rhsa-2022_8524
Vulnerability from csaf_redhat
Published
2022-11-17 13:40
Modified
2024-11-06 02:02
Summary
Red Hat Security Advisory: Red Hat Data Grid 8.4.0 security update

Notes

Topic
An update for Red Hat Data Grid 8 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale. Data Grid 8.4.0 replaces Data Grid 8.3.1 and includes bug fixes and enhancements. Find out more about Data Grid 8.4.0 in the Release Notes[3]. Security Fix(es): * prismjs: improperly escaped output allows a XSS (CVE-2022-23647) * snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857) * node-fetch: exposure of sensitive information to an unauthorized actor (CVE-2022-0235) * netty: world readable temporary file containing sensitive data (CVE-2022-24823) * snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749) * snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750) * snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751) * snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for Red Hat Data Grid 8 is now available.\n \nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale.\n \nData Grid 8.4.0 replaces Data Grid 8.3.1 and includes bug fixes and enhancements. Find out more about Data Grid 8.4.0 in the Release Notes[3].\n\nSecurity Fix(es):\n\n* prismjs: improperly escaped output allows a XSS (CVE-2022-23647)\n\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n\n* node-fetch: exposure of sensitive information to an unauthorized actor (CVE-2022-0235)\n\n* netty: world readable temporary file containing sensitive data (CVE-2022-24823)\n\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)\n\n* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2022:8524",
        "url": "https://access.redhat.com/errata/RHSA-2022:8524"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381\u0026product=data.grid\u0026version=8.4\u0026downloadType=patches",
        "url": "https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381\u0026product=data.grid\u0026version=8.4\u0026downloadType=patches"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.4/html-single/red_hat_data_grid_8.4_release_notes/index",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.4/html-single/red_hat_data_grid_8.4_release_notes/index"
      },
      {
        "category": "external",
        "summary": "2044591",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044591"
      },
      {
        "category": "external",
        "summary": "2056643",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2056643"
      },
      {
        "category": "external",
        "summary": "2087186",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2087186"
      },
      {
        "category": "external",
        "summary": "2126789",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
      },
      {
        "category": "external",
        "summary": "2129706",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
      },
      {
        "category": "external",
        "summary": "2129707",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
      },
      {
        "category": "external",
        "summary": "2129709",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
      },
      {
        "category": "external",
        "summary": "2129710",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129710"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_8524.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Data Grid 8.4.0 security update",
    "tracking": {
      "current_release_date": "2024-11-06T02:02:50+00:00",
      "generator": {
        "date": "2024-11-06T02:02:50+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.1.1"
        }
      },
      "id": "RHSA-2022:8524",
      "initial_release_date": "2022-11-17T13:40:01+00:00",
      "revision_history": [
        {
          "date": "2022-11-17T13:40:01+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2022-11-17T13:40:01+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-06T02:02:50+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Data Grid 8.4.0",
                "product": {
                  "name": "Red Hat Data Grid 8.4.0",
                  "product_id": "Red Hat Data Grid 8.4.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_data_grid:8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Data Grid"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-0235",
      "cwe": {
        "id": "CWE-601",
        "name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
      },
      "discovery_date": "2022-01-16T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2044591"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in node-fetch. When following a redirect to a third-party domain, node-fetch was forwarding sensitive headers such as \"Authorization,\" \"WWW-Authenticate,\" and \"Cookie\" to potentially untrusted targets. This flaw leads to the exposure of sensitive information to an unauthorized actor.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "node-fetch: exposure of sensitive information to an unauthorized actor",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This flaw is out of support scope for dotnet-5.0. For more information about Dotnet product support scope, please see https://access.redhat.com/support/policy/updates/net-core",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Data Grid 8.4.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-0235"
        },
        {
          "category": "external",
          "summary": "RHBZ#2044591",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044591"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-0235",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-0235"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-0235",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0235"
        },
        {
          "category": "external",
          "summary": "https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7/",
          "url": "https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7/"
        }
      ],
      "release_date": "2022-01-14T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-11-17T13:40:01+00:00",
          "details": "To install this update, do the following:\n \n1. Download the Data Grid 8.4.0 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.4.0 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.4.0, refer to the 8.4.0 Release Notes[\u00b3]",
          "product_ids": [
            "Red Hat Data Grid 8.4.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:8524"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Data Grid 8.4.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "node-fetch: exposure of sensitive information to an unauthorized actor"
    },
    {
      "cve": "CVE-2022-23647",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2022-02-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2056643"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A Cross-site scripting attack was found in Prism. The command-line plugin did not properly escape its output. This issue leads to the input text being inserted into the Document Object Model (DOM) as HTML code, which can be exploited by an attacker.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "prismjs: improperly escaped output allows a XSS",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue affects Prism as shipped with all versions of Red Hat Ceph Storage, Red Hat Migration Toolkit for Virtualization, Red Hat OpenShift Container Platform, Red Hat OpenShift Service Mesh, Red Hat Advanced Cluster Security, and Red Hat Gluster Storage. However, this flaw is not known to be exploitable under any supported scenario, as websites that do not use the Command Line plugin are also not impacted. The above products do not use the Command Line plugin, thus, are marked not affected.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Data Grid 8.4.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-23647"
        },
        {
          "category": "external",
          "summary": "RHBZ#2056643",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2056643"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23647",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-23647"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23647",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23647"
        },
        {
          "category": "external",
          "summary": "https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99",
          "url": "https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99"
        }
      ],
      "release_date": "2022-02-18T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-11-17T13:40:01+00:00",
          "details": "To install this update, do the following:\n \n1. Download the Data Grid 8.4.0 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.4.0 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.4.0, refer to the 8.4.0 Release Notes[\u00b3]",
          "product_ids": [
            "Red Hat Data Grid 8.4.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:8524"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Data Grid 8.4.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "prismjs: improperly escaped output allows a XSS"
    },
    {
      "cve": "CVE-2022-24823",
      "cwe": {
        "id": "CWE-379",
        "name": "Creation of Temporary File in Directory with Insecure Permissions"
      },
      "discovery_date": "2022-05-17T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2087186"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "CVE-2021-21290 contains an incomplete fix, and this addresses the issue found in netty. When using multipart decoders in netty, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: world readable temporary file containing sensitive data",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users.\n\nRed Hat Satellite 6 is not affected as is using netty 3.6.7 version which is not impacted by this vulnerability.\n\nRed Hat Fuse 7 is now in Maintenance Support Phase and should be fixed soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Data Grid 8.4.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-24823"
        },
        {
          "category": "external",
          "summary": "RHBZ#2087186",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2087186"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-24823",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-24823"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24823",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24823"
        }
      ],
      "release_date": "2022-05-06T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-11-17T13:40:01+00:00",
          "details": "To install this update, do the following:\n \n1. Download the Data Grid 8.4.0 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.4.0 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.4.0, refer to the 8.4.0 Release Notes[\u00b3]",
          "product_ids": [
            "Red Hat Data Grid 8.4.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:8524"
        },
        {
          "category": "workaround",
          "details": "As a workaround, specify one\u0027s own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.",
          "product_ids": [
            "Red Hat Data Grid 8.4.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Data Grid 8.4.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "netty: world readable temporary file containing sensitive data"
    },
    {
      "cve": "CVE-2022-25857",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2022-09-14T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2126789"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Data Grid 8.4.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-25857"
        },
        {
          "category": "external",
          "summary": "RHBZ#2126789",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857"
        },
        {
          "category": "external",
          "summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525",
          "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"
        }
      ],
      "release_date": "2022-08-30T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-11-17T13:40:01+00:00",
          "details": "To install this update, do the following:\n \n1. Download the Data Grid 8.4.0 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.4.0 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.4.0, refer to the 8.4.0 Release Notes[\u00b3]",
          "product_ids": [
            "Red Hat Data Grid 8.4.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:8524"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Data Grid 8.4.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections"
    },
    {
      "cve": "CVE-2022-38749",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "discovery_date": "2022-09-26T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2129706"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Data Grid 8.4.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-38749"
        },
        {
          "category": "external",
          "summary": "RHBZ#2129706",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-38749",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-38749"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749"
        }
      ],
      "release_date": "2022-09-05T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-11-17T13:40:01+00:00",
          "details": "To install this update, do the following:\n \n1. Download the Data Grid 8.4.0 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.4.0 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.4.0, refer to the 8.4.0 Release Notes[\u00b3]",
          "product_ids": [
            "Red Hat Data Grid 8.4.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:8524"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Data Grid 8.4.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode"
    },
    {
      "cve": "CVE-2022-38750",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "discovery_date": "2022-09-26T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2129707"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Data Grid 8.4.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-38750"
        },
        {
          "category": "external",
          "summary": "RHBZ#2129707",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-38750",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-38750"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750"
        }
      ],
      "release_date": "2022-09-05T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-11-17T13:40:01+00:00",
          "details": "To install this update, do the following:\n \n1. Download the Data Grid 8.4.0 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.4.0 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.4.0, refer to the 8.4.0 Release Notes[\u00b3]",
          "product_ids": [
            "Red Hat Data Grid 8.4.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:8524"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Data Grid 8.4.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject"
    },
    {
      "cve": "CVE-2022-38751",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "discovery_date": "2022-09-26T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2129709"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Data Grid 8.4.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-38751"
        },
        {
          "category": "external",
          "summary": "RHBZ#2129709",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-38751",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-38751"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751"
        }
      ],
      "release_date": "2022-09-05T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-11-17T13:40:01+00:00",
          "details": "To install this update, do the following:\n \n1. Download the Data Grid 8.4.0 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.4.0 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.4.0, refer to the 8.4.0 Release Notes[\u00b3]",
          "product_ids": [
            "Red Hat Data Grid 8.4.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:8524"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Data Grid 8.4.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match"
    },
    {
      "cve": "CVE-2022-38752",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "discovery_date": "2022-09-26T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2129710"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Data Grid 8.4.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-38752"
        },
        {
          "category": "external",
          "summary": "RHBZ#2129710",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129710"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-38752",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-38752"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38752",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38752"
        }
      ],
      "release_date": "2022-09-05T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-11-17T13:40:01+00:00",
          "details": "To install this update, do the following:\n \n1. Download the Data Grid 8.4.0 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.4.0 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.4.0, refer to the 8.4.0 Release Notes[\u00b3]",
          "product_ids": [
            "Red Hat Data Grid 8.4.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:8524"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Data Grid 8.4.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...
  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.