csaf_redhat - rhsa-2022

rhsa-2022_4985

Vulnerability from csaf_redhat

Published

2022-06-09 18:55

Modified

2024-11-15 14:52

Summary

Red Hat Security Advisory: Cryostat 2.1.1: new Cryostat on RHEL 8 container images

Notes

Topic

New Cryostat 2.1.1 on RHEL 8 container images are now available

Details

New Cryostat 2.1.1 on RHEL 8 container images have been released, containing bug fixes and addressing the following security vulnerabilities: CVE-2022-25647, CVE-2022-28948 (see References) Users of Cryostat 2 on RHEL 8 container images are advised to upgrade to these updated images, which contain backported patches to correct these security issues and fix these bugs. Users of these images are also encouraged to rebuild all container images that depend on these images. You can find images updated by this advisory in Red Hat Container Catalog (see References).

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "New Cryostat 2.1.1 on RHEL 8 container images are now available",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "New Cryostat 2.1.1 on RHEL 8 container images have been released, containing bug fixes and addressing the following security vulnerabilities: CVE-2022-25647, CVE-2022-28948 (see References)\n\nUsers of Cryostat 2 on RHEL 8 container images are advised to upgrade to these updated images, which contain backported patches to correct these security issues and fix these bugs. Users of these images are also encouraged to rebuild all container images that depend on these images.\n\nYou can find images updated by this advisory in Red Hat Container Catalog (see References).",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2022:4985",
        "url": "https://access.redhat.com/errata/RHSA-2022:4985"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "2080850",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2080850"
      },
      {
        "category": "external",
        "summary": "2088748",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2088748"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_4985.json"
      }
    ],
    "title": "Red Hat Security Advisory: Cryostat 2.1.1: new Cryostat on RHEL 8 container images",
    "tracking": {
      "current_release_date": "2024-11-15T14:52:17+00:00",
      "generator": {
        "date": "2024-11-15T14:52:17+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2022:4985",
      "initial_release_date": "2022-06-09T18:55:22+00:00",
      "revision_history": [
        {
          "date": "2022-06-09T18:55:22+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2022-06-09T18:55:22+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-15T14:52:17+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Cryostat 2 on RHEL 8",
                "product": {
                  "name": "Cryostat 2 on RHEL 8",
                  "product_id": "8Base-Cryostat-2",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:cryostat:2::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Cryostat"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cryostat-tech-preview/cryostat-reports-rhel8@sha256:6634699c642304eccb56c23d5e69cb85c064d1bf05b42e36d35ba9e91ff87b82_amd64",
                "product": {
                  "name": "cryostat-tech-preview/cryostat-reports-rhel8@sha256:6634699c642304eccb56c23d5e69cb85c064d1bf05b42e36d35ba9e91ff87b82_amd64",
                  "product_id": "cryostat-tech-preview/cryostat-reports-rhel8@sha256:6634699c642304eccb56c23d5e69cb85c064d1bf05b42e36d35ba9e91ff87b82_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cryostat-reports-rhel8@sha256:6634699c642304eccb56c23d5e69cb85c064d1bf05b42e36d35ba9e91ff87b82?arch=amd64\u0026repository_url=registry.redhat.io/cryostat-tech-preview/cryostat-reports-rhel8\u0026tag=1.0.0-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cryostat-tech-preview/cryostat-rhel8@sha256:1e5dc2468c07b0ea10efa4568be3031f78c79fd3fef44dfe3f739299b2baf6e5_amd64",
                "product": {
                  "name": "cryostat-tech-preview/cryostat-rhel8@sha256:1e5dc2468c07b0ea10efa4568be3031f78c79fd3fef44dfe3f739299b2baf6e5_amd64",
                  "product_id": "cryostat-tech-preview/cryostat-rhel8@sha256:1e5dc2468c07b0ea10efa4568be3031f78c79fd3fef44dfe3f739299b2baf6e5_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cryostat-rhel8@sha256:1e5dc2468c07b0ea10efa4568be3031f78c79fd3fef44dfe3f739299b2baf6e5?arch=amd64\u0026repository_url=registry.redhat.io/cryostat-tech-preview/cryostat-rhel8\u0026tag=2.1.1-1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cryostat-tech-preview/cryostat-operator-bundle@sha256:701458696ba8788f5c2516e7dd892b4bee992d3d9af6888aa6f4d6a203c8a8b8_amd64",
                "product": {
                  "name": "cryostat-tech-preview/cryostat-operator-bundle@sha256:701458696ba8788f5c2516e7dd892b4bee992d3d9af6888aa6f4d6a203c8a8b8_amd64",
                  "product_id": "cryostat-tech-preview/cryostat-operator-bundle@sha256:701458696ba8788f5c2516e7dd892b4bee992d3d9af6888aa6f4d6a203c8a8b8_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cryostat-operator-bundle@sha256:701458696ba8788f5c2516e7dd892b4bee992d3d9af6888aa6f4d6a203c8a8b8?arch=amd64\u0026repository_url=registry.redhat.io/cryostat-tech-preview/cryostat-operator-bundle\u0026tag=2.1.1-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cryostat-tech-preview/cryostat-rhel8-operator@sha256:9e076c0cde640b4cd9a40039325fb103ac417579164aca3b93af2de5ee5a84e9_amd64",
                "product": {
                  "name": "cryostat-tech-preview/cryostat-rhel8-operator@sha256:9e076c0cde640b4cd9a40039325fb103ac417579164aca3b93af2de5ee5a84e9_amd64",
                  "product_id": "cryostat-tech-preview/cryostat-rhel8-operator@sha256:9e076c0cde640b4cd9a40039325fb103ac417579164aca3b93af2de5ee5a84e9_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/cryostat-rhel8-operator@sha256:9e076c0cde640b4cd9a40039325fb103ac417579164aca3b93af2de5ee5a84e9?arch=amd64\u0026repository_url=registry.redhat.io/cryostat-tech-preview/cryostat-rhel8-operator\u0026tag=2.1.1-1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cryostat-tech-preview/jfr-datasource-rhel8@sha256:dbeb06612d63011778a7a5545b74c347368515133ee557eb25ed84857469138c_amd64",
                "product": {
                  "name": "cryostat-tech-preview/jfr-datasource-rhel8@sha256:dbeb06612d63011778a7a5545b74c347368515133ee557eb25ed84857469138c_amd64",
                  "product_id": "cryostat-tech-preview/jfr-datasource-rhel8@sha256:dbeb06612d63011778a7a5545b74c347368515133ee557eb25ed84857469138c_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/jfr-datasource-rhel8@sha256:dbeb06612d63011778a7a5545b74c347368515133ee557eb25ed84857469138c?arch=amd64\u0026repository_url=registry.redhat.io/cryostat-tech-preview/jfr-datasource-rhel8\u0026tag=2.1.0-2"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat-tech-preview/cryostat-operator-bundle@sha256:701458696ba8788f5c2516e7dd892b4bee992d3d9af6888aa6f4d6a203c8a8b8_amd64 as a component of Cryostat 2 on RHEL 8",
          "product_id": "8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:701458696ba8788f5c2516e7dd892b4bee992d3d9af6888aa6f4d6a203c8a8b8_amd64"
        },
        "product_reference": "cryostat-tech-preview/cryostat-operator-bundle@sha256:701458696ba8788f5c2516e7dd892b4bee992d3d9af6888aa6f4d6a203c8a8b8_amd64",
        "relates_to_product_reference": "8Base-Cryostat-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat-tech-preview/cryostat-reports-rhel8@sha256:6634699c642304eccb56c23d5e69cb85c064d1bf05b42e36d35ba9e91ff87b82_amd64 as a component of Cryostat 2 on RHEL 8",
          "product_id": "8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:6634699c642304eccb56c23d5e69cb85c064d1bf05b42e36d35ba9e91ff87b82_amd64"
        },
        "product_reference": "cryostat-tech-preview/cryostat-reports-rhel8@sha256:6634699c642304eccb56c23d5e69cb85c064d1bf05b42e36d35ba9e91ff87b82_amd64",
        "relates_to_product_reference": "8Base-Cryostat-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat-tech-preview/cryostat-rhel8-operator@sha256:9e076c0cde640b4cd9a40039325fb103ac417579164aca3b93af2de5ee5a84e9_amd64 as a component of Cryostat 2 on RHEL 8",
          "product_id": "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:9e076c0cde640b4cd9a40039325fb103ac417579164aca3b93af2de5ee5a84e9_amd64"
        },
        "product_reference": "cryostat-tech-preview/cryostat-rhel8-operator@sha256:9e076c0cde640b4cd9a40039325fb103ac417579164aca3b93af2de5ee5a84e9_amd64",
        "relates_to_product_reference": "8Base-Cryostat-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat-tech-preview/cryostat-rhel8@sha256:1e5dc2468c07b0ea10efa4568be3031f78c79fd3fef44dfe3f739299b2baf6e5_amd64 as a component of Cryostat 2 on RHEL 8",
          "product_id": "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:1e5dc2468c07b0ea10efa4568be3031f78c79fd3fef44dfe3f739299b2baf6e5_amd64"
        },
        "product_reference": "cryostat-tech-preview/cryostat-rhel8@sha256:1e5dc2468c07b0ea10efa4568be3031f78c79fd3fef44dfe3f739299b2baf6e5_amd64",
        "relates_to_product_reference": "8Base-Cryostat-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cryostat-tech-preview/jfr-datasource-rhel8@sha256:dbeb06612d63011778a7a5545b74c347368515133ee557eb25ed84857469138c_amd64 as a component of Cryostat 2 on RHEL 8",
          "product_id": "8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:dbeb06612d63011778a7a5545b74c347368515133ee557eb25ed84857469138c_amd64"
        },
        "product_reference": "cryostat-tech-preview/jfr-datasource-rhel8@sha256:dbeb06612d63011778a7a5545b74c347368515133ee557eb25ed84857469138c_amd64",
        "relates_to_product_reference": "8Base-Cryostat-2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-25647",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2022-05-02T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2080850"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in gson, which is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes. This issue may lead to availability attacks.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:701458696ba8788f5c2516e7dd892b4bee992d3d9af6888aa6f4d6a203c8a8b8_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:6634699c642304eccb56c23d5e69cb85c064d1bf05b42e36d35ba9e91ff87b82_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:9e076c0cde640b4cd9a40039325fb103ac417579164aca3b93af2de5ee5a84e9_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:1e5dc2468c07b0ea10efa4568be3031f78c79fd3fef44dfe3f739299b2baf6e5_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:dbeb06612d63011778a7a5545b74c347368515133ee557eb25ed84857469138c_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-25647"
        },
        {
          "category": "external",
          "summary": "RHBZ#2080850",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2080850"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-25647",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-25647"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25647",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25647"
        }
      ],
      "release_date": "2022-05-01T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-06-09T18:55:22+00:00",
          "details": "The Cryostat 2 on RHEL 8 container images provided by this update can be downloaded from the Red Hat Container Registry at registry.redhat.io. Installation instructions for your platform are available at Red Hat Container Catalog (see References).\n\nDockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally.",
          "product_ids": [
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:701458696ba8788f5c2516e7dd892b4bee992d3d9af6888aa6f4d6a203c8a8b8_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:6634699c642304eccb56c23d5e69cb85c064d1bf05b42e36d35ba9e91ff87b82_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:9e076c0cde640b4cd9a40039325fb103ac417579164aca3b93af2de5ee5a84e9_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:1e5dc2468c07b0ea10efa4568be3031f78c79fd3fef44dfe3f739299b2baf6e5_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:dbeb06612d63011778a7a5545b74c347368515133ee557eb25ed84857469138c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:4985"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:701458696ba8788f5c2516e7dd892b4bee992d3d9af6888aa6f4d6a203c8a8b8_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:6634699c642304eccb56c23d5e69cb85c064d1bf05b42e36d35ba9e91ff87b82_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:9e076c0cde640b4cd9a40039325fb103ac417579164aca3b93af2de5ee5a84e9_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:1e5dc2468c07b0ea10efa4568be3031f78c79fd3fef44dfe3f739299b2baf6e5_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:dbeb06612d63011778a7a5545b74c347368515133ee557eb25ed84857469138c_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson"
    },
    {
      "cve": "CVE-2022-28948",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2022-05-20T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2088748"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Unmarshal function in Go-Yaml. This vulnerability results in program crashes when attempting to convert (or deserialize) invalid input data, potentially impacting system stability and reliability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang-gopkg-yaml: crash when attempting to deserialize invalid input",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat has designated the CVE rating as \u0027moderate\u0027 as exploitation of Red Hat products is contingent upon the attacker being authenticated when sending the malicious XML payload.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:701458696ba8788f5c2516e7dd892b4bee992d3d9af6888aa6f4d6a203c8a8b8_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:6634699c642304eccb56c23d5e69cb85c064d1bf05b42e36d35ba9e91ff87b82_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:9e076c0cde640b4cd9a40039325fb103ac417579164aca3b93af2de5ee5a84e9_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:1e5dc2468c07b0ea10efa4568be3031f78c79fd3fef44dfe3f739299b2baf6e5_amd64",
          "8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:dbeb06612d63011778a7a5545b74c347368515133ee557eb25ed84857469138c_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-28948"
        },
        {
          "category": "external",
          "summary": "RHBZ#2088748",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2088748"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-28948",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-28948"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-28948",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28948"
        },
        {
          "category": "external",
          "summary": "https://github.com/advisories/GHSA-hp87-p4gw-j4gq",
          "url": "https://github.com/advisories/GHSA-hp87-p4gw-j4gq"
        }
      ],
      "release_date": "2022-05-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-06-09T18:55:22+00:00",
          "details": "The Cryostat 2 on RHEL 8 container images provided by this update can be downloaded from the Red Hat Container Registry at registry.redhat.io. Installation instructions for your platform are available at Red Hat Container Catalog (see References).\n\nDockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally.",
          "product_ids": [
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:701458696ba8788f5c2516e7dd892b4bee992d3d9af6888aa6f4d6a203c8a8b8_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:6634699c642304eccb56c23d5e69cb85c064d1bf05b42e36d35ba9e91ff87b82_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:9e076c0cde640b4cd9a40039325fb103ac417579164aca3b93af2de5ee5a84e9_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:1e5dc2468c07b0ea10efa4568be3031f78c79fd3fef44dfe3f739299b2baf6e5_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:dbeb06612d63011778a7a5545b74c347368515133ee557eb25ed84857469138c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:4985"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-operator-bundle@sha256:701458696ba8788f5c2516e7dd892b4bee992d3d9af6888aa6f4d6a203c8a8b8_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-reports-rhel8@sha256:6634699c642304eccb56c23d5e69cb85c064d1bf05b42e36d35ba9e91ff87b82_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8-operator@sha256:9e076c0cde640b4cd9a40039325fb103ac417579164aca3b93af2de5ee5a84e9_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/cryostat-rhel8@sha256:1e5dc2468c07b0ea10efa4568be3031f78c79fd3fef44dfe3f739299b2baf6e5_amd64",
            "8Base-Cryostat-2:cryostat-tech-preview/jfr-datasource-rhel8@sha256:dbeb06612d63011778a7a5545b74c347368515133ee557eb25ed84857469138c_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "golang-gopkg-yaml: crash when attempting to deserialize invalid input"
    }
  ]
}

cve-2022-28948

Vulnerability from cvelistv5

Published

2022-05-19 19:59

Modified

2024-08-03 06:10

Severity ?

Summary

An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.

References

▼	URL	Tags
	https://github.com/go-yaml/yaml/issues/666	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-20220923-0006/	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T06:10:57.622Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/go-yaml/yaml/issues/666"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220923-0006/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-23T14:06:21",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/go-yaml/yaml/issues/666"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220923-0006/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-28948",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/go-yaml/yaml/issues/666",
              "refsource": "MISC",
              "url": "https://github.com/go-yaml/yaml/issues/666"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220923-0006/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220923-0006/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-28948",
    "datePublished": "2022-05-19T19:59:30",
    "dateReserved": "2022-04-11T00:00:00",
    "dateUpdated": "2024-08-03T06:10:57.622Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-25647

Vulnerability from cvelistv5

Published

2022-05-01 15:30

Modified

2024-09-17 03:32

Severity ?

7.7 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H

Summary

Deserialization of Untrusted Data

References

▼	URL	Tags
	https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327	x_refsource_MISC
	https://github.com/google/gson/pull/1991	x_refsource_MISC
	https://github.com/google/gson/pull/1991/commits	x_refsource_MISC
	https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html	mailing-list, x_refsource_MLIST
	https://www.oracle.com/security-alerts/cpujul2022.html	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-20220901-0009/	x_refsource_CONFIRM
	https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html	mailing-list, x_refsource_MLIST
	https://www.debian.org/security/2022/dsa-5227	vendor-advisory, x_refsource_DEBIAN

Impacted products

▼	Vendor	Product
	n/a	com.google.code.gson:gson

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:42:50.328Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/google/gson/pull/1991"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/google/gson/pull/1991/commits"
          },
          {
            "name": "[debian-lts-announce] 20220513 [SECURITY] [DLA 3001-1] libgoogle-gson-java security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220901-0009/"
          },
          {
            "name": "[debian-lts-announce] 20220907 [SECURITY] [DLA 3100-1] libgoogle-gson-java security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html"
          },
          {
            "name": "DSA-5227",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5227"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "com.google.code.gson:gson",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "2.8.9",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Marcono1234"
        }
      ],
      "datePublic": "2022-05-01T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Deserialization of Untrusted Data",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-07T20:06:16",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/google/gson/pull/1991"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/google/gson/pull/1991/commits"
        },
        {
          "name": "[debian-lts-announce] 20220513 [SECURITY] [DLA 3001-1] libgoogle-gson-java security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220901-0009/"
        },
        {
          "name": "[debian-lts-announce] 20220907 [SECURITY] [DLA 3100-1] libgoogle-gson-java security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html"
        },
        {
          "name": "DSA-5227",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5227"
        }
      ],
      "title": "Deserialization of Untrusted Data",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "report@snyk.io",
          "DATE_PUBLIC": "2022-05-01T15:25:25.581039Z",
          "ID": "CVE-2022-25647",
          "STATE": "PUBLIC",
          "TITLE": "Deserialization of Untrusted Data"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "com.google.code.gson:gson",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "2.8.9"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Marcono1234"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Deserialization of Untrusted Data"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327",
              "refsource": "MISC",
              "url": "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327"
            },
            {
              "name": "https://github.com/google/gson/pull/1991",
              "refsource": "MISC",
              "url": "https://github.com/google/gson/pull/1991"
            },
            {
              "name": "https://github.com/google/gson/pull/1991/commits",
              "refsource": "MISC",
              "url": "https://github.com/google/gson/pull/1991/commits"
            },
            {
              "name": "[debian-lts-announce] 20220513 [SECURITY] [DLA 3001-1] libgoogle-gson-java security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220901-0009/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220901-0009/"
            },
            {
              "name": "[debian-lts-announce] 20220907 [SECURITY] [DLA 3100-1] libgoogle-gson-java security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html"
            },
            {
              "name": "DSA-5227",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2022/dsa-5227"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2022-25647",
    "datePublished": "2022-05-01T15:30:29.223346Z",
    "dateReserved": "2022-02-24T00:00:00",
    "dateUpdated": "2024-09-17T03:32:46.390Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

rhsa-2022_4985

Vulnerability from csaf_redhat

cve-2022-28948

Vulnerability from cvelistv5

cve-2022-25647

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature