "2021-06-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:26:18+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied.\n\nFor details about how to apply this update, see:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3658"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "wildfly-elytron: possible timing attack in ScramServer"
},
{
"acknowledgments": [
{
"names": [
"Darran Lofthouse"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2021-3644",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2021-02-24T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1976052"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in wildfly-core in all versions. If a vault expression is in the form of a single attribute that contains multiple expressions, a user who was granted access to the management interface can potentially access a vault expression they should not be able to access and possibly retrieve the item which was stored in the vault. The highest threat from this vulnerability is data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly-core: Invalid Sensitivity Classification of Vault Expression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat CodeReady Studio 12 is not affected by this flaw as it does not ship the vulnerable component of wildfly.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3644"
},
{
"category": "external",
"summary": "RHBZ#1976052",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1976052"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3644",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3644"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3644",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3644"
}
],
"release_date": "2021-07-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:26:18+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied.\n\nFor details about how to apply this update, see:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3658"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "wildfly-core: Invalid Sensitivity Classification of Vault Expression"
},
{
"cve": "CVE-2021-3690",
"cwe": {
"id": "CWE-401",
"name": "Missing Release of Memory after Effective Lifetime"
},
"discovery_date": "2021-08-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1991299"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undertow: buffer leak on incoming websocket PONG message may lead to DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Although Red Hat OpenStack Platform packages the vulnerable code in Opendaylight, it does not use or support the undertow-encapsulating features. The security impact for RHOSP is therefore rated as Low and no update will be provided at this time.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3690"
},
{
"category": "external",
"summary": "RHBZ#1991299",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1991299"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3690",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3690"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3690",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3690"
}
],
"release_date": "2021-07-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:26:18+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied.\n\nFor details about how to apply this update, see:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3658"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "undertow: buffer leak on incoming websocket PONG message may lead to DoS"
},
{
"cve": "CVE-2021-21295",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-03-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1937364"
}
],
"notes": [
{
"category": "description",
"text": "In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel\u0027s pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: possible request smuggling in HTTP/2 due missing validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-21295"
},
{
"category": "external",
"summary": "RHBZ#1937364",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1937364"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-21295",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21295"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21295",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21295"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj",
"url": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj"
}
],
"release_date": "2021-03-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:26:18+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied.\n\nFor details about how to apply this update, see:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3658"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty: possible request smuggling in HTTP/2 due missing validation"
},
{
"cve": "CVE-2021-21409",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"
},
"discovery_date": "2021-03-30T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1944888"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: Request smuggling via content-length header",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite ships a vulnerable Netty version embedded in Candlepin. However, it is not directly vulnerable since the HTTP requests are handled by Tomcat and not by Netty.\nRed Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nIn OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec-http package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-21409"
},
{
"category": "external",
"summary": "RHBZ#1944888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944888"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-21409",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21409"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32",
"url": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32"
}
],
"release_date": "2021-03-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:26:18+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied.\n\nFor details about how to apply this update, see:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3658"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty: Request smuggling via content-length header"
},
{
"cve": "CVE-2021-28170",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-05-26T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1965497"
}
],
"notes": [
{
"category": "description",
"text": "In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluate",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-28170"
},
{
"category": "external",
"summary": "RHBZ#1965497",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1965497"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-28170",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28170"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-28170",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28170"
},
{
"category": "external",
"summary": "https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/",
"url": "https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/"
}
],
"release_date": "2021-04-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:26:18+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied.\n\nFor details about how to apply this update, see:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3658"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluate"
},
{
"cve": "CVE-2021-29425",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2021-04-12T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1948752"
}
],
"notes": [
{
"category": "description",
"text": "In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like \"//../foo\", or \"\\\\..\\foo\", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus \"limited\" path traversal), if the calling code would use the result to construct a path value.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "While the apache-commons-io package included in Red Hat Enterprise Linux 8 Maven App Stream contains the vulnerable code, it is not used in any way by Maven or other packages in this module. This package is not an API component of Maven, thus the affected code can not be reached in any supported scenario.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-29425"
},
{
"category": "external",
"summary": "RHBZ#1948752",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948752"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-29425",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29425"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-29425",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29425"
}
],
"release_date": "2021-04-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:26:18+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied.\n\nFor details about how to apply this update, see:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3658"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-commons-io-0:2.10.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-artemis-wildfly-integration-0:1.0.4-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.1-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.7-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-0:5.3.21-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-core-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-entitymanager-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-envers-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-java8-0:5.3.21-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-0:11.0.12-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-jdbc-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-cachestore-remote-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-client-hotrod-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-component-annotations-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-core-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-commons-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-spi-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-infinispan-hibernate-cache-v53-0:11.0.12-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.4.35-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.4.35-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jakarta-el-0:3.0.3-2.redhat_00006.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jberet-0:1.3.9-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jberet-core-0:1.3.9-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.23-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-8.Final_redhat_00009.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-8.Final_redhat_00009.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jgroups-kubernetes-0:1.0.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-netty-0:4.1.63-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-netty-all-0:4.1.63-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-picketbox-0:5.0.3-9.Final_redhat_00008.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-picketbox-infinispan-0:5.0.3-9.Final_redhat_00008.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.9-2.SP1_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.1-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-velocity-0:2.3.0-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-velocity-engine-core-0:2.3.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.1-2.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.5-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.5-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-http-client-common-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-ejb-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-naming-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-http-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.1-2.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-transaction-client-0:1.1.14-2.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-xalan-j2-0:2.7.1-36.redhat_00013.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-yasson-0:1.0.9-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6"
}
]
}
RHSA-2021:3660
Vulnerability from csaf_redhat - Published: 2021-09-23 16:28 - Updated: 2026-05-14 22:25

A flaw was found in velocity. An attacker, able to modify Velocity templates, may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss Enterprise Application Platform 7 (Red Hat / Red Hat JBoss Enterprise Application Platform) | cpe:/a:redhat:jboss_enterprise_application_platform:7.4 | — | Vendor Fix |
A flaw was found in Wildfly. While creating a new role in the domain mode via the admin console, it is possible to add a payload in the name field, leading to a Cross-site scripting attack (XSS). The highest threat from this vulnerability is to confidentiality and integrity.

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss Enterprise Application Platform 7 (Red Hat / Red Hat JBoss Enterprise Application Platform) | cpe:/a:redhat:jboss_enterprise_application_platform:7.4 | — | Vendor Fix |
A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss Enterprise Application Platform 7 (Red Hat / Red Hat JBoss Enterprise Application Platform) | cpe:/a:redhat:jboss_enterprise_application_platform:7.4 | — | Vendor Fix |
A flaw was found in Wildfly Elytron where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.

CWE-203 - Observable Discrepancy

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss Enterprise Application Platform 7 (Red Hat / Red Hat JBoss Enterprise Application Platform) | cpe:/a:redhat:jboss_enterprise_application_platform:7.4 | — | Vendor Fix |
A flaw was found in wildfly-core in all versions. If a vault expression is in the form of a single attribute that contains multiple expressions, a user who was granted access to the management interface can potentially access a vault expression they should not be able to access and possibly retrieve the item which was stored in the vault. The highest threat from this vulnerability is data confidentiality and integrity.

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss Enterprise Application Platform 7 (Red Hat / Red Hat JBoss Enterprise Application Platform) | cpe:/a:redhat:jboss_enterprise_application_platform:7.4 | — | Vendor Fix |
A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss Enterprise Application Platform 7 (Red Hat / Red Hat JBoss Enterprise Application Platform) | cpe:/a:redhat:jboss_enterprise_application_platform:7.4 | — | Vendor Fix |
A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss Enterprise Application Platform 7 (Red Hat / Red Hat JBoss Enterprise Application Platform) | cpe:/a:redhat:jboss_enterprise_application_platform:7.4 | — | Vendor Fix |
In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss Enterprise Application Platform 7 (Red Hat / Red Hat JBoss Enterprise Application Platform) | cpe:/a:redhat:jboss_enterprise_application_platform:7.4 | — | Vendor Fix |
In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss Enterprise Application Platform 7 (Red Hat / Red Hat JBoss Enterprise Application Platform) | cpe:/a:redhat:jboss_enterprise_application_platform:7.4 | — | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.4.1 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.0 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.1 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* velocity: arbitrary code execution when attacker is able to modify templates (CVE-2020-13936)\n\n* undertow: buffer leak on incoming websocket PONG message may lead to DoS (CVE-2021-3690)\n\n* undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS (CVE-2021-3597)\n\n* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)\n\n* netty: Request smuggling via content-length header (CVE-2021-21409)\n\n* jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluate (CVE-2021-28170)\n\n* apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6 (CVE-2021-29425)\n\n* wildfly: XSS via admin console when creating roles in domain mode (CVE-2021-3536)\n\n* wildfly-core: Invalid Sensitivity Classification of Vault Expression (CVE-2021-3644)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2021:3660",
"url": "https://access.redhat.com/errata/RHSA-2021:3660"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.4",
"url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.4"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/index",
"url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/index"
},
{
"category": "external",
"summary": "1937440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1937440"
},
{
"category": "external",
"summary": "1944888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944888"
},
{
"category": "external",
"summary": "1948001",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948001"
},
{
"category": "external",
"summary": "1948752",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948752"
},
{
"category": "external",
"summary": "1965497",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1965497"
},
{
"category": "external",
"summary": "1970930",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1970930"
},
{
"category": "external",
"summary": "1976052",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1976052"
},
{
"category": "external",
"summary": "1981407",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981407"
},
{
"category": "external",
"summary": "1991299",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1991299"
},
{
"category": "external",
"summary": "JBEAP-21231",
"url": "https://issues.redhat.com/browse/JBEAP-21231"
},
{
"category": "external",
"summary": "JBEAP-21257",
"url": "https://issues.redhat.com/browse/JBEAP-21257"
},
{
"category": "external",
"summary": "JBEAP-21258",
"url": "https://issues.redhat.com/browse/JBEAP-21258"
},
{
"category": "external",
"summary": "JBEAP-21261",
"url": "https://issues.redhat.com/browse/JBEAP-21261"
},
{
"category": "external",
"summary": "JBEAP-21263",
"url": "https://issues.redhat.com/browse/JBEAP-21263"
},
{
"category": "external",
"summary": "JBEAP-21270",
"url": "https://issues.redhat.com/browse/JBEAP-21270"
},
{
"category": "external",
"summary": "JBEAP-21276",
"url": "https://issues.redhat.com/browse/JBEAP-21276"
},
{
"category": "external",
"summary": "JBEAP-21277",
"url": "https://issues.redhat.com/browse/JBEAP-21277"
},
{
"category": "external",
"summary": "JBEAP-21281",
"url": "https://issues.redhat.com/browse/JBEAP-21281"
},
{
"category": "external",
"summary": "JBEAP-21300",
"url": "https://issues.redhat.com/browse/JBEAP-21300"
},
{
"category": "external",
"summary": "JBEAP-21309",
"url": "https://issues.redhat.com/browse/JBEAP-21309"
},
{
"category": "external",
"summary": "JBEAP-21313",
"url": "https://issues.redhat.com/browse/JBEAP-21313"
},
{
"category": "external",
"summary": "JBEAP-21472",
"url": "https://issues.redhat.com/browse/JBEAP-21472"
},
{
"category": "external",
"summary": "JBEAP-21569",
"url": "https://issues.redhat.com/browse/JBEAP-21569"
},
{
"category": "external",
"summary": "JBEAP-21777",
"url": "https://issues.redhat.com/browse/JBEAP-21777"
},
{
"category": "external",
"summary": "JBEAP-21781",
"url": "https://issues.redhat.com/browse/JBEAP-21781"
},
{
"category": "external",
"summary": "JBEAP-21818",
"url": "https://issues.redhat.com/browse/JBEAP-21818"
},
{
"category": "external",
"summary": "JBEAP-21961",
"url": "https://issues.redhat.com/browse/JBEAP-21961"
},
{
"category": "external",
"summary": "JBEAP-21978",
"url": "https://issues.redhat.com/browse/JBEAP-21978"
},
{
"category": "external",
"summary": "JBEAP-22009",
"url": "https://issues.redhat.com/browse/JBEAP-22009"
},
{
"category": "external",
"summary": "JBEAP-22084",
"url": "https://issues.redhat.com/browse/JBEAP-22084"
},
{
"category": "external",
"summary": "JBEAP-22088",
"url": "https://issues.redhat.com/browse/JBEAP-22088"
},
{
"category": "external",
"summary": "JBEAP-22160",
"url": "https://issues.redhat.com/browse/JBEAP-22160"
},
{
"category": "external",
"summary": "JBEAP-22209",
"url": "https://issues.redhat.com/browse/JBEAP-22209"
},
{
"category": "external",
"summary": "JBEAP-22318",
"url": "https://issues.redhat.com/browse/JBEAP-22318"
},
{
"category": "external",
"summary": "JBEAP-22319",
"url": "https://issues.redhat.com/browse/JBEAP-22319"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_3660.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.1 security update",
"tracking": {
"current_release_date": "2026-05-14T22:25:02+00:00",
"generator": {
"date": "2026-05-14T22:25:02+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2021:3660",
"initial_release_date": "2021-09-23T16:28:54+00:00",
"revision_history": [
{
"date": "2021-09-23T16:28:54+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-10-23T22:28:15+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:25:02+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 7",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 7",
"product_id": "Red Hat JBoss Enterprise Application Platform 7",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Enterprise Application Platform"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-13936",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2021-03-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1937440"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in velocity. An attacker, able to modify Velocity templates, may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "velocity: arbitrary code execution when attacker is able to modify templates",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform (OCP) openshift-logging/elasticsearch6-rhel8 container does contain a vulnerable version of velocity. The references to the library only occur in the x-pack component which is an enterprise-only feature of Elasticsearch - hence it has been marked as wontfix as this time and may be fixed in a future release. Additionally the hive container only references velocity in the testutils of the code but the code still exists in the container, as such it has been given a Moderate impact.\n\n* Velocity as shipped with Red Hat Enterprise Linux 6 is not affected because it does not contain the vulnerable code.\n\n* Velocity as shipped with Red Hat Enterprise Linux 7 contains a vulnerable version, but it is used as a dependency for IdM/ipa, which does not use the vulnerable functionality. It has been marked as Moderate for this reason.\n\n* Although velocity shipped in Red Hat Enterprise Linux 8\u0027s pki-deps:10.6 for IdM/ipa is a vulnerable version, the vulnerable code is not used by pki. It has been marked as Low for this reason.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-13936"
},
{
"category": "external",
"summary": "RHBZ#1937440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1937440"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-13936",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13936"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-13936",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13936"
}
],
"release_date": "2021-03-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:28:54+00:00",
"details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3660"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "velocity: arbitrary code execution when attacker is able to modify templates"
},
{
"acknowledgments": [
{
"names": [
"Damian Bury"
]
}
],
"cve": "CVE-2021-3536",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2021-02-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1948001"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wildfly. While creating a new role in the domain mode via the admin console, it is possible to add a payload in the name field, leading to a Cross-site scripting attack (XSS). The highest threat from this vulnerability is to confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly: XSS via admin console when creating roles in domain mode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw does not affect Red Hat CodeReady Studio 12 because it uses the Wildfly client only. The domain mode is not used.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3536"
},
{
"category": "external",
"summary": "RHBZ#1948001",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948001"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3536",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3536"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3536",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3536"
}
],
"release_date": "2021-04-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:28:54+00:00",
"details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3660"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "wildfly: XSS via admin console when creating roles in domain mode"
},
{
"cve": "CVE-2021-3597",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"discovery_date": "2021-02-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1970930"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3597"
},
{
"category": "external",
"summary": "RHBZ#1970930",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1970930"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3597",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3597"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3597",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3597"
}
],
"release_date": "2021-06-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:28:54+00:00",
"details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3660"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS"
},
{
"cve": "CVE-2021-3642",
"cwe": {
"id": "CWE-203",
"name": "Observable Discrepancy"
},
"discovery_date": "2021-06-30T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1981407"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wildfly Elytron where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly-elytron: possible timing attack in ScramServer",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3642"
},
{
"category": "external",
"summary": "RHBZ#1981407",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981407"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3642",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3642"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3642",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3642"
}
],
"release_date": "2021-06-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:28:54+00:00",
"details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3660"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "wildfly-elytron: possible timing attack in ScramServer"
},
{
"acknowledgments": [
{
"names": [
"Darran Lofthouse"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2021-3644",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2021-02-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1976052"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in wildfly-core in all versions. If a vault expression is in the form of a single attribute that contains multiple expressions, a user who was granted access to the management interface can potentially access a vault expression they should not be able to access and possibly retrieve the item which was stored in the vault. The highest threat from this vulnerability is data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly-core: Invalid Sensitivity Classification of Vault Expression",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat CodeReady Studio 12 is not affected by this flaw as it does not ship the vulnerable component of wildfly.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3644"
},
{
"category": "external",
"summary": "RHBZ#1976052",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1976052"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3644",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3644"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3644",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3644"
}
],
"release_date": "2021-07-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:28:54+00:00",
"details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3660"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "wildfly-core: Invalid Sensitivity Classification of Vault Expression"
},
{
"cve": "CVE-2021-3690",
"cwe": {
"id": "CWE-401",
"name": "Missing Release of Memory after Effective Lifetime"
},
"discovery_date": "2021-08-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1991299"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undertow: buffer leak on incoming websocket PONG message may lead to DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Although Red Hat OpenStack Platform packages the vulnerable code in Opendaylight, it does not use or support the undertow-encapsulating features. The security impact for RHOSP is therefore rated as Low and no update will be provided at this time.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3690"
},
{
"category": "external",
"summary": "RHBZ#1991299",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1991299"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3690",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3690"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3690",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3690"
}
],
"release_date": "2021-07-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:28:54+00:00",
"details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3660"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "undertow: buffer leak on incoming websocket PONG message may lead to DoS"
},
{
"cve": "CVE-2021-21409",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-03-30T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1944888"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: Request smuggling via content-length header",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite ships a vulnerable Netty version embedded in Candlepin. However, it is not directly vulnerable since the HTTP requests are handled by Tomcat and not by Netty.\nRed Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nIn OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec-http package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-21409"
},
{
"category": "external",
"summary": "RHBZ#1944888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944888"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-21409",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21409"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32",
"url": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32"
}
],
"release_date": "2021-03-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:28:54+00:00",
"details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3660"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty: Request smuggling via content-length header"
},
{
"cve": "CVE-2021-28170",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-05-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1965497"
}
],
"notes": [
{
"category": "description",
"text": "In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluate",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-28170"
},
{
"category": "external",
"summary": "RHBZ#1965497",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1965497"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-28170",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28170"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-28170",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28170"
},
{
"category": "external",
"summary": "https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/",
"url": "https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/"
}
],
"release_date": "2021-04-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:28:54+00:00",
"details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3660"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluate"
},
{
"cve": "CVE-2021-29425",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2021-04-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1948752"
}
],
"notes": [
{
"category": "description",
"text": "In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like \"//../foo\", or \"\\\\..\\foo\", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus \"limited\" path traversal), if the calling code would use the result to construct a path value.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "While the apache-commons-io package included in Red Hat Enterprise Linux 8 Maven App Stream contains the vulnerable code, it is not used in any way by Maven or other packages in this module. This package is not an API component of Maven, thus the affected code can not be reached in any supported scenario.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-29425"
},
{
"category": "external",
"summary": "RHBZ#1948752",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948752"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-29425",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29425"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-29425",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29425"
}
],
"release_date": "2021-04-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-23T16:28:54+00:00",
"details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3660"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6"
}
]
}
RHSA-2021:3700
Vulnerability from csaf_redhat - Published: 2021-09-30 09:57 - Updated: 2026-05-14 22:30

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat AMQ 7.9.0 (Red Hat / Red Hat JBoss AMQ) | cpe:/a:redhat:amq_broker:7 | — | Vendor Fix fix |
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat AMQ 7.9.0 (Red Hat / Red Hat JBoss AMQ) | cpe:/a:redhat:amq_broker:7 | — | Vendor Fix fix |
A flaw was found in the AMQ Broker that discloses JDBC encrypted usernames and passwords when provided in the AMQ Broker application logfile when using the jdbc persistence functionality. Versions shipped in Red Hat AMQ 7 are vulnerable.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat AMQ 7.9.0 (Red Hat / Red Hat JBoss AMQ) | cpe:/a:redhat:amq_broker:7 | — | Vendor Fix fix |
A flaw was found in the Red Hat AMQ Broker management console in version 7.8 where an existing user is able to access some limited information even when the role the user is assigned to should not allow access to the management console. The main impact is to confidentiality: because some role bindings are incorrectly checked, some privileged meta information such as queue names and configuration details is disclosed. The impact is limited, as not all information is accessible and there is no effect on integrity.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat AMQ 7.9.0 (Red Hat / Red Hat JBoss AMQ) | cpe:/a:redhat:amq_broker:7 | — | Vendor Fix fix |
A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat AMQ 7.9.0 (Red Hat / Red Hat JBoss AMQ) | cpe:/a:redhat:amq_broker:7 | — | Vendor Fix fix |
In Netty there is a vulnerability on Unix-like systems involving an insecure temp file. When Netty's multipart decoders are used, a local information disclosure can occur via the local system temporary directory if temporarily storing uploads on disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat AMQ 7.9.0 (Red Hat / Red Hat JBoss AMQ) | cpe:/a:redhat:amq_broker:7 | — | Vendor Fix fix |
In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and is then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat AMQ 7.9.0 (Red Hat / Red Hat JBoss AMQ) | cpe:/a:redhat:amq_broker:7 | — | Vendor Fix fix |
A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat AMQ 7.9.0 (Red Hat / Red Hat JBoss AMQ) | cpe:/a:redhat:amq_broker:7 | — | Vendor Fix fix |
If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink the contents of the ${jetty.base}/webapps directory may be deployed as a static web application, exposing the content of the directory for download. The highest threat from this vulnerability is to data confidentiality.
CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat AMQ 7.9.0 (Red Hat / Red Hat JBoss AMQ) | cpe:/a:redhat:amq_broker:7 | — | Vendor Fix fix |
In Jetty the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. An attacker can use this vulnerability to reveal sensitive information regarding the implementation of a web application.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat AMQ 7.9.0 (Red Hat / Red Hat JBoss AMQ) | cpe:/a:redhat:amq_broker:7 | — | Vendor Fix fix |
When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing high CPU resources utilization. The highest threat from this vulnerability is to service availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat AMQ 7.9.0 (Red Hat / Red Hat JBoss AMQ) | cpe:/a:redhat:amq_broker:7 | — | Vendor Fix fix |
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat AMQ 7.9.0 (Red Hat / Red Hat JBoss AMQ) | cpe:/a:redhat:amq_broker:7 | — | Vendor Fix fix |
In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat AMQ 7.9.0 (Red Hat / Red Hat JBoss AMQ) | cpe:/a:redhat:amq_broker:7 | — | Vendor Fix fix |
A flaw was discovered in the jetty-server, where if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts, this could result in a session not being invalidated and a shared-computer application being left logged in. The highest threat from this vulnerability is to data confidentiality and integrity.
CWE-613 - Insufficient Session Expiration

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat AMQ 7.9.0 (Red Hat / Red Hat JBoss AMQ) | cpe:/a:redhat:amq_broker:7 | — | Vendor Fix fix, Workaround |
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat AMQ 7.9.0 (Red Hat / Red Hat JBoss AMQ) | cpe:/a:redhat:amq_broker:7 | — | Vendor Fix fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat AMQ Broker 7.9.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. \n\nThis release of Red Hat AMQ Broker 7.9.0 serves as a replacement for Red Hat AMQ Broker 7.8.2, and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* httpclient: apache-httpclient: incorrect handling of malformed authority component in request URIs (CVE-2020-13956)\n\n* jetty: request containing multiple Accept headers with a large number of \"quality\" parameters may lead to DoS (CVE-2020-27223)\n\n* resteasy-jaxrs: resteasy: Error message exposes endpoint class information (CVE-2021-20289)\n\n* netty: Information disclosure via the local system temporary directory (CVE-2021-21290)\n\n* netty: possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295)\n\n* netty: Request smuggling via content-length header (CVE-2021-21409)\n\n* jetty-server: jetty: Symlink directory exposes webapp directory contents (CVE-2021-28163)\n\n* jetty-server: jetty: Ambiguous paths can access WEB-INF (CVE-2021-28164)\n\n* jetty-server: jetty: Resource exhaustion when receiving an invalid large TLS frame (CVE-2021-28165)\n\n* jetty-server: jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory (CVE-2021-28169)\n\n* commons-io: apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6 (CVE-2021-29425)\n\n* broker: Red Hat AMQ Broker: discloses JDBC username and password in the application log file (CVE-2021-3425)\n\n* jetty-server: jetty: SessionListener can prevent a session from being invalidated breaking logout (CVE-2021-34428)\n\n* jetty-server: jetty: crafted URIs allow bypassing security constraints (CVE-2021-34429)\n\n* broker: AMQ Broker 7: Incorrect privilege in Management Console (CVE-2021-3763)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2021:3700",
"url": "https://access.redhat.com/errata/RHSA-2021:3700"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.amq.broker\u0026version=7.9.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.amq.broker\u0026version=7.9.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_amq/2021.q4",
"url": "https://access.redhat.com/documentation/en-us/red_hat_amq/2021.q4"
},
{
"category": "external",
"summary": "1886587",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1886587"
},
{
"category": "external",
"summary": "1927028",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1927028"
},
{
"category": "external",
"summary": "1934116",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934116"
},
{
"category": "external",
"summary": "1935927",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935927"
},
{
"category": "external",
"summary": "1936629",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1936629"
},
{
"category": "external",
"summary": "1937364",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1937364"
},
{
"category": "external",
"summary": "1944888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944888"
},
{
"category": "external",
"summary": "1945710",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945710"
},
{
"category": "external",
"summary": "1945712",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945712"
},
{
"category": "external",
"summary": "1945714",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945714"
},
{
"category": "external",
"summary": "1948752",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948752"
},
{
"category": "external",
"summary": "1971016",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1971016"
},
{
"category": "external",
"summary": "1974891",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1974891"
},
{
"category": "external",
"summary": "1985223",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1985223"
},
{
"category": "external",
"summary": "2000654",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2000654"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_3700.json"
}
],
"title": "Red Hat Security Advisory: Red Hat AMQ Broker 7.9.0 release and security update",
"tracking": {
"current_release_date": "2026-05-14T22:30:29+00:00",
"generator": {
"date": "2026-05-14T22:30:29+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2021:3700",
"initial_release_date": "2021-09-30T09:57:35+00:00",
"revision_history": [
{
"date": "2021-09-30T09:57:35+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2021-09-30T09:57:35+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:30:29+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat AMQ 7.9.0",
"product": {
"name": "Red Hat AMQ 7.9.0",
"product_id": "Red Hat AMQ 7.9.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:amq_broker:7"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss AMQ"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-13956",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2020-10-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1886587"
}
],
"notes": [
{
"category": "description",
"text": "Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-httpclient: incorrect handling of malformed authority component in request URIs",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP) the affected components are behind OpenShift OAuth authentication. This restricts access to the vulnerable httpclient library to authenticated users only. Additionally the vulnerable httpclient library is not used directly in OCP components, therefore the impact by this vulnerability is Low.\nIn OCP 4 there are no plans to maintain ose-logging-elasticsearch5 container, hence marked as wontfix.\n\nIn the Red Hat Enterprise Linux platforms, Maven 35 and 36 are affected via their respective `httpcomponents-client` component.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ 7.9.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-13956"
},
{
"category": "external",
"summary": "RHBZ#1886587",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1886587"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-13956",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13956"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-13956",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13956"
},
{
"category": "external",
"summary": "https://www.openwall.com/lists/oss-security/2020/10/08/4",
"url": "https://www.openwall.com/lists/oss-security/2020/10/08/4"
}
],
"release_date": "2020-10-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-30T09:57:35+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ 7.9.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3700"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat AMQ 7.9.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "apache-httpclient: incorrect handling of malformed authority component in request URIs"
},
{
"cve": "CVE-2020-27223",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-02-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1934116"
}
],
"notes": [
{
"category": "description",
"text": "In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of \u201cquality\u201d (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty: request containing multiple Accept headers with a large number of \"quality\" parameters may lead to DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of jetty.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ 7.9.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-27223"
},
{
"category": "external",
"summary": "RHBZ#1934116",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934116"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-27223",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27223"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-27223",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27223"
},
{
"category": "external",
"summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7",
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7"
}
],
"release_date": "2021-02-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-30T09:57:35+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ 7.9.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3700"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat AMQ 7.9.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jetty: request containing multiple Accept headers with a large number of \"quality\" parameters may lead to DoS"
},
{
"acknowledgments": [
{
"names": [
"Wai Chun Hui"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2021-3425",
"cwe": {
"id": "CWE-532",
"name": "Insertion of Sensitive Information into Log File"
},
"discovery_date": "2021-03-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1936629"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the AMQ Broker that discloses JDBC encrypted usernames and passwords when provided in the AMQ Broker application logfile when using the jdbc persistence functionality. Versions shipped in Red Hat AMQ 7 are vulnerable.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Broker: discloses JDBC username and password in the application log file",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ 7.9.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3425"
},
{
"category": "external",
"summary": "RHBZ#1936629",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1936629"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3425",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3425"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3425",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3425"
}
],
"release_date": "2021-03-08T20:30:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-30T09:57:35+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ 7.9.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3700"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat AMQ 7.9.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Broker: discloses JDBC username and password in the application log file"
},
{
"acknowledgments": [
{
"names": [
"Mudassar Iqbal"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2021-3763",
"cwe": {
"id": "CWE-863",
"name": "Incorrect Authorization"
},
"discovery_date": "2021-06-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2000654"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Red Hat AMQ Broker management console in version 7.8 where an existing user is able to access some limited information even when the role the user is assigned to should not be allow access to the management console. The main impact is to confidentiality as this flaw means some role bindings are incorrectly checked, some privileged meta information such as queue names and configuration details are disclosed but the impact is limited as not all information is accessible and there is no affect to integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "7: Incorrect privilege in Management Console",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ 7.9.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3763"
},
{
"category": "external",
"summary": "RHBZ#2000654",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2000654"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3763",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3763"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3763",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3763"
}
],
"release_date": "2021-08-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-30T09:57:35+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ 7.9.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3700"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat AMQ 7.9.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "7: Incorrect privilege in Management Console"
},
{
"acknowledgments": [
{
"names": [
"Dirk Papenberg"
],
"organization": "NTT DATA Germany"
}
],
"cve": "CVE-2021-20289",
"cwe": {
"id": "CWE-209",
"name": "Generation of Error Message Containing Sensitive Information"
},
"discovery_date": "2021-03-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1935927"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method\u0027s parameter value. The highest threat from this vulnerability is to data confidentiality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "resteasy: Error message exposes endpoint class information",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ 7.9.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-20289"
},
{
"category": "external",
"summary": "RHBZ#1935927",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935927"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-20289",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20289"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-20289",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20289"
}
],
"release_date": "2021-03-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-30T09:57:35+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ 7.9.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3700"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat AMQ 7.9.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "resteasy: Error message exposes endpoint class information"
},
{
"cve": "CVE-2021-21290",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2021-02-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1927028"
}
],
"notes": [
{
"category": "description",
"text": "In Netty there is a vulnerability on Unix-like systems involving an insecure temp file. When netty\u0027s multipart decoders are used, a local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: Information disclosure via the local system temporary directory",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ 7.9.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-21290"
},
{
"category": "external",
"summary": "RHBZ#1927028",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1927028"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-21290",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21290"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21290",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21290"
}
],
"release_date": "2021-02-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-30T09:57:35+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ 7.9.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3700"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat AMQ 7.9.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty: Information disclosure via the local system temporary directory"
},
{
"cve": "CVE-2021-21295",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-03-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1937364"
}
],
"notes": [
{
"category": "description",
"text": "In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel\u0027s pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: possible request smuggling in HTTP/2 due missing validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ 7.9.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-21295"
},
{
"category": "external",
"summary": "RHBZ#1937364",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1937364"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-21295",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21295"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21295",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21295"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj",
"url": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj"
}
],
"release_date": "2021-03-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-30T09:57:35+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ 7.9.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3700"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat AMQ 7.9.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty: possible request smuggling in HTTP/2 due missing validation"
},
{
"cve": "CVE-2021-21409",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-03-30T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1944888"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: Request smuggling via content-length header",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite ships a vulnerable Netty version embedded in Candlepin. However, it is not directly vulnerable since the HTTP requests are handled by Tomcat and not by Netty.\nRed Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nIn OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec-http package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ 7.9.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-21409"
},
{
"category": "external",
"summary": "RHBZ#1944888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944888"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-21409",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21409"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32",
"url": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32"
}
],
"release_date": "2021-03-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-30T09:57:35+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ 7.9.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3700"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat AMQ 7.9.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty: Request smuggling via content-length header"
},
{
"cve": "CVE-2021-28163",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2021-04-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1945710"
}
],
"notes": [
{
"category": "description",
"text": "If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink the contents of the ${jetty.base}/webapps directory may be deployed as a static web application, exposing the content of the directory for download. The highest threat from this vulnerability is to data confidentiality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty: Symlink directory exposes webapp directory contents",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jetty.\nSince the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated\n\nRed Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nRed Hat CodeReady Studio 12 is not affected by this vulnerability because it does not ship a vulnerable version of jetty.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ 7.9.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-28163"
},
{
"category": "external",
"summary": "RHBZ#1945710",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945710"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-28163",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28163"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-28163",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28163"
},
{
"category": "external",
"summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq",
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq"
}
],
"release_date": "2021-04-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-30T09:57:35+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ 7.9.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3700"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat AMQ 7.9.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jetty: Symlink directory exposes webapp directory contents"
},
{
"cve": "CVE-2021-28164",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2021-04-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1945712"
}
],
"notes": [
{
"category": "description",
"text": "In Jetty the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. An attacker can use this vulnerability to reveal sensitive information regarding the implementation of a web application.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty: Ambiguous paths can access WEB-INF",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nRed Hat CodeReady Studio 12 is not affected by this vulnerability because it does not ship a vulnerable version of jetty.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ 7.9.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-28164"
},
{
"category": "external",
"summary": "RHBZ#1945712",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945712"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-28164",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28164"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-28164",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28164"
},
{
"category": "external",
"summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5",
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5"
}
],
"release_date": "2021-04-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-30T09:57:35+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ 7.9.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3700"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat AMQ 7.9.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jetty: Ambiguous paths can access WEB-INF"
},
{
"cve": "CVE-2021-28165",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-04-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1945714"
}
],
"notes": [
{
"category": "description",
"text": "When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing high CPU resources utilization. The highest threat from this vulnerability is to service availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty: Resource exhaustion when receiving an invalid large TLS frame",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jetty.\nSince the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated\n\nRed Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ 7.9.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-28165"
},
{
"category": "external",
"summary": "RHBZ#1945714",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945714"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-28165",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28165"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-28165",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28165"
},
{
"category": "external",
"summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w",
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w"
}
],
"release_date": "2021-04-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-30T09:57:35+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ 7.9.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3700"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat AMQ 7.9.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jetty: Resource exhaustion when receiving an invalid large TLS frame"
},
{
"cve": "CVE-2021-28169",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2021-06-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1971016"
}
],
"notes": [
{
"category": "description",
"text": "For Eclipse Jetty versions \u003c= 9.4.40, \u003c= 10.0.2, \u003c= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jetty.\nSince the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated\n\nRed Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nRed Hat CodeReady Studio 12 is not affected by this flaw because it does not ship the vulnerable components (ConcatServlet or WelcomeFilter) of jetty.\n\nRed Hat Enterprise Linux 8 is not affected by this flaw because it does not ship the vulnerable components (ConcatServlet or WelcomeFilter) of jetty.\n\nRed Hat Enterprise Linux 7 ships the vulnerable component of jetty, but only in the optional repository and thus this flaw is out of support scope for Red Hat Enterprise Linux 7.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ 7.9.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-28169"
},
{
"category": "external",
"summary": "RHBZ#1971016",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1971016"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-28169",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28169"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-28169",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28169"
}
],
"release_date": "2021-06-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-30T09:57:35+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ 7.9.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3700"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat AMQ 7.9.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory"
},
{
"cve": "CVE-2021-29425",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2021-04-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1948752"
}
],
"notes": [
{
"category": "description",
"text": "In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like \"//../foo\", or \"\\\\..\\foo\", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus \"limited\" path traversal), if the calling code would use the result to construct a path value.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "While the apache-commons-io package included in Red Hat Enterprise Linux 8 Maven App Stream contains the vulnerable code, it is not used in any way by Maven or other packages in this module. This package is not an API component of Maven, thus the affected code can not be reached in any supported scenario.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ 7.9.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-29425"
},
{
"category": "external",
"summary": "RHBZ#1948752",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948752"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-29425",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29425"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-29425",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29425"
}
],
"release_date": "2021-04-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-30T09:57:35+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ 7.9.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3700"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat AMQ 7.9.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6"
},
{
"cve": "CVE-2021-34428",
"cwe": {
"id": "CWE-613",
"name": "Insufficient Session Expiration"
},
"discovery_date": "2021-06-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1974891"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in the jetty-server, where if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts, this could result in a session not being invalidated and a shared-computer application being left logged in. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty: SessionListener can prevent a session from being invalidated breaking logout",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jetty. Since the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix. This may be fixed in the future.\n\nOCP 3.11 is out of the support scope for Moderate and Low impact vulnerabilities because it is already in the Maintenance Support phase, hence the affected OCP 3.11 component has been marked as wontfix.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ 7.9.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-34428"
},
{
"category": "external",
"summary": "RHBZ#1974891",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1974891"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-34428",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34428"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-34428",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34428"
},
{
"category": "external",
"summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6",
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6"
}
],
"release_date": "2021-06-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-30T09:57:35+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ 7.9.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3700"
},
{
"category": "workaround",
"details": "Applications should catch all Throwables within their SessionListener#sessionDestroyed() implementations.",
"product_ids": [
"Red Hat AMQ 7.9.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat AMQ 7.9.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jetty: SessionListener can prevent a session from being invalidated breaking logout"
},
{
"cve": "CVE-2021-34429",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2021-07-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1985223"
}
],
"notes": [
{
"category": "description",
"text": "For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 \u0026 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jetty: crafted URIs allow bypassing security constraints",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OCP 3.11 is out of the support scope for Moderate and Low impact vulnerabilities because it is already in the Maintenance Support phase, hence the affected OCP 3.11 component has been marked as \"ooss\".\n\nRed Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Critical flaws.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat AMQ 7.9.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-34429"
},
{
"category": "external",
"summary": "RHBZ#1985223",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1985223"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-34429",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34429"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-34429",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34429"
}
],
"release_date": "2021-07-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-09-30T09:57:35+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat AMQ 7.9.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3700"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat AMQ 7.9.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jetty: crafted URIs allow bypassing security constraints"
}
]
}
RHSA-2021:3880
Vulnerability from csaf_redhat - Published: 2021-10-20 11:29 - Updated: 2026-05-14 22:31
This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat build of Quarkus 2.2.3 (Red Hat / Red Hat build of Quarkus) | cpe:/a:redhat:openshift_application_runtimes:1.0 | — | Vendor Fix (fix) |
A flaw was found in Wildfly Elytron where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.
CWE-203 - Observable Discrepancy
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat build of Quarkus 2.2.3 (Red Hat / Red Hat build of Quarkus) | cpe:/a:redhat:openshift_application_runtimes:1.0 | — | Vendor Fix (fix) |
A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat build of Quarkus 2.2.3 (Red Hat / Red Hat build of Quarkus) | cpe:/a:redhat:openshift_application_runtimes:1.0 | — | Vendor Fix (fix) |
In Netty there is a vulnerability on Unix-like systems involving an insecure temp file. When Netty's multipart decoders are used, a local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat build of Quarkus 2.2.3 (Red Hat / Red Hat build of Quarkus) | cpe:/a:redhat:openshift_application_runtimes:1.0 | — | Vendor Fix (fix) |
In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and is then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat build of Quarkus 2.2.3 (Red Hat / Red Hat build of Quarkus) | cpe:/a:redhat:openshift_application_runtimes:1.0 | — | Vendor Fix (fix) |
A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat build of Quarkus 2.2.3 (Red Hat / Red Hat build of Quarkus) | cpe:/a:redhat:openshift_application_runtimes:1.0 | — | Vendor Fix (fix) |
A flaw was found in maven. Repositories that are defined in a dependency’s Project Object Model (pom), which may be unknown to users, are used by default resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. The highest threat from this vulnerability is to data confidentiality and integrity.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat build of Quarkus 2.2.3 (Red Hat / Red Hat build of Quarkus) | cpe:/a:redhat:openshift_application_runtimes:1.0 | — | Vendor Fix (fix), Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat build of Quarkus.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "This release of Red Hat build of Quarkus 2.2.3 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section.\n\nSecurity Fix(es):\n\n* maven: Block repositories using http by default (CVE-2021-26291)\n\n* jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception (CVE-2020-28491)\n\n* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)\n\n* netty: Information disclosure via the local system temporary directory (CVE-2021-21290)\n\n* netty: possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295)\n\n* netty: Request smuggling via content-length header (CVE-2021-21409)\n\n* resteasy: Error message exposes endpoint class information (CVE-2021-20289)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2021:3880",
"url": "https://access.redhat.com/errata/RHSA-2021:3880"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=2.2.3",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=2.2.3"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.2/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.2/"
},
{
"category": "external",
"summary": "https://access.redhat.com/articles/4966181",
"url": "https://access.redhat.com/articles/4966181"
},
{
"category": "external",
"summary": "1927028",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1927028"
},
{
"category": "external",
"summary": "1930423",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1930423"
},
{
"category": "external",
"summary": "1935927",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935927"
},
{
"category": "external",
"summary": "1937364",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1937364"
},
{
"category": "external",
"summary": "1944888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944888"
},
{
"category": "external",
"summary": "1955739",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1955739"
},
{
"category": "external",
"summary": "1981407",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981407"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_3880.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Quarkus 2.2.3 release and security update",
"tracking": {
"current_release_date": "2026-05-14T22:31:36+00:00",
"generator": {
"date": "2026-05-14T22:31:36+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2021:3880",
"initial_release_date": "2021-10-20T11:29:22+00:00",
"revision_history": [
{
"date": "2021-10-20T11:29:22+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2021-10-20T11:29:22+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:31:36+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Quarkus 2.2.3",
"product": {
"name": "Red Hat build of Quarkus 2.2.3",
"product_id": "Red Hat build of Quarkus 2.2.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Quarkus"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-28491",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-02-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1930423"
}
],
"notes": [
{
"category": "description",
"text": "This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jackson-dataformat-cbor.\nSince the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\nIn OCP 4.6 the openshift4/ose-logging-elasticsearch6 container delivers the vulnerable version of jackson-dataformat-cbor, but OCP 4.6 is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities because it is now in the Maintenance Phase of the support, hence this component is marked as ooss. Since the release of OCP 4.7 this component is delivered as part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8 container).\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 2.2.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-28491"
},
{
"category": "external",
"summary": "RHBZ#1930423",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1930423"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-28491",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28491"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-28491",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28491"
},
{
"category": "external",
"summary": "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329",
"url": "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329"
}
],
"release_date": "2021-02-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-10-20T11:29:22+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.",
"product_ids": [
"Red Hat build of Quarkus 2.2.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3880"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 2.2.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception"
},
{
"cve": "CVE-2021-3642",
"cwe": {
"id": "CWE-203",
"name": "Observable Discrepancy"
},
"discovery_date": "2021-06-30T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1981407"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wildfly Elytron where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly-elytron: possible timing attack in ScramServer",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 2.2.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3642"
},
{
"category": "external",
"summary": "RHBZ#1981407",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981407"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3642",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3642"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3642",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3642"
}
],
"release_date": "2021-06-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-10-20T11:29:22+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.",
"product_ids": [
"Red Hat build of Quarkus 2.2.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3880"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 2.2.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "wildfly-elytron: possible timing attack in ScramServer"
},
{
"acknowledgments": [
{
"names": [
"Dirk Papenberg"
],
"organization": "NTT DATA Germany"
}
],
"cve": "CVE-2021-20289",
"cwe": {
"id": "CWE-209",
"name": "Generation of Error Message Containing Sensitive Information"
},
"discovery_date": "2021-03-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1935927"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method\u0027s parameter value. The highest threat from this vulnerability is to data confidentiality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "resteasy: Error message exposes endpoint class information",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 2.2.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-20289"
},
{
"category": "external",
"summary": "RHBZ#1935927",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935927"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-20289",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20289"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-20289",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20289"
}
],
"release_date": "2021-03-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-10-20T11:29:22+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.",
"product_ids": [
"Red Hat build of Quarkus 2.2.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3880"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 2.2.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "resteasy: Error message exposes endpoint class information"
},
{
"cve": "CVE-2021-21290",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2021-02-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1927028"
}
],
"notes": [
{
"category": "description",
"text": "In Netty there is a vulnerability on Unix-like systems involving an insecure temp file. When netty\u0027s multipart decoders are used, a local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: Information disclosure via the local system temporary directory",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 2.2.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-21290"
},
{
"category": "external",
"summary": "RHBZ#1927028",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1927028"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-21290",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21290"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21290",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21290"
}
],
"release_date": "2021-02-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-10-20T11:29:22+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.",
"product_ids": [
"Red Hat build of Quarkus 2.2.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3880"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 2.2.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "netty: Information disclosure via the local system temporary directory"
},
{
"cve": "CVE-2021-21295",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-03-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1937364"
}
],
"notes": [
{
"category": "description",
"text": "In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel\u0027s pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: possible request smuggling in HTTP/2 due missing validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 2.2.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-21295"
},
{
"category": "external",
"summary": "RHBZ#1937364",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1937364"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-21295",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21295"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21295",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21295"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj",
"url": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj"
}
],
"release_date": "2021-03-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-10-20T11:29:22+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.",
"product_ids": [
"Red Hat build of Quarkus 2.2.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3880"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 2.2.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty: possible request smuggling in HTTP/2 due missing validation"
},
{
"cve": "CVE-2021-21409",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-03-30T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1944888"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: Request smuggling via content-length header",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite ships a vulnerable Netty version embedded in Candlepin. However, it is not directly vulnerable since the HTTP requests are handled by Tomcat and not by Netty.\nRed Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nIn OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec-http package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 2.2.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-21409"
},
{
"category": "external",
"summary": "RHBZ#1944888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944888"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-21409",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21409"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32",
"url": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32"
}
],
"release_date": "2021-03-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-10-20T11:29:22+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.",
"product_ids": [
"Red Hat build of Quarkus 2.2.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3880"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 2.2.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty: Request smuggling via content-length header"
},
{
"cve": "CVE-2021-26291",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2021-04-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1955739"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in maven. Repositories that are defined in a dependency\u2019s Project Object Model (pom), which may be unknown to users, are used by default resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "maven: Block repositories using http by default",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 2.2.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-26291"
},
{
"category": "external",
"summary": "RHBZ#1955739",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1955739"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-26291",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-26291"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-26291",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26291"
},
{
"category": "external",
"summary": "https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291",
"url": "https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291"
}
],
"release_date": "2021-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-10-20T11:29:22+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.",
"product_ids": [
"Red Hat build of Quarkus 2.2.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3880"
},
{
"category": "workaround",
"details": "To avoid possible man-in-the-middle related attacks with this flaw, ensure any linked repositories in maven POMs use https and not http.",
"product_ids": [
"Red Hat build of Quarkus 2.2.3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 2.2.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "maven: Block repositories using http by default"
}
]
}
RHSA-2021:5127
Vulnerability from csaf_redhat - Published: 2021-12-14 18:38 - Updated: 2026-05-23 14:30

A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64 | — | Vendor Fix | |
| Unresolved product id: 8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le | — | Vendor Fix | |
| Unresolved product id: 8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x | — | Vendor Fix | |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64 | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64 | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64 | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64 | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le | — | ||
| Unresolved product id: 8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le | — | ||
A flaw was found in Netty's netty-codec: the Bzip2Decoder does not allow size restrictions to be set for decompressed data. By sending specially crafted input, a remote attacker could cause a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le | — | | Vendor Fix |
| Unresolved product id: 8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x | — | | Vendor Fix |
A flaw was found in Netty's netty-codec due to unrestricted chunk lengths in the SnappyFrameDecoder. By sending specially crafted input, a remote attacker could cause excessive memory usage, resulting in a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64 | — | | Vendor Fix |
| Unresolved product id: 8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le | — | | Vendor Fix |
| Unresolved product id: 8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x | — | | Vendor Fix |
A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters can execute arbitrary code on the server via a JNDI LDAP endpoint.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64 | — | | Vendor Fix; Workaround |
| Unresolved product id: 8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le | — | | Vendor Fix; Workaround |
| Unresolved product id: 8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x | — | | Vendor Fix; Workaround |
A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern, resulting in remote code execution (RCE) in a limited number of environments.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64 | — | | Vendor Fix; Workaround |
| Unresolved product id: 8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le | — | | Vendor Fix; Workaround |
| Unresolved product id: 8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x | — | | Vendor Fix; Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for OpenShift Logging 5.2.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Openshift Logging Security and Bug Fix Release (5.2.4)\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n\n* netty: Request smuggling via content-length header (CVE-2021-21409)\n\n* netty-codec: Bzip2Decoder doesn\u0027t allow setting size restrictions for decompressed data (CVE-2021-37136)\n\n* netty-codec: SnappyFrameDecoder doesn\u0027t restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2021:5127",
"url": "https://access.redhat.com/errata/RHSA-2021:5127"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009",
"url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009"
},
{
"category": "external",
"summary": "1944888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944888"
},
{
"category": "external",
"summary": "2004133",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004133"
},
{
"category": "external",
"summary": "2004135",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004135"
},
{
"category": "external",
"summary": "2030932",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932"
},
{
"category": "external",
"summary": "LOG-1775",
"url": "https://issues.redhat.com/browse/LOG-1775"
},
{
"category": "external",
"summary": "LOG-1824",
"url": "https://issues.redhat.com/browse/LOG-1824"
},
{
"category": "external",
"summary": "LOG-1963",
"url": "https://issues.redhat.com/browse/LOG-1963"
},
{
"category": "external",
"summary": "LOG-1970",
"url": "https://issues.redhat.com/browse/LOG-1970"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5127.json"
}
],
"title": "Red Hat Security Advisory: Openshift Logging security and bug update (5.2.4)",
"tracking": {
"current_release_date": "2026-05-23T14:30:40+00:00",
"generator": {
"date": "2026-05-23T14:30:40+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2021:5127",
"initial_release_date": "2021-12-14T18:38:45+00:00",
"revision_history": [
{
"date": "2021-12-14T18:38:45+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2021-12-14T18:38:45+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-23T14:30:40+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Logging 5.2",
"product": {
"name": "OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:logging:5.2::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x",
"product": {
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x",
"product_id": "openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x",
"product_identification_helper": {
"purl": "pkg:oci/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-rhel8-operator\u0026tag=v5.2.4-4"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x",
"product": {
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x",
"product_id": "openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-rhel8-operator\u0026tag=v5.2.4-4"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x",
"product": {
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x",
"product_id": "openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-proxy-rhel8\u0026tag=v1.0.0-67"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x",
"product": {
"name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x",
"product_id": "openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x",
"product_identification_helper": {
"purl": "pkg:oci/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/log-file-metric-exporter-rhel8\u0026tag=v1.0.0-44"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x",
"product": {
"name": "openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x",
"product_id": "openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x",
"product_identification_helper": {
"purl": "pkg:oci/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/logging-curator5-rhel8\u0026tag=v5.8.1-47"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x",
"product": {
"name": "openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x",
"product_id": "openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch6-rhel8\u0026tag=v6.8.1-66"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x",
"product": {
"name": "openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x",
"product_id": "openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x",
"product_identification_helper": {
"purl": "pkg:oci/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/eventrouter-rhel8\u0026tag=v0.3.0-64"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x",
"product": {
"name": "openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x",
"product_id": "openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x",
"product_identification_helper": {
"purl": "pkg:oci/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/fluentd-rhel8\u0026tag=v1.7.4-71"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x",
"product": {
"name": "openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x",
"product_id": "openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/kibana6-rhel8\u0026tag=v6.8.1-74"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le",
"product": {
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le",
"product_id": "openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-rhel8-operator\u0026tag=v5.2.4-4"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le",
"product": {
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le",
"product_id": "openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-rhel8-operator\u0026tag=v5.2.4-4"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le",
"product": {
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le",
"product_id": "openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-proxy-rhel8\u0026tag=v1.0.0-67"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le",
"product": {
"name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le",
"product_id": "openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/log-file-metric-exporter-rhel8\u0026tag=v1.0.0-44"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le",
"product": {
"name": "openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le",
"product_id": "openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/logging-curator5-rhel8\u0026tag=v5.8.1-47"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le",
"product": {
"name": "openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le",
"product_id": "openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch6-rhel8\u0026tag=v6.8.1-66"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le",
"product": {
"name": "openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le",
"product_id": "openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/eventrouter-rhel8\u0026tag=v0.3.0-64"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le",
"product": {
"name": "openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le",
"product_id": "openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/fluentd-rhel8\u0026tag=v1.7.4-71"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le",
"product": {
"name": "openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le",
"product_id": "openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/kibana6-rhel8\u0026tag=v6.8.1-74"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64",
"product": {
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64",
"product_id": "openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-rhel8-operator\u0026tag=v5.2.4-4"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64",
"product": {
"name": "openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64",
"product_id": "openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-operator-bundle\u0026tag=v5.2.4-17"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64",
"product": {
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64",
"product_id": "openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-rhel8-operator\u0026tag=v5.2.4-4"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64",
"product": {
"name": "openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64",
"product_id": "openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-operator-bundle\u0026tag=v5.2.4-17"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64",
"product": {
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64",
"product_id": "openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-proxy-rhel8\u0026tag=v1.0.0-67"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64",
"product": {
"name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64",
"product_id": "openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64",
"product_identification_helper": {
"purl": "pkg:oci/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/log-file-metric-exporter-rhel8\u0026tag=v1.0.0-44"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64",
"product": {
"name": "openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64",
"product_id": "openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64",
"product_identification_helper": {
"purl": "pkg:oci/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/logging-curator5-rhel8\u0026tag=v5.8.1-47"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64",
"product": {
"name": "openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64",
"product_id": "openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch6-rhel8\u0026tag=v6.8.1-66"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64",
"product": {
"name": "openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64",
"product_id": "openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64",
"product_identification_helper": {
"purl": "pkg:oci/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/eventrouter-rhel8\u0026tag=v0.3.0-64"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64",
"product": {
"name": "openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64",
"product_id": "openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64",
"product_identification_helper": {
"purl": "pkg:oci/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/fluentd-rhel8\u0026tag=v1.7.4-71"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64",
"product": {
"name": "openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64",
"product_id": "openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/kibana6-rhel8\u0026tag=v6.8.1-74"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64 as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64"
},
"product_reference": "openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x"
},
"product_reference": "openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le"
},
"product_reference": "openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64 as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64"
},
"product_reference": "openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64 as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64"
},
"product_reference": "openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64 as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64"
},
"product_reference": "openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x"
},
"product_reference": "openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le"
},
"product_reference": "openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le"
},
"product_reference": "openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64 as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64"
},
"product_reference": "openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x"
},
"product_reference": "openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64 as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64"
},
"product_reference": "openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le"
},
"product_reference": "openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x"
},
"product_reference": "openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le"
},
"product_reference": "openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64 as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64"
},
"product_reference": "openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x"
},
"product_reference": "openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64 as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64"
},
"product_reference": "openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le"
},
"product_reference": "openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x"
},
"product_reference": "openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64 as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64"
},
"product_reference": "openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le"
},
"product_reference": "openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x"
},
"product_reference": "openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x"
},
"product_reference": "openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64 as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64"
},
"product_reference": "openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le"
},
"product_reference": "openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64 as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64"
},
"product_reference": "openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x"
},
"product_reference": "openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le as a component of OpenShift Logging 5.2",
"product_id": "8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le"
},
"product_reference": "openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-21409",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-03-30T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1944888"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: Request smuggling via content-length header",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite ships a vulnerable Netty version embedded in Candlepin. However, it is not directly vulnerable since the HTTP requests are handled by Tomcat and not by Netty.\nRed Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nIn OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec-http package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x"
],
"known_not_affected": [
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-21409"
},
{
"category": "external",
"summary": "RHBZ#1944888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944888"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-21409",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21409"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32",
"url": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32"
}
],
"release_date": "2021-03-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-12-14T18:38:45+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nFor Red Hat OpenShift Logging 5.2, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html",
"product_ids": [
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:5127"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty: Request smuggling via content-length header"
},
{
"cve": "CVE-2021-37136",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-09-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2004133"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty\u0027s netty-codec due to size restrictions for decompressed data in the Bzip2Decoder. By sending a specially-crafted input, a remote attacker could cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty-codec: Bzip2Decoder doesn\u0027t allow setting size restrictions for decompressed data",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack ship the vulnerable version of netty-codec package. Since the release of OCP 4.6, the Metering product has been deprecated [1], so the affected components are marked as wontfix. This may be fixed in the future.\n\nStarting in OCP 4.7, the elasticsearch component is shipping as a part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as `Out of support scope` because these versions are already under Maintenance Phase of the support.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x"
],
"known_not_affected": [
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-37136"
},
{
"category": "external",
"summary": "RHBZ#2004133",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004133"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-37136",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37136"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37136",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37136"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv",
"url": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv"
}
],
"release_date": "2021-09-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-12-14T18:38:45+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nFor Red Hat OpenShift Logging 5.2, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html",
"product_ids": [
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:5127"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty-codec: Bzip2Decoder doesn\u0027t allow setting size restrictions for decompressed data"
},
{
"cve": "CVE-2021-37137",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-09-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2004135"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty\u0027s netty-codec due to unrestricted chunk lengths in the SnappyFrameDecoder. By sending specially crafted input, a remote attacker could cause excessive memory usage, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty-codec: SnappyFrameDecoder doesn\u0027t restrict chunk length and may buffer skippable chunks in an unnecessary way",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack ship the vulnerable version of the netty-codec package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\nStarting in OCP 4.7, the elasticsearch component is shipping as a part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as `Out of support scope` because these versions are already in the Maintenance Phase of support.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x"
],
"known_not_affected": [
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-37137"
},
{
"category": "external",
"summary": "RHBZ#2004135",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004135"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-37137",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37137"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37137",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37137"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv",
"url": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv"
}
],
"release_date": "2021-09-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-12-14T18:38:45+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nFor Red Hat OpenShift Logging 5.2, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html",
"product_ids": [
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:5127"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty-codec: SnappyFrameDecoder doesn\u0027t restrict chunk length and may buffer skippable chunks in an unnecessary way"
},
{
"cve": "CVE-2021-44228",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-12-10T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2030932"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 up to, but not including, 2.15.0. A remote attacker who can control log messages or log message parameters can execute arbitrary code on the server via a JNDI LDAP endpoint.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc.) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker-controlled data.\n\nIn Red Hat OpenShift Logging the vulnerable log4j library is shipped in the Elasticsearch components. Because Elasticsearch is not susceptible to remote code execution with this vulnerability due to use of the Java Security Manager and because access to these components is limited, the impact of this vulnerability is reduced to Moderate.\n\nAs per upstream, applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI. However, the risk is much lower. This flaw in Log4j 1.x is tracked via https://access.redhat.com/security/cve/CVE-2021-4104 and has been rated as having Moderate security impact.\n\nCodeReady Studio version 12.21.1 was released containing a fix for this vulnerability.\n\nThe following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.\n- Red Hat Enterprise Linux\n- Red Hat Advanced Cluster Management for Kubernetes\n- Red Hat Advanced Cluster Security for Kubernetes\n- Red Hat Ansible Automation Platform (Engine and Tower)\n- Red Hat Certificate System\n- Red Hat Directory Server\n- Red Hat Identity Management\n- Red Hat CloudForms\n- Red Hat Update Infrastructure\n- Red Hat Satellite\n- Red Hat Ceph Storage\n- Red Hat Gluster Storage\n- Red Hat OpenShift Data Foundation\n- Red Hat OpenStack Platform\n- Red Hat Virtualization\n- Red Hat Single Sign-On\n- Red Hat 3scale API Management",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x"
],
"known_not_affected": [
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44228"
},
{
"category": "external",
"summary": "RHBZ#2030932",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932"
},
{
"category": "external",
"summary": "RHSB-2021-009",
"url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q",
"url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q"
},
{
"category": "external",
"summary": "https://logging.apache.org/log4j/2.x/security.html",
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"category": "external",
"summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/",
"url": "https://www.lunasec.io/docs/blog/log4j-zero-day/"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2021-12-10T02:01:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-12-14T18:38:45+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nFor Red Hat OpenShift Logging 5.2, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html",
"product_ids": [
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:5127"
},
{
"category": "workaround",
"details": "For Log4j versions \u003e=2.10\nset the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true\n\nFor Log4j versions \u003e=2.7 and \u003c=2.14.1\nall PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m\n\nFor Log4j versions \u003e=2.0-beta9 and \u003c=2.10.0\nremove the JndiLookup class from the classpath. For example: \n```\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\n```\n\nOn OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421\n\nOn OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441",
"product_ids": [
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2021-12-10T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Moderate"
}
],
"title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value"
},
{
"cve": "CVE-2021-45046",
"cwe": {
"id": "CWE-917",
"name": "Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)"
},
"discovery_date": "2021-12-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2032580"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true`) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x"
],
"known_not_affected": [
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-45046"
},
{
"category": "external",
"summary": "RHBZ#2032580",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-45046"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2021-44228",
"url": "https://access.redhat.com/security/cve/CVE-2021-44228"
},
{
"category": "external",
"summary": "https://logging.apache.org/log4j/2.x/security.html",
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"category": "external",
"summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4",
"url": "https://www.openwall.com/lists/oss-security/2021/12/14/4"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2021-12-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-12-14T18:38:45+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nFor Red Hat OpenShift Logging 5.2, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html",
"product_ids": [
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:5127"
},
{
"category": "workaround",
"details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).",
"product_ids": [
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-operator-bundle@sha256:0f2ab3b589e2945e2aae7a6d520f1b696c8a95292580c24b659a1579e3c857f6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:82cbec57284b21e914fad6fe3ea8244932a735da4aca2a9c74ced7689767c0b2_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:be71a022fe66b9dca3aecf7df3b9fd81e42f7f46f039ce1ae8778dcc332162e1_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/cluster-logging-rhel8-operator@sha256:e99648fe21236aef69ca9f2def30fc4970983d8835f55fbfe8d5c804ebd0e9b6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-operator-bundle@sha256:9dcc85f510f69be9e97888d5ad32629bc23554c47d8ebe397932933b289a35c2_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:7fdb8b62f8fb7d1469dba362fb1d91239b31437b0be150732845a6e9eb325ef6_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:887c26a6c4356b64c9802fb3b870f79eb98a8f0f2ad1b2bbebd086c936c68fe5_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-proxy-rhel8@sha256:8d8f0cc525b00a39583ba6cdd87253c17487a9366f5fa0d6011d23e5814fd95d_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:5ee8c4ba3f91bcbb3cfa0eb2b91d3f5b04450fa2f0415e46b40b634b280e54c7_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:d8ce76443afdf4361842c2f6da80d939b2bb86081076d41e5bcb1b9858380c43_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch-rhel8-operator@sha256:ef2c1f7249a377b940bbdd2d52e2ab53ed6283f4e4d1290da6bb3edbb2109294_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:33f40783cb6ac656b56a6c64208f38ef17ab8023171321551be2cd14876a1418_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:42152d9ca72d1d7d9e24386f8144382b1c4309e11b179ad18206efa7758d07c6_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/elasticsearch6-rhel8@sha256:c8a03e59904b96bac438e2607094dff1e652c7c42ddbba31006f7760cf17b9d8_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:0796e6b8d8da736d5841d9ddeb076fdc1ca26022643f0e370bfda023f212df39_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:b565f6ce66b74161a0b6dc19246b42754db2c54a01e7f2314994544ccd514f34_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/eventrouter-rhel8@sha256:ce98ee3a74cbabe1a5eb4d2c647389824b1a3ffe7d2051668a1aac9fe1ec2dc7_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:0e10ff493ad914b7011291590e497c27cca51a587d28e9d2bd1bc89154c2b133_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:685d7f18502ac2a24a37cdb9ae74616098d3843f80e9d9f0e8dd27930ca174a9_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/fluentd-rhel8@sha256:7dd06969de6e2d0345fb6595c24526e184030a1d2c50ffae0d201f0bfd33abb4_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:a2d914120d489c00d8d8c40cf9f1fa1ba627c5e386fc113ae9299113dee253ca_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d5c47750ae81e99b3cc4f9f71127cb394b69b747177c08c53768df8b8b52ba65_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/kibana6-rhel8@sha256:d7fa8453d07409cd344cde67e772fb4d2941398b853ce1ea3bcaf6135d5645c1_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:67e23735a1005bb7f06d3f05677bfe8c38bccc5bfc1cc4cf16832ddeda29931a_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:9c2decd7838d0e1a56c27ff7fa8af82ed2ac33d0618240b80d26fd932f5804f2_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/log-file-metric-exporter-rhel8@sha256:cb884b83fecaa7d6f4aae548fd299568edf59feb5d752704dcd4598b1f826ff1_ppc64le",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:1982a509b8a209720b92fba4812a3fcc5ce0e519908cdec876beb92f895699fa_amd64",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:66e46f68e5313e4f58cfd3b6fccb8edeb97a574210bff799d0bd5471b73f9f62_s390x",
"8Base-OSE-LOGGING-5.2:openshift-logging/logging-curator5-rhel8@sha256:d3b3ab31d012a82acb832e705f1a5ba60912d1b32dd035fad9106f1088de35a8_ppc64le"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2023-05-01T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Moderate"
}
],
"title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)"
}
]
}
RHSA-2021:5128
Vulnerability from csaf_redhat - Published: 2021-12-14 18:09 - Updated: 2026-05-23 14:30
A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.
A flaw was found in Netty's netty-codec: the Bzip2Decoder does not allow setting size restrictions for decompressed data. By sending a specially-crafted input, a remote attacker could cause a denial of service.
A flaw was found in Netty's netty-codec due to unrestricted chunk lengths in the SnappyFrameDecoder. By sending a specially-crafted input, a remote attacker could cause excessive memory usage resulting in a denial of service.
A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters can execute arbitrary code on the server via a JNDI LDAP endpoint.
A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern, resulting in remote code execution (RCE) in a limited number of environments.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for OpenShift Logging 5.1.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Openshift Logging Security and Bug Fix Release (5.1.5)\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n\n* netty: Request smuggling via content-length header (CVE-2021-21409)\n\n* netty-codec: Bzip2Decoder doesn\u0027t allow setting size restrictions for decompressed data (CVE-2021-37136)\n\n* netty-codec: SnappyFrameDecoder doesn\u0027t restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2021:5128",
"url": "https://access.redhat.com/errata/RHSA-2021:5128"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009",
"url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009"
},
{
"category": "external",
"summary": "1944888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944888"
},
{
"category": "external",
"summary": "2004133",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004133"
},
{
"category": "external",
"summary": "2004135",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004135"
},
{
"category": "external",
"summary": "2030932",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932"
},
{
"category": "external",
"summary": "LOG-1971",
"url": "https://issues.redhat.com/browse/LOG-1971"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5128.json"
}
],
"title": "Red Hat Security Advisory: Openshift Logging security and bug update (5.1.5)",
"tracking": {
"current_release_date": "2026-05-23T14:30:40+00:00",
"generator": {
"date": "2026-05-23T14:30:40+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2021:5128",
"initial_release_date": "2021-12-14T18:09:12+00:00",
"revision_history": [
{
"date": "2021-12-14T18:09:12+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2021-12-14T18:09:12+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-23T14:30:40+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Logging 5.1",
"product": {
"name": "OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:logging:5.1::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x",
"product": {
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x",
"product_id": "openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x",
"product_identification_helper": {
"purl": "pkg:oci/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-rhel8-operator\u0026tag=v5.1.5-3"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x",
"product": {
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x",
"product_id": "openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-rhel8-operator\u0026tag=v5.1.5-3"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x",
"product": {
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x",
"product_id": "openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-proxy-rhel8\u0026tag=v1.0.0-68"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x",
"product": {
"name": "openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x",
"product_id": "openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch6-rhel8\u0026tag=v6.8.1-67"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x",
"product": {
"name": "openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x",
"product_id": "openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x",
"product_identification_helper": {
"purl": "pkg:oci/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/eventrouter-rhel8\u0026tag=v0.3.0-65"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x",
"product": {
"name": "openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x",
"product_id": "openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x",
"product_identification_helper": {
"purl": "pkg:oci/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/fluentd-rhel8\u0026tag=v1.7.4-72"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x",
"product": {
"name": "openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x",
"product_id": "openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/kibana6-rhel8\u0026tag=v6.8.1-75"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le",
"product": {
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le",
"product_id": "openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-rhel8-operator\u0026tag=v5.1.5-3"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le",
"product": {
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le",
"product_id": "openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-rhel8-operator\u0026tag=v5.1.5-3"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le",
"product": {
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le",
"product_id": "openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-proxy-rhel8\u0026tag=v1.0.0-68"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le",
"product": {
"name": "openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le",
"product_id": "openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch6-rhel8\u0026tag=v6.8.1-67"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le",
"product": {
"name": "openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le",
"product_id": "openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/eventrouter-rhel8\u0026tag=v0.3.0-65"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le",
"product": {
"name": "openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le",
"product_id": "openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/fluentd-rhel8\u0026tag=v1.7.4-72"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le",
"product": {
"name": "openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le",
"product_id": "openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/kibana6-rhel8\u0026tag=v6.8.1-75"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64",
"product": {
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64",
"product_id": "openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-rhel8-operator\u0026tag=v5.1.5-3"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64",
"product": {
"name": "openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64",
"product_id": "openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-operator-bundle\u0026tag=v5.1.5-9"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64",
"product": {
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64",
"product_id": "openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-rhel8-operator\u0026tag=v5.1.5-3"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64",
"product": {
"name": "openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64",
"product_id": "openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-operator-bundle\u0026tag=v5.1.5-10"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64",
"product": {
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64",
"product_id": "openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-proxy-rhel8\u0026tag=v1.0.0-68"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64",
"product": {
"name": "openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64",
"product_id": "openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch6-rhel8\u0026tag=v6.8.1-67"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64",
"product": {
"name": "openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64",
"product_id": "openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64",
"product_identification_helper": {
"purl": "pkg:oci/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/eventrouter-rhel8\u0026tag=v0.3.0-65"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64",
"product": {
"name": "openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64",
"product_id": "openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/fluentd-rhel8\u0026tag=v1.7.4-72"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64",
"product": {
"name": "openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64",
"product_id": "openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/kibana6-rhel8\u0026tag=v6.8.1-75"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64 as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64"
},
"product_reference": "openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x"
},
"product_reference": "openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le"
},
"product_reference": "openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64 as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64"
},
"product_reference": "openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64 as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64"
},
"product_reference": "openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x"
},
"product_reference": "openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64 as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64"
},
"product_reference": "openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le"
},
"product_reference": "openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x"
},
"product_reference": "openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le"
},
"product_reference": "openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64 as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64"
},
"product_reference": "openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x"
},
"product_reference": "openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64 as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64"
},
"product_reference": "openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le"
},
"product_reference": "openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64 as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64"
},
"product_reference": "openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le"
},
"product_reference": "openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x"
},
"product_reference": "openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64 as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64"
},
"product_reference": "openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x"
},
"product_reference": "openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le"
},
"product_reference": "openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x"
},
"product_reference": "openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le"
},
"product_reference": "openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64 as a component of OpenShift Logging 5.1",
"product_id": "8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64"
},
"product_reference": "openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-21409",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-03-30T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1944888"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: Request smuggling via content-length header",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite ships a vulnerable Netty version embedded in Candlepin. However, it is not directly vulnerable since the HTTP requests are handled by Tomcat and not by Netty.\nRed Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nIn OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec-http package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le"
],
"known_not_affected": [
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-21409"
},
{
"category": "external",
"summary": "RHBZ#1944888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944888"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-21409",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21409"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32",
"url": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32"
}
],
"release_date": "2021-03-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-12-14T18:09:12+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nFor Red Hat OpenShift Logging 5.1, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.8/logging/cluster-logging-upgrading.html",
"product_ids": [
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:5128"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty: Request smuggling via content-length header"
},
{
"cve": "CVE-2021-37136",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-09-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2004133"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty\u0027s netty-codec due to size restrictions for decompressed data in the Bzip2Decoder. By sending a specially-crafted input, a remote attacker could cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty-codec: Bzip2Decoder doesn\u0027t allow setting size restrictions for decompressed data",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack ship the vulnerable version of netty-codec package. Since the release of OCP 4.6, the Metering product has been deprecated [1], so the affected components are marked as wontfix. This may be fixed in the future.\n\nStarting in OCP 4.7, the elasticsearch component is shipping as a part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as `Out of support scope` because these versions are already under Maintenance Phase of the support.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le"
],
"known_not_affected": [
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-37136"
},
{
"category": "external",
"summary": "RHBZ#2004133",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004133"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-37136",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37136"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37136",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37136"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv",
"url": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv"
}
],
"release_date": "2021-09-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-12-14T18:09:12+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nFor Red Hat OpenShift Logging 5.1, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.8/logging/cluster-logging-upgrading.html",
"product_ids": [
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:5128"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty-codec: Bzip2Decoder doesn\u0027t allow setting size restrictions for decompressed data"
},
{
"cve": "CVE-2021-37137",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-09-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2004135"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Netty\u0027s netty-codec due to unrestricted chunk lengths in the SnappyFrameDecoder. By sending a specially-crafted input, a remote attacker could cause excessive memory usage resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty-codec: SnappyFrameDecoder doesn\u0027t restrict chunk length and may buffer skippable chunks in an unnecessary way",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\nStarting in OCP 4.7, the elasticsearch component is shipping as a part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as `Out of support scope` because these versions are already under Maintenance Phase of the support.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le"
],
"known_not_affected": [
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-37137"
},
{
"category": "external",
"summary": "RHBZ#2004135",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004135"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-37137",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37137"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37137",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37137"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv",
"url": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv"
}
],
"release_date": "2021-09-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-12-14T18:09:12+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nFor Red Hat OpenShift Logging 5.1, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.8/logging/cluster-logging-upgrading.html",
"product_ids": [
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:5128"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty-codec: SnappyFrameDecoder doesn\u0027t restrict chunk length and may buffer skippable chunks in an unnecessary way"
},
{
"cve": "CVE-2021-44228",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-12-10T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2030932"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n\nIn Red Hat OpenShift Logging the vulnerable log4j library is shipped in the Elasticsearch components. Because Elasticsearch is not susceptible to remote code execution with this vulnerability due to use of the Java Security Manager and because access to these components is limited, the impact by this vulnerability is reduced to Moderate.\n\nAs per upstream applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI. However, the risk is much lower. This flaw in Log4j 1.x is tracked via https://access.redhat.com/security/cve/CVE-2021-4104 and has been rated as having Moderate security impact.\n\nCodeReady Studio version 12.21.1 was released containing a fix for this vulnerability.\n\nThe following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.\n- Red Hat Enterprise Linux\n- Red Hat Advanced Cluster Management for Kubernetes \n- Red Hat Advanced Cluster Security for Kubernetes\n- Red Hat Ansible Automation Platform (Engine and Tower)\n- Red Hat Certificate System\n- Red Hat Directory Server\n- Red Hat Identity Management\n- Red Hat CloudForms \n- Red Hat Update Infrastructure\n- Red Hat Satellite\n- Red Hat Ceph Storage\n- Red Hat Gluster Storage\n- Red Hat OpenShift Data Foundation\n- Red Hat OpenStack Platform\n- Red Hat Virtualization\n- Red Hat Single Sign-On\n- Red Hat 3scale API Management",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le"
],
"known_not_affected": [
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44228"
},
{
"category": "external",
"summary": "RHBZ#2030932",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932"
},
{
"category": "external",
"summary": "RHSB-2021-009",
"url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q",
"url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q"
},
{
"category": "external",
"summary": "https://logging.apache.org/log4j/2.x/security.html",
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"category": "external",
"summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/",
"url": "https://www.lunasec.io/docs/blog/log4j-zero-day/"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2021-12-10T02:01:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-12-14T18:09:12+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nFor Red Hat OpenShift Logging 5.1, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.8/logging/cluster-logging-upgrading.html",
"product_ids": [
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:5128"
},
{
"category": "workaround",
"details": "For Log4j versions \u003e=2.10\nset the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true\n\nFor Log4j versions \u003e=2.7 and \u003c=2.14.1\nall PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m\n\nFor Log4j versions \u003e=2.0-beta9 and \u003c=2.10.0\nremove the JndiLookup class from the classpath. For example: \n```\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\n```\n\nOn OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421\n\nOn OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441",
"product_ids": [
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2021-12-10T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Moderate"
}
],
"title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value"
},
{
"cve": "CVE-2021-45046",
"cwe": {
"id": "CWE-917",
"name": "Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)"
},
"discovery_date": "2021-12-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2032580"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.formatMsgNoLookups` to `true`) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le"
],
"known_not_affected": [
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-45046"
},
{
"category": "external",
"summary": "RHBZ#2032580",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-45046"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2021-44228",
"url": "https://access.redhat.com/security/cve/CVE-2021-44228"
},
{
"category": "external",
"summary": "https://logging.apache.org/log4j/2.x/security.html",
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"category": "external",
"summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4",
"url": "https://www.openwall.com/lists/oss-security/2021/12/14/4"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2021-12-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-12-14T18:09:12+00:00",
"details": "For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nFor Red Hat OpenShift Logging 5.1, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.8/logging/cluster-logging-upgrading.html",
"product_ids": [
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:5128"
},
{
"category": "workaround",
"details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).",
"product_ids": [
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-operator-bundle@sha256:9ff35e6d560796a50b470c75ba6862cc79c6d9e30074e4a3f2c606fae3722956_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:64a4376815864ae9b521396b510a0d1627665142b14cd3c2e3aa9452231a542e_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:70aca191fa4fe95e857f8cba3925d88e9965e8c868c6362e00ad0ce912360a99_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/cluster-logging-rhel8-operator@sha256:76573c99dcd3f44e6bc81b018867ee3bfe3c33ea1878c63675a39e85b4c72de5_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-operator-bundle@sha256:862602f0b5cf3dc1bdd69f236d09a4bf1630fdd77e7faf30a1f4858558360202_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:09eb62fb9c67251f67cf13bbd840c274d879285cb3151e4540df5c9e286debff_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:551c671792f1d97cf00b1c52b8645d6aa734655bc834f280013408e2d6101b81_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-proxy-rhel8@sha256:c57ce065696844f5c5d0e09969d228f79423b2d1d2f97a5a539c87fb3de63793_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:0807527589e608dec6aa6f94cccac8cf89331a86cdb193139f88c375604c9afe_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:2467fb3d733e318b3ce1474301361af0247580b7abf9b8b2d3482707d0272949_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch-rhel8-operator@sha256:5e9ed1c4e59daccc7ed0a3418900f8088f8307016311b670e7d23be304b61f36_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:315b9b9057b2893d0e14fe7c3e2809066ce90b5b42863934de93734ee26d212c_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:711054937975c1e7061381bdcadd90ca8192648624888b6ba999dbedf616f8ed_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/elasticsearch6-rhel8@sha256:fca86030c0886e0c41d4000d4907e6a58717b95c206d34dba5197d44aa8d6d02_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:b85c8866c068409bee0b7f162e3a5f04c075c221d04bc7f6347ca3f9e022840a_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:c47fda436df07eaab5a3878c37c43b6ce401c216f5207a6d9b2d1017d5ad1a62_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/eventrouter-rhel8@sha256:cb3c3b89d3969a1ffe6b11b343cda4c074f3f87572dfc2b6b4d681802b4c420c_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:623dd6d9c57ed7c44e57f5f7ddfbc5b16dc986b86a20188781ebefdde9f87f0d_amd64",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:760f9ed42e7634fc246fc638985802d84df561d87c80628ba7bf7db8543e0007_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/fluentd-rhel8@sha256:8a21d9ea3bcc997ddaa38cf7115b8ad982d9e019beece3dd52a027aeaf211c3e_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:2d9f4a1319755cdfdf5e1cf8bd7a12edc6e17b5a85fef5f10a067e5a936a095b_s390x",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:b3cdddf65666934636aa6a6a7cf3c9f00d4f793cfb0b9eef8e0aacf04b6fb7c0_ppc64le",
"8Base-OSE-LOGGING-5.1:openshift-logging/kibana6-rhel8@sha256:f68496878ed86375e0d28d4b01d1686e1af078582710576fcb8a1a4b7c6ec20f_amd64"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2023-05-01T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Moderate"
}
],
"title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)"
}
]
}
RHSA-2021:5129
Vulnerability from csaf_redhat - Published: 2021-12-14 19:37 - Updated: 2026-05-23 14:30
A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le | — | | Vendor Fix (fix) |
A flaw was found in Netty's netty-codec due to size restrictions for decompressed data in the Bzip2Decoder. By sending a specially-crafted input, a remote attacker could cause a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le | — | | Vendor Fix (fix) |
A flaw was found in Netty's netty-codec due to unrestricted chunk lengths in the SnappyFrameDecoder. By sending a specially-crafted input, a remote attacker could cause excessive memory usage resulting in a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64 | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x | — | | Vendor Fix (fix) |
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le | — | | Vendor Fix (fix) |
A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters can execute arbitrary code on the server via a JNDI LDAP endpoint.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64 | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x | — | | Vendor Fix (fix); Workaround |
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le | — | | Vendor Fix (fix); Workaround |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64 | — | | Workaround |
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le | — | | Workaround |
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x | — | | Workaround |
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64 | — | | Workaround |
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64 | — | | Workaround |
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x | — | | Workaround |
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64 | — | | Workaround |
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le | — | | Workaround |
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le | — | | Workaround |
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64 | — | | Workaround |
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x | — | | Workaround |
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x | — | | Workaround |
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64 | — | | Workaround |
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x | — |
Workaround
|
A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for OpenShift Logging 5.3.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Openshift Logging Security and Bug Fix Release (5.3.1)\n\nSecurity Fix(es):\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228)\n\n* netty: Request smuggling via content-length header (CVE-2021-21409)\n\n* netty-codec: Bzip2Decoder doesn\u0027t allow setting size restrictions for decompressed data (CVE-2021-37136)\n\n* netty-codec: SnappyFrameDecoder doesn\u0027t restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2021:5129",
"url": "https://access.redhat.com/errata/RHSA-2021:5129"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009",
"url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009"
},
{
"category": "external",
"summary": "1944888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944888"
},
{
"category": "external",
"summary": "2004133",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004133"
},
{
"category": "external",
"summary": "2004135",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004135"
},
{
"category": "external",
"summary": "2030932",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932"
},
{
"category": "external",
"summary": "LOG-1897",
"url": "https://issues.redhat.com/browse/LOG-1897"
},
{
"category": "external",
"summary": "LOG-1925",
"url": "https://issues.redhat.com/browse/LOG-1925"
},
{
"category": "external",
"summary": "LOG-1962",
"url": "https://issues.redhat.com/browse/LOG-1962"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_5129.json"
}
],
"title": "Red Hat Security Advisory: Openshift Logging security and bug update (5.3.1)",
"tracking": {
"current_release_date": "2026-05-23T14:30:42+00:00",
"generator": {
"date": "2026-05-23T14:30:42+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2021:5129",
"initial_release_date": "2021-12-14T19:37:00+00:00",
"revision_history": [
{
"date": "2021-12-14T19:37:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2021-12-14T19:37:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-23T14:30:42+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Logging 5.3",
"product": {
"name": "OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:logging:5.3::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x",
"product": {
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x",
"product_id": "openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x",
"product_identification_helper": {
"purl": "pkg:oci/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-rhel8-operator\u0026tag=v5.3.1-4"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x",
"product": {
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x",
"product_id": "openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-rhel8-operator\u0026tag=v5.3.1-3"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x",
"product": {
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x",
"product_id": "openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-proxy-rhel8\u0026tag=v1.0.0-66"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x",
"product": {
"name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x",
"product_id": "openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x",
"product_identification_helper": {
"purl": "pkg:oci/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/log-file-metric-exporter-rhel8\u0026tag=v1.0.0-43"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x",
"product": {
"name": "openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x",
"product_id": "openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x",
"product_identification_helper": {
"purl": "pkg:oci/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/logging-curator5-rhel8\u0026tag=v5.8.1-46"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x",
"product": {
"name": "openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x",
"product_id": "openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch6-rhel8\u0026tag=v6.8.1-65"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x",
"product": {
"name": "openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x",
"product_id": "openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x",
"product_identification_helper": {
"purl": "pkg:oci/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/eventrouter-rhel8\u0026tag=v0.3.0-63"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x",
"product": {
"name": "openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x",
"product_id": "openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x",
"product_identification_helper": {
"purl": "pkg:oci/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/fluentd-rhel8\u0026tag=v1.7.4-70"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x",
"product": {
"name": "openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x",
"product_id": "openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258?arch=s390x\u0026repository_url=registry.redhat.io/openshift-logging/kibana6-rhel8\u0026tag=v6.8.1-73"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le",
"product": {
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le",
"product_id": "openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-rhel8-operator\u0026tag=v5.3.1-4"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le",
"product": {
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le",
"product_id": "openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-rhel8-operator\u0026tag=v5.3.1-3"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le",
"product": {
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le",
"product_id": "openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-proxy-rhel8\u0026tag=v1.0.0-66"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le",
"product": {
"name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le",
"product_id": "openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/log-file-metric-exporter-rhel8\u0026tag=v1.0.0-43"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le",
"product": {
"name": "openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le",
"product_id": "openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/logging-curator5-rhel8\u0026tag=v5.8.1-46"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le",
"product": {
"name": "openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le",
"product_id": "openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch6-rhel8\u0026tag=v6.8.1-65"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le",
"product": {
"name": "openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le",
"product_id": "openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/eventrouter-rhel8\u0026tag=v0.3.0-63"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le",
"product": {
"name": "openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le",
"product_id": "openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/fluentd-rhel8\u0026tag=v1.7.4-70"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le",
"product": {
"name": "openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le",
"product_id": "openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-logging/kibana6-rhel8\u0026tag=v6.8.1-73"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64",
"product": {
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64",
"product_id": "openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-rhel8-operator\u0026tag=v5.3.1-4"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64",
"product": {
"name": "openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64",
"product_id": "openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64",
"product_identification_helper": {
"purl": "pkg:oci/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/cluster-logging-operator-bundle\u0026tag=v5.3.1-12"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64",
"product": {
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64",
"product_id": "openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-rhel8-operator\u0026tag=v5.3.1-3"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64",
"product": {
"name": "openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64",
"product_id": "openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-operator-bundle\u0026tag=v5.3.1-12"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64",
"product": {
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64",
"product_id": "openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch-proxy-rhel8\u0026tag=v1.0.0-66"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64",
"product": {
"name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64",
"product_id": "openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64",
"product_identification_helper": {
"purl": "pkg:oci/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/log-file-metric-exporter-rhel8\u0026tag=v1.0.0-43"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64",
"product": {
"name": "openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64",
"product_id": "openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64",
"product_identification_helper": {
"purl": "pkg:oci/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/logging-curator5-rhel8\u0026tag=v5.8.1-46"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64",
"product": {
"name": "openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64",
"product_id": "openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64",
"product_identification_helper": {
"purl": "pkg:oci/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/elasticsearch6-rhel8\u0026tag=v6.8.1-65"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64",
"product": {
"name": "openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64",
"product_id": "openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64",
"product_identification_helper": {
"purl": "pkg:oci/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/eventrouter-rhel8\u0026tag=v0.3.0-63"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64",
"product": {
"name": "openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64",
"product_id": "openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64",
"product_identification_helper": {
"purl": "pkg:oci/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/fluentd-rhel8\u0026tag=v1.7.4-70"
}
}
},
{
"category": "product_version",
"name": "openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64",
"product": {
"name": "openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64",
"product_id": "openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0?arch=amd64\u0026repository_url=registry.redhat.io/openshift-logging/kibana6-rhel8\u0026tag=v6.8.1-73"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64 as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64"
},
"product_reference": "openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le"
},
"product_reference": "openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x"
},
"product_reference": "openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64 as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64"
},
"product_reference": "openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64 as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64"
},
"product_reference": "openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x"
},
"product_reference": "openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64 as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64"
},
"product_reference": "openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le"
},
"product_reference": "openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le"
},
"product_reference": "openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64 as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64"
},
"product_reference": "openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x"
},
"product_reference": "openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64 as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64"
},
"product_reference": "openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x"
},
"product_reference": "openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le"
},
"product_reference": "openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x"
},
"product_reference": "openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64 as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64"
},
"product_reference": "openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le"
},
"product_reference": "openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le"
},
"product_reference": "openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x"
},
"product_reference": "openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64 as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64"
},
"product_reference": "openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x"
},
"product_reference": "openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le"
},
"product_reference": "openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64 as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64"
},
"product_reference": "openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le"
},
"product_reference": "openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x"
},
"product_reference": "openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64 as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64"
},
"product_reference": "openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le"
},
"product_reference": "openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64 as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64"
},
"product_reference": "openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x as a component of OpenShift Logging 5.3",
"product_id": "8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x"
},
"product_reference": "openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x",
"relates_to_product_reference": "8Base-OSE-LOGGING-5.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-21409",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2021-03-30T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1944888"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: Request smuggling via content-length header",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite ships a vulnerable Netty version embedded in Candlepin. However, it is not directly vulnerable since the HTTP requests are handled by Tomcat and not by Netty.\nRed Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nIn OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec-http package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le"
],
"known_not_affected": [
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-21409"
},
{
"category": "external",
"summary": "RHBZ#1944888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944888"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-21409",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21409"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32",
"url": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32"
}
],
"release_date": "2021-03-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-12-14T19:37:00+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html\n\nFor Red Hat OpenShift Logging 5.3, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.9/logging/cluster-logging-upgrading.html",
"product_ids": [
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:5129"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty: Request smuggling via content-length header"
},
{
"cve": "CVE-2021-37136",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-09-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2004133"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty\u0027s netty-codec due to size restrictions for decompressed data in the Bzip2Decoder. By sending a specially-crafted input, a remote attacker could cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty-codec: Bzip2Decoder doesn\u0027t allow setting size restrictions for decompressed data",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack ship the vulnerable version of netty-codec package. Since the release of OCP 4.6, the Metering product has been deprecated [1], so the affected components are marked as wontfix. This may be fixed in the future.\n\nStarting in OCP 4.7, the elasticsearch component is shipping as a part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as `Out of support scope` because these versions are already under Maintenance Phase of the support.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le"
],
"known_not_affected": [
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-37136"
},
{
"category": "external",
"summary": "RHBZ#2004133",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004133"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-37136",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37136"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37136",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37136"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv",
"url": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv"
}
],
"release_date": "2021-09-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-12-14T19:37:00+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html\n\nFor Red Hat OpenShift Logging 5.3, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.9/logging/cluster-logging-upgrading.html",
"product_ids": [
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:5129"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty-codec: Bzip2Decoder doesn\u0027t allow setting size restrictions for decompressed data"
},
{
"cve": "CVE-2021-37137",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-09-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2004135"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Netty\u0027s netty-codec due to unrestricted chunk lengths in the SnappyFrameDecoder. By sending a specially-crafted input, a remote attacker could cause excessive memory usage resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty-codec: SnappyFrameDecoder doesn\u0027t restrict chunk length and may buffer skippable chunks in an unnecessary way",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\nStarting in OCP 4.7, the elasticsearch component is shipping as a part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as `Out of support scope` because these versions are already under Maintenance Phase of the support.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le"
],
"known_not_affected": [
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-37137"
},
{
"category": "external",
"summary": "RHBZ#2004135",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2004135"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-37137",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37137"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37137",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37137"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv",
"url": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv"
}
],
"release_date": "2021-09-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-12-14T19:37:00+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html\n\nFor Red Hat OpenShift Logging 5.3, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.9/logging/cluster-logging-upgrading.html",
"product_ids": [
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:5129"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty-codec: SnappyFrameDecoder doesn\u0027t restrict chunk length and may buffer skippable chunks in an unnecessary way"
},
{
"cve": "CVE-2021-44228",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-12-10T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2030932"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n\nIn Red Hat OpenShift Logging the vulnerable log4j library is shipped in the Elasticsearch components. Because Elasticsearch is not susceptible to remote code execution with this vulnerability due to use of the Java Security Manager and because access to these components is limited, the impact by this vulnerability is reduced to Moderate.\n\nAs per upstream applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI. However, the risk is much lower. This flaw in Log4j 1.x is tracked via https://access.redhat.com/security/cve/CVE-2021-4104 and has been rated as having Moderate security impact.\n\nCodeReady Studio version 12.21.1 was released containing a fix for this vulnerability.\n\nThe following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.\n- Red Hat Enterprise Linux\n- Red Hat Advanced Cluster Management for Kubernetes \n- Red Hat Advanced Cluster Security for Kubernetes\n- Red Hat Ansible Automation Platform (Engine and Tower)\n- Red Hat Certificate System\n- Red Hat Directory Server\n- Red Hat Identity Management\n- Red Hat CloudForms \n- Red Hat Update Infrastructure\n- Red Hat Satellite\n- Red Hat Ceph Storage\n- Red Hat Gluster Storage\n- Red Hat OpenShift Data Foundation\n- Red Hat OpenStack Platform\n- Red Hat Virtualization\n- Red Hat Single Sign-On\n- Red Hat 3scale API Management",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le"
],
"known_not_affected": [
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44228"
},
{
"category": "external",
"summary": "RHBZ#2030932",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932"
},
{
"category": "external",
"summary": "RHSB-2021-009",
"url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q",
"url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q"
},
{
"category": "external",
"summary": "https://logging.apache.org/log4j/2.x/security.html",
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"category": "external",
"summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/",
"url": "https://www.lunasec.io/docs/blog/log4j-zero-day/"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2021-12-10T02:01:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-12-14T19:37:00+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html\n\nFor Red Hat OpenShift Logging 5.3, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.9/logging/cluster-logging-upgrading.html",
"product_ids": [
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:5129"
},
{
"category": "workaround",
"details": "For Log4j versions \u003e=2.10\nset the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true\n\nFor Log4j versions \u003e=2.7 and \u003c=2.14.1\nall PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m\n\nFor Log4j versions \u003e=2.0-beta9 and \u003c=2.10.0\nremove the JndiLookup class from the classpath. For example: \n```\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\n```\n\nOn OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421\n\nOn OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441",
"product_ids": [
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2021-12-10T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Moderate"
}
],
"title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value"
},
{
"cve": "CVE-2021-45046",
"cwe": {
"id": "CWE-917",
"name": "Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)"
},
"discovery_date": "2021-12-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2032580"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true`) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le"
],
"known_not_affected": [
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-45046"
},
{
"category": "external",
"summary": "RHBZ#2032580",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-45046"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2021-44228",
"url": "https://access.redhat.com/security/cve/CVE-2021-44228"
},
{
"category": "external",
"summary": "https://logging.apache.org/log4j/2.x/security.html",
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"category": "external",
"summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4",
"url": "https://www.openwall.com/lists/oss-security/2021/12/14/4"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2021-12-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-12-14T19:37:00+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html\n\nFor Red Hat OpenShift Logging 5.3, see the following instructions to apply this update:\n\nhttps://docs.openshift.com/container-platform/4.9/logging/cluster-logging-upgrading.html",
"product_ids": [
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:5129"
},
{
"category": "workaround",
"details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).",
"product_ids": [
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-operator-bundle@sha256:90c3bac2bd24cf79249202fc7e7124c602fabb929147bcb5b98564a601b73b05_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:06ef75fc95f01c81ff8effe58060b0c7eada7436a4657087af7dcf34779b78a9_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:a8c9d81be0f59bf60bcdc03584d8093812a8552cb4e5f2926ae8474e41b193b2_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/cluster-logging-rhel8-operator@sha256:d16e91e1aeaac45aa51b7f2b0ebe548faa74b141e644e964f94c8ae4b5adc338_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-operator-bundle@sha256:f9eac45d398c5772be52b65e2d6e0bb857a60a4e0f4c789e5c72473855ba2b41_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:ab6b5992f1718a79b26cab831a3f96c46ac2354e34d7488576830e2e5e5f949c_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:e6d806d2223dc344244469a89430d9e60d5d4310e6ed626a6d6b0dfe5d191aa5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-proxy-rhel8@sha256:fb217034ad478016ece30afe0f892f407e0b5f8e7931962a1376310f87bb6e08_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:75cfb6204d4d74460451dbc0d3f046235f3f00261f5124e4c2616e6ef17e76ca_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:aa4897baa35b4d3c5d2f1b64ecc384bfd0088233da29b50da562622a01da71cd_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch-rhel8-operator@sha256:ee5026614e766aaaf52ba6437577c94235e2021d8d82b13d90960220d27d8ff8_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:458c0ecce2582cdaad4b1a179ba7cf22a3831fab833e8b38b6001662cef088d9_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:55fb246ff597b28fff584042a6dd86f3b0de83e1271e151aeb7836e1c127f08e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/elasticsearch6-rhel8@sha256:cbfac57572671eb995342bfd97e2671b60434ea688a759d05c61176ec4c6e49c_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:959a047204a93d8d6460fafa7616ff154e8feb08a7c05d6867f99ec1a87ebf73_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:9f5f2df7b88610ec8ca085d2c48d527f3863b8c7e865786090df3040a51bda69_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/eventrouter-rhel8@sha256:c4480951503ca7072e946b1fde63bc7ef45eb60c7d62a8a2d204e972884266be_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:8e6e030a092c94af29c0fc50f79abcfd058aee14d929dfaea457bb39891c57fe_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e460881db1614b5fabbd938fa674f82e90524beb54ae2619acaf50665785892e_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/fluentd-rhel8@sha256:e5bab509f084458d27d3bb32fd82132ce03523bbec45ce4aa8f68837c0cfc2db_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:0599610c8e53b621fa1a6079cdc636477b38d5d1747c7221d67dda1b4a362258_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:588c93bed798115647759a8fa778fe5c0f4110ff31f863718453105d04c0a6f8_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/kibana6-rhel8@sha256:ba0909befb1bcc75437a1b389032e8cf9526692a5ee2ad610df0acd870aba9f0_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:41f878aefc6559950120527e2ae422a79c3d768b00885a5426fcae655aaae8b7_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:542269634b1bf21cb986f1618161b7b50f7871d61286e43d2b9acf39abf745f0_s390x",
"8Base-OSE-LOGGING-5.3:openshift-logging/log-file-metric-exporter-rhel8@sha256:daaf25c751e4562a4a06d4e30f33db2b01a2557e03053afc2dc4a85377ab4dc5_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:5eed6d7086407a59ff8a0750b64fc9b245dd12551db404bc13b9a4cd35a60c8c_ppc64le",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:9abe7a5c17765cce39f514185e81d19045370098f5cf44c444f401324c527c78_amd64",
"8Base-OSE-LOGGING-5.3:openshift-logging/logging-curator5-rhel8@sha256:cd0808c73ea0fb52b679800fd90641578d0788cb0cb63419b2c6c8d6c385da7d_s390x"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2023-05-01T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Moderate"
}
],
"title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.