var-202107-1555
Vulnerability from variot
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package. Compress Contains an unspecified vulnerability.Denial of service (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.1] security, bug fix and update Advisory ID: RHSA-2022:5555-01 Product: Red Hat Virtualization Advisory URL: https://access.redhat.com/errata/RHSA-2022:5555 Issue date: 2022-07-14 CVE Names: CVE-2021-3807 CVE-2021-33623 CVE-2021-35515 CVE-2021-35516 CVE-2021-35517 CVE-2021-36090 CVE-2022-22950 CVE-2022-31051 ==================================================================== 1. Summary:
Updated ovirt-engine packages that fix several bugs and add various enhancements are now available.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch
- Description:
The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.
A list of bugs fixed in this update is available in the Technical Notes book: https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes
- Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/2974891
- Bugs fixed (https://bugzilla.redhat.com/):
1663217 - [RFE] Add RHV VM name to the matching between Satellite's content host to RHV (currently only VM FQDN is used) 1782077 - [RFE] More Flexible RHV CPU Allocation Policy with HyperThreading 1849045 - Differences between apidoc and REST API documentation about exporting VMs and templates to OVA 1852308 - Snapshot fails to create with 'Invalid parameter: 'capacity73741824'' Exception 1958032 - Live Storage Migration fails because replication filled the destination volume before extension. 1966615 - CVE-2021-33623 nodejs-trim-newlines: ReDoS in .end() method 1976607 - Deprecate QXL 1981895 - CVE-2021-35515 apache-commons-compress: infinite loop when reading a specially crafted 7Z archive 1981900 - CVE-2021-35516 apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive 1981903 - CVE-2021-35517 apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive 1981909 - CVE-2021-36090 apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive 1994144 - [RHV 4.4.6] Mail recipient is not updated while configuring Event Notifications 2001574 - Memory usage on Windows client browser while using move or copy disk operations on Admin web 2001923 - NPE during RemoveSnapshotSingleDisk command 2006625 - Engine generates VDS_HIGH_MEM_USE events for empty hosts that have most memory reserved by huge pages 2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes 2030293 - VM in locked state forever if manager is rebooted while exporting VM as OVA 2068270 - RHV-M Admin Portal gives '500 - Internal Server Error" with command_entities in EXECUTION_FAILED status 2069414 - CVE-2022-22950 spring-expression: Denial of service via specially crafted SpEL expression 2070045 - UploadStreamVDSCommand fails with java.net.SocketTimeoutException after 20 seconds 2072626 - RHV-M generates SNMPv3 trap with msgAuthoritativeEngineBoots: 0 despite multiple engine restarts 2081241 - VFIO_MAP_DMA failed: Cannot allocate memory -12 (VM with GPU passthrough, Q35 machine and 16 vcpus) 2081559 - [RFE] discrepancy tool should detect preallocated cow images that were reduced 2089856 - [TestOnly] Bug 2015796 - [RFE] RHV Manager should support running on a host with DISA STIG security profile applied 2092885 - Please say "SP1" on the landing page 2093795 - Upgrade ovirt-log-collector to 4.4.6 2097414 - CVE-2022-31051 semantic-release: Masked secrets can be disclosed if they contain characters that are excluded from uri encoding 2099650 - Upgrade to latest version failed due to failed database schema refresh 2105296 - cannot live migrate vm from rhv-h 4.4.10 to 4.50 (4.4.11)
- Package List:
RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:
Source: apache-commons-compress-1.21-1.2.el8ev.src.rpm ovirt-dependencies-4.5.2-1.el8ev.src.rpm ovirt-engine-4.5.1.2-0.11.el8ev.src.rpm ovirt-engine-dwh-4.5.3-1.el8ev.src.rpm ovirt-engine-ui-extensions-1.3.4-1.el8ev.src.rpm ovirt-log-collector-4.4.6-1.el8ev.src.rpm ovirt-web-ui-1.9.0-1.el8ev.src.rpm postgresql-jdbc-42.2.14-1.el8ev.src.rpm rhv-log-collector-analyzer-1.0.14-1.el8ev.src.rpm rhvm-branding-rhv-4.5.0-1.el8ev.src.rpm
noarch: apache-commons-compress-1.21-1.2.el8ev.noarch.rpm apache-commons-compress-javadoc-1.21-1.2.el8ev.noarch.rpm ovirt-dependencies-4.5.2-1.el8ev.noarch.rpm ovirt-engine-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-backend-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-dbscripts-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-dwh-4.5.3-1.el8ev.noarch.rpm ovirt-engine-dwh-grafana-integration-setup-4.5.3-1.el8ev.noarch.rpm ovirt-engine-dwh-setup-4.5.3-1.el8ev.noarch.rpm ovirt-engine-health-check-bundler-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-restapi-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-setup-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-setup-base-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-setup-plugin-cinderlib-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-setup-plugin-imageio-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-setup-plugin-ovirt-engine-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-setup-plugin-ovirt-engine-common-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-setup-plugin-websocket-proxy-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-tools-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-tools-backup-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-ui-extensions-1.3.4-1.el8ev.noarch.rpm ovirt-engine-vmconsole-proxy-helper-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-webadmin-portal-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-engine-websocket-proxy-4.5.1.2-0.11.el8ev.noarch.rpm ovirt-log-collector-4.4.6-1.el8ev.noarch.rpm ovirt-web-ui-1.9.0-1.el8ev.noarch.rpm postgresql-jdbc-42.2.14-1.el8ev.noarch.rpm postgresql-jdbc-javadoc-42.2.14-1.el8ev.noarch.rpm python3-ovirt-engine-lib-4.5.1.2-0.11.el8ev.noarch.rpm rhv-log-collector-analyzer-1.0.14-1.el8ev.noarch.rpm rhvm-4.5.1.2-0.11.el8ev.noarch.rpm rhvm-branding-rhv-4.5.0-1.el8ev.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2021-3807 https://access.redhat.com/security/cve/CVE-2021-33623 https://access.redhat.com/security/cve/CVE-2021-35515 https://access.redhat.com/security/cve/CVE-2021-35516 https://access.redhat.com/security/cve/CVE-2021-35517 https://access.redhat.com/security/cve/CVE-2021-36090 https://access.redhat.com/security/cve/CVE-2022-22950 https://access.redhat.com/security/cve/CVE-2022-31051 https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes https://access.redhat.com/security/updates/classification/#moderate
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBYuFkB9zjgjWX9erEAQhJEQ//eXBYq/X5gI7umxdyGiiBdWtu+p7OuQ65 fGKy0dmJSIB5IzbmSxekBwRn23cSbFtRQxm25RbE+AwxD7a57pPJXJy3Wjvz+MKl wGJADj6Ia+4APGc4D63vkFZb7e9beUX4ehIswzADD+eYdT6hSoxzeFCSoNVS52ih gjqZvAb5HoDHiqO5EZPyhnb29xwMVO4obMQlpVe4BcPBjIS4CkW9Uh7x4YB9/778 hGYqgzquGa1TEqChw8Hhy8TSmA3g5b66ywsxNrllHDgTN/hG8iEcWw3V+e23Ubbi zb8rpu1Lm/36RYMyYwUiLg/F8ePbNnIdb1bllFDAUq9M7lH5hs77KDPj00Ff7+xh nwOgG5ktIMP/7KNsKUxPf/W94Yi6R9pZH3J2PXV2YjpDd8L6LNXGK5q5A3yjGksr tXZmQ2+jckXeel1vDvJ3qlkfHHNS1gvcQvNWci5EBOoeqEKQUTJZJQoucTbrhp2M 8502HAzHGRinjVnLizT/6JnEuGvHVwy8O8yx/D2UEEz7FsCDxPG0bBb+8Iy+6ZZb /EcTamIUpmyxEZ9AdQxW++GoaGWckYaMEVjcIbWvExP1kAlWY2E5uuaizlrLh116 fonyYo2esLh8mFN8OmcZhPDwJGuzlFL+mhOn6OQi8/ZmfkHPItSWVv772vKA1zlT yetpCCo5iV4=Muhw -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Summary:
A minor version update (from 7.10 to 7.11) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Description:
This release of Red Hat Fuse 7.11.0 serves as a replacement for Red Hat Fuse 7.10 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.
Security Fix(es):
-
fastjson (CVE-2022-25845)
-
jackson-databind (CVE-2020-36518)
-
mysql-connector-java (CVE-2021-2471, CVE-2022-21363)
-
undertow (CVE-2022-1259, CVE-2021-3629, CVE-2022-1319)
-
wildfly-elytron (CVE-2021-3642)
-
nodejs-ansi-regex (CVE-2021-3807, CVE-2021-3807)
-
3 qt (CVE-2021-3859)
-
kubernetes-client (CVE-2021-4178)
-
spring-security (CVE-2021-22119)
-
protobuf-java (CVE-2021-22569)
-
google-oauth-client (CVE-2021-22573)
-
XStream (CVE-2021-29505, CVE-2021-43859)
-
jdom (CVE-2021-33813, CVE-2021-33813)
-
apache-commons-compress (CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090)
-
Kafka (CVE-2021-38153)
-
xml-security (CVE-2021-40690)
-
logback (CVE-2021-42550)
-
netty (CVE-2021-43797)
-
xnio (CVE-2022-0084)
-
jdbc-postgresql (CVE-2022-21724)
-
spring-expression (CVE-2022-22950)
-
springframework (CVE-2021-22096, CVE-2021-22060, CVE-2021-22096, CVE-2022-22976, CVE-2022-22970, CVE-2022-22971, CVE-2022-22978)
-
h2 (CVE-2022-23221)
-
junrar (CVE-2022-23596)
-
artemis-commons (CVE-2022-23913)
-
elasticsearch (CVE-2020-7020)
-
tomcat (CVE-2021-24122, CVE-2021-25329, CVE-2020-9484, CVE-2021-25122, CVE-2021-33037, CVE-2021-30640, CVE-2021-41079, CVE-2021-42340, CVE-2022-23181)
-
junit4 (CVE-2020-15250)
-
wildfly-core (CVE-2020-25689, CVE-2021-3644)
-
kotlin (CVE-2020-29582)
-
karaf (CVE-2021-41766, CVE-2022-22932)
-
Spring Framework (CVE-2022-22968)
-
metadata-extractor (CVE-2022-24614)
-
poi-scratchpad (CVE-2022-26336)
-
postgresql-jdbc (CVE-2022-26520)
-
tika-core (CVE-2022-30126)
For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution:
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
Installation instructions are available from the Fuse 7.11.0 product documentation page: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/
- Bugs fixed (https://bugzilla.redhat.com/):
1838332 - CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE 1887810 - CVE-2020-15250 junit4: TemporaryFolder is shared between all users across system which could result in information disclosure 1893070 - CVE-2020-25689 wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-controller 1893125 - CVE-2020-7020 elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure 1917209 - CVE-2021-24122 tomcat: Information disclosure when using NTFS file system 1930291 - CVE-2020-29582 kotlin: vulnerable Java API was used for temporary file and folder creation which could result in information disclosure 1934032 - CVE-2021-25122 tomcat: Request mix-up with h2c 1934061 - CVE-2021-25329 tomcat: Incomplete fix for CVE-2020-9484 (RCE via session persistence) 1966735 - CVE-2021-29505 XStream: remote command execution attack by manipulating the processed input stream 1973413 - CVE-2021-33813 jdom: XXE allows attackers to cause a DoS via a crafted HTTP request 1976052 - CVE-2021-3644 wildfly-core: Invalid Sensitivity Classification of Vault Expression 1977064 - CVE-2021-22119 spring-security: Denial-of-Service (DoS) attack via initiation of Authorization Request 1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS 1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer 1981533 - CVE-2021-33037 tomcat: HTTP request smuggling when used with a reverse proxy 1981544 - CVE-2021-30640 tomcat: JNDI realm authentication weakness 1981895 - CVE-2021-35515 apache-commons-compress: infinite loop when reading a specially crafted 7Z archive 1981900 - CVE-2021-35516 apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive 1981903 - CVE-2021-35517 apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive 1981909 - CVE-2021-36090 apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive 2004820 - CVE-2021-41079 tomcat: Infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE engine 2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes 2009041 - CVE-2021-38153 Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients 2010378 - CVE-2021-3859 undertow: client side invocation timeout raised when calling over HTTP2 2011190 - CVE-2021-40690 xml-security: XPath Transform abuse allows for information disclosure 2014356 - CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS 2020583 - CVE-2021-2471 mysql-connector-java: unauthorized access to critical 2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling 2033560 - CVE-2021-42550 logback: remote code execution through JNDI call from within its configuration file 2034388 - CVE-2021-4178 kubernetes-client: Insecure deserialization in unmarshalYaml method 2034584 - CVE-2021-22096 springframework: malicious input leads to insertion of additional log entries 2039903 - CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data 2044596 - CVE-2022-23221 h2: Loading of custom classes from remote servers through JNDI 2046279 - CVE-2022-22932 karaf: path traversal flaws 2046282 - CVE-2021-41766 karaf: insecure java deserialization 2047343 - CVE-2022-21363 mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors 2047417 - CVE-2022-23181 tomcat: local privilege escalation vulnerability 2049778 - CVE-2022-23596 junrar: A carefully crafted RAR archive can trigger an infinite loop while extracting 2049783 - CVE-2021-43859 xstream: Injecting highly recursive collections or maps can cause a DoS 2050863 - CVE-2022-21724 jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes 2055480 - CVE-2021-22060 springframework: Additional Log Injection in Spring Framework (follow-up to CVE-2021-22096) 2058763 - CVE-2022-24614 metadata-extractor: Out-of-memory when reading a specially crafted JPEG file 2063292 - CVE-2022-26336 poi-scratchpad: A carefully crafted TNEF file can cause an out of memory exception 2063601 - CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS 2064007 - CVE-2022-26520 postgresql-jdbc: Arbitrary File Write Vulnerability 2064226 - CVE-2022-0084 xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 2069414 - CVE-2022-22950 spring-expression: Denial of service via specially crafted SpEL expression 2072339 - CVE-2022-1259 undertow: potential security issue in flow control over HTTP/2 may lead to DOS(incomplete fix for CVE-2021-3629) 2073890 - CVE-2022-1319 undertow: Double AJP response for 400 from EAP 7 results in CPING failures 2075441 - CVE-2022-22968 Spring Framework: Data Binding Rules Vulnerability 2081879 - CVE-2021-22573 google-oauth-client: Token signature not verified 2087214 - CVE-2022-22976 springframework: BCrypt skips salt rounds for work factor of 31 2087272 - CVE-2022-22970 springframework: DoS via data binding to multipartFile or servlet part 2087274 - CVE-2022-22971 springframework: DoS with STOMP over WebSocket 2087606 - CVE-2022-22978 springframework: Authorization Bypass in RegexRequestMatcher 2088523 - CVE-2022-30126 tika-core: Regular Expression Denial of Service in standards extractor 2100654 - CVE-2022-25845 fastjson: autoType shutdown restriction bypass leads to deserialization
5
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202107-1555", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "communications cloud native core automated test suite", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "1.8.0" }, { "model": "financial services enterprise case management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "*" }, { "model": "communications element manager", "scope": "gte", "trust": 1.0, "vendor": "oracle", "version": "8.2.0" }, { "model": "banking treasury management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.5" }, { "model": "communications billing and revenue management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "12.0.0.4" }, { "model": "primavera gateway", "scope": "gte", "trust": 1.0, "vendor": "oracle", "version": "18.8.0" }, { "model": "primavera unifier", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "17.12" }, { "model": "communications session route manager", "scope": "gte", "trust": 1.0, "vendor": "oracle", "version": "8.0.0" }, { "model": "banking platform", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "2.12.0" }, { "model": "communications unified inventory management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "7.4.1" }, { "model": "financial services enterprise case management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "8.0.7.2.0" }, { "model": "insurance policy administration", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "11.0.2" }, { "model": "communications diameter intelligence hub", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "8.2.3" }, { "model": "communications session route manager", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "8.2.5.0" }, { "model": "primavera gateway", "scope": "gte", "trust": 1.0, "vendor": "oracle", "version": "19.12.0" }, { "model": "communications session report manager", "scope": "gte", "trust": 1.0, "vendor": "oracle", "version": "8.2.0" }, { "model": "active iq unified manager", "scope": "eq", "trust": 1.0, "vendor": "netapp", "version": null }, { "model": "oncommand insight", "scope": "eq", "trust": 1.0, "vendor": "netapp", "version": null }, { "model": "banking digital experience", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "21.1" }, { "model": "primavera gateway", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "18.8.12" }, { "model": "webcenter portal", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "12.2.1.4.0" }, { "model": "primavera gateway", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "17.12.11" }, { "model": "primavera gateway", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "19.12.11" }, { "model": "banking digital experience", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "20.1" }, { "model": "banking apis", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "20.1" }, { "model": "banking platform", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "2.6.2" }, { "model": "primavera unifier", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "20.12" }, { "model": "banking apis", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "18.3" }, { "model": "banking platform", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "2.9.0" }, { "model": "peoplesoft enterprise peopletools", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "8.58" }, { "model": "communications diameter intelligence hub", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "8.2.3" }, { "model": "communications cloud native core service communication proxy", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "1.14.0" }, { "model": "commons compress", "scope": "lt", "trust": 1.0, "vendor": "apache", "version": "1.21" }, { "model": "communications unified inventory management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "7.4.2" }, { "model": "communications session report manager", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "8.2.5.0" }, { "model": "financial services analytical applications infrastructure", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "8.1.1" }, { "model": "peoplesoft enterprise peopletools", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "8.59" }, { "model": "banking apis", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "19.1" }, { "model": "banking apis", "scope": "gte", "trust": 1.0, "vendor": "oracle", "version": "18.1" }, { "model": "webcenter portal", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "12.2.1.3.0" }, { "model": "financial services enterprise case management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "8.0.8.1.0" }, { "model": "banking party management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "2.7.0" }, { "model": "insurance policy administration", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "11.3.1" }, { "model": "healthcare data repository", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "8.1.0" }, { "model": "flexcube universal banking", "scope": "gte", "trust": 1.0, "vendor": "oracle", "version": "14.0.0" }, { "model": "banking enterprise default management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "2.7.0" }, { "model": "business process management suite", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "12.2.1.4.0" }, { "model": "communications cloud native core unified data repository", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "1.14.0" }, { "model": "banking payments", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.5" }, { "model": "utilities testing accelerator", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "6.0.0.1.1" }, { "model": "insurance policy administration", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "11.2.8" }, { "model": "communications element manager", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "8.2.4.0" }, { "model": "primavera unifier", "scope": "gte", "trust": 1.0, "vendor": "oracle", "version": "17.7" }, { "model": "banking digital experience", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "19.2" }, { "model": "banking apis", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "19.2" }, { "model": "banking apis", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "21.1" }, { "model": "financial services crime and compliance management studio", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "8.0.8.3.0" }, { "model": "business process management suite", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "12.2.1.3.0" }, { "model": "insurance policy administration", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "11.3.0" }, { "model": "communications messaging server", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "8.1" }, { "model": "financial services crime and compliance management studio", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "8.0.8.2.0" }, { "model": "peoplesoft enterprise peopletools", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "8.57" }, { "model": "communications unified inventory management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "7.4.0" }, { "model": "banking platform", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "2.7.1" }, { "model": "commerce guided search", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "11.3.2" }, { "model": "communications unified inventory management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "7.5.0" }, { "model": "insurance policy administration", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "11.1.0" }, { "model": "primavera gateway", "scope": "gte", "trust": 1.0, "vendor": "oracle", "version": "17.12.0" }, { "model": "flexcube universal banking", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "12.4" }, { "model": "flexcube universal banking", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.5" }, { "model": "banking digital experience", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "18.3" }, { "model": "utilities testing accelerator", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "6.0.0.3.1" }, { "model": "primavera gateway", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "20.12.7" }, { "model": "banking trade finance", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "14.5" }, { "model": "primavera gateway", "scope": "gte", "trust": 1.0, "vendor": "oracle", "version": "20.12.0" }, { "model": "financial services analytical applications infrastructure", "scope": "gte", "trust": 1.0, "vendor": "oracle", "version": "8.0.6" }, { "model": "banking digital experience", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "19.1" }, { "model": "primavera unifier", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "18.8" }, { "model": "flexcube universal banking", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "14.3.0" }, { "model": "utilities testing accelerator", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "6.0.0.2.2" }, { "model": "banking digital experience", "scope": "gte", "trust": 1.0, "vendor": "oracle", "version": "18.1" }, { "model": "primavera unifier", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "19.12" }, { "model": "communications diameter intelligence hub", "scope": "gte", "trust": 1.0, "vendor": "oracle", "version": "8.0.0" }, { "model": "commons compress", "scope": "gte", "trust": 1.0, "vendor": "apache", "version": "1.0" }, { "model": "oracle banking party management", "scope": null, "trust": 0.8, "vendor": "\u30aa\u30e9\u30af\u30eb", "version": null }, { "model": "hitachi automation director", "scope": null, "trust": 0.8, "vendor": "\u65e5\u7acb", "version": null }, { "model": "hitachi ops center automator", "scope": null, "trust": 0.8, "vendor": "\u65e5\u7acb", "version": null }, { "model": "oracle banking platform", "scope": null, "trust": 0.8, "vendor": "\u30aa\u30e9\u30af\u30eb", "version": null }, { "model": "oracle banking enterprise default management", "scope": null, "trust": 0.8, "vendor": "\u30aa\u30e9\u30af\u30eb", "version": null }, { "model": "commons compress", "scope": null, "trust": 0.8, "vendor": "apache", "version": null }, { "model": "oracle banking apis", "scope": null, "trust": 0.8, "vendor": "\u30aa\u30e9\u30af\u30eb", "version": null }, { "model": "oracle banking digital experience", "scope": null, "trust": 0.8, "vendor": "\u30aa\u30e9\u30af\u30eb", "version": null } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-008210" }, { "db": "NVD", "id": "CVE-2021-36090" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Red Hat", "sources": [ { "db": "PACKETSTORM", "id": "167815" }, { "db": "PACKETSTORM", "id": "167841" } ], "trust": 0.2 }, "cve": "CVE-2021-36090", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "nvd@nist.gov", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "exploitabilityScore": 10.0, "id": "CVE-2021-36090", "impactScore": 2.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 1.9, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "VULHUB", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "exploitabilityScore": 10.0, "id": "VHN-396451", "impactScore": 2.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 0.1, "vectorString": "AV:N/AC:L/AU:N/C:N/I:N/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "nvd@nist.gov", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "exploitabilityScore": 3.9, "id": "CVE-2021-36090", "impactScore": 3.6, "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 7.5, "baseSeverity": "High", "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2021-36090", "impactScore": null, "integrityImpact": "None", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" } ], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2021-36090", "trust": 1.0, "value": "HIGH" }, { "author": "NVD", "id": "CVE-2021-36090", "trust": 0.8, "value": "High" }, { "author": "CNNVD", "id": "CNNVD-202104-975", "trust": 0.6, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202107-899", "trust": 0.6, "value": "HIGH" }, { "author": "VULHUB", "id": "VHN-396451", "trust": 0.1, "value": "MEDIUM" }, { "author": "VULMON", "id": "CVE-2021-36090", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "VULHUB", "id": "VHN-396451" }, { "db": "VULMON", "id": "CVE-2021-36090" }, { "db": "JVNDB", "id": "JVNDB-2021-008210" }, { "db": "CNNVD", "id": "CNNVD-202104-975" }, { "db": "CNNVD", "id": "CNNVD-202107-899" }, { "db": "NVD", "id": "CVE-2021-36090" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress\u0027 zip package. Compress Contains an unspecified vulnerability.Denial of service (DoS) It may be put into a state. Pillow is a Python-based image processing library. \nThere is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.1] security, bug fix and update\nAdvisory ID: RHSA-2022:5555-01\nProduct: Red Hat Virtualization\nAdvisory URL: https://access.redhat.com/errata/RHSA-2022:5555\nIssue date: 2022-07-14\nCVE Names: CVE-2021-3807 CVE-2021-33623 CVE-2021-35515\n CVE-2021-35516 CVE-2021-35517 CVE-2021-36090\n CVE-2022-22950 CVE-2022-31051\n====================================================================\n1. Summary:\n\nUpdated ovirt-engine packages that fix several bugs and add various\nenhancements are now available. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch\n\n3. Description:\n\nThe ovirt-engine package provides the Red Hat Virtualization Manager, a\ncentralized management platform that allows system administrators to view\nand manage virtual machines. The Manager provides a comprehensive range of\nfeatures including search capabilities, resource management, live\nmigrations, and virtual infrastructure provisioning. \n\nA list of bugs fixed in this update is available in the Technical Notes\nbook:\nhttps://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes\n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/2974891\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1663217 - [RFE] Add RHV VM name to the matching between Satellite\u0027s content host to RHV (currently only VM FQDN is used)\n1782077 - [RFE] More Flexible RHV CPU Allocation Policy with HyperThreading\n1849045 - Differences between apidoc and REST API documentation about exporting VMs and templates to OVA\n1852308 - Snapshot fails to create with \u0027Invalid parameter: \u0027capacity\u001073741824\u0027\u0027 Exception\n1958032 - Live Storage Migration fails because replication filled the destination volume before extension. \n1966615 - CVE-2021-33623 nodejs-trim-newlines: ReDoS in .end() method\n1976607 - Deprecate QXL\n1981895 - CVE-2021-35515 apache-commons-compress: infinite loop when reading a specially crafted 7Z archive\n1981900 - CVE-2021-35516 apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive\n1981903 - CVE-2021-35517 apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive\n1981909 - CVE-2021-36090 apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive\n1994144 - [RHV 4.4.6] Mail recipient is not updated while configuring Event Notifications\n2001574 - Memory usage on Windows client browser while using move or copy disk operations on Admin web\n2001923 - NPE during RemoveSnapshotSingleDisk command\n2006625 - Engine generates VDS_HIGH_MEM_USE events for empty hosts that have most memory reserved by huge pages\n2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes\n2030293 - VM in locked state forever if manager is rebooted while exporting VM as OVA\n2068270 - RHV-M Admin Portal gives \u0027500 - Internal Server Error\" with command_entities in EXECUTION_FAILED status\n2069414 - CVE-2022-22950 spring-expression: Denial of service via specially crafted SpEL expression\n2070045 - UploadStreamVDSCommand fails with java.net.SocketTimeoutException after 20 seconds\n2072626 - RHV-M generates SNMPv3 trap with msgAuthoritativeEngineBoots: 0 despite multiple engine restarts\n2081241 - VFIO_MAP_DMA failed: Cannot allocate memory -12 (VM with GPU passthrough, Q35 machine and 16 vcpus)\n2081559 - [RFE] discrepancy tool should detect preallocated cow images that were reduced\n2089856 - [TestOnly] Bug 2015796 - [RFE] RHV Manager should support running on a host with DISA STIG security profile applied\n2092885 - Please say \"SP1\" on the landing page\n2093795 - Upgrade ovirt-log-collector to 4.4.6\n2097414 - CVE-2022-31051 semantic-release: Masked secrets can be disclosed if they contain characters that are excluded from uri encoding\n2099650 - Upgrade to latest version failed due to failed database schema refresh\n2105296 - cannot live migrate vm from rhv-h 4.4.10 to 4.50 (4.4.11)\n\n6. Package List:\n\nRHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:\n\nSource:\napache-commons-compress-1.21-1.2.el8ev.src.rpm\novirt-dependencies-4.5.2-1.el8ev.src.rpm\novirt-engine-4.5.1.2-0.11.el8ev.src.rpm\novirt-engine-dwh-4.5.3-1.el8ev.src.rpm\novirt-engine-ui-extensions-1.3.4-1.el8ev.src.rpm\novirt-log-collector-4.4.6-1.el8ev.src.rpm\novirt-web-ui-1.9.0-1.el8ev.src.rpm\npostgresql-jdbc-42.2.14-1.el8ev.src.rpm\nrhv-log-collector-analyzer-1.0.14-1.el8ev.src.rpm\nrhvm-branding-rhv-4.5.0-1.el8ev.src.rpm\n\nnoarch:\napache-commons-compress-1.21-1.2.el8ev.noarch.rpm\napache-commons-compress-javadoc-1.21-1.2.el8ev.noarch.rpm\novirt-dependencies-4.5.2-1.el8ev.noarch.rpm\novirt-engine-4.5.1.2-0.11.el8ev.noarch.rpm\novirt-engine-backend-4.5.1.2-0.11.el8ev.noarch.rpm\novirt-engine-dbscripts-4.5.1.2-0.11.el8ev.noarch.rpm\novirt-engine-dwh-4.5.3-1.el8ev.noarch.rpm\novirt-engine-dwh-grafana-integration-setup-4.5.3-1.el8ev.noarch.rpm\novirt-engine-dwh-setup-4.5.3-1.el8ev.noarch.rpm\novirt-engine-health-check-bundler-4.5.1.2-0.11.el8ev.noarch.rpm\novirt-engine-restapi-4.5.1.2-0.11.el8ev.noarch.rpm\novirt-engine-setup-4.5.1.2-0.11.el8ev.noarch.rpm\novirt-engine-setup-base-4.5.1.2-0.11.el8ev.noarch.rpm\novirt-engine-setup-plugin-cinderlib-4.5.1.2-0.11.el8ev.noarch.rpm\novirt-engine-setup-plugin-imageio-4.5.1.2-0.11.el8ev.noarch.rpm\novirt-engine-setup-plugin-ovirt-engine-4.5.1.2-0.11.el8ev.noarch.rpm\novirt-engine-setup-plugin-ovirt-engine-common-4.5.1.2-0.11.el8ev.noarch.rpm\novirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.1.2-0.11.el8ev.noarch.rpm\novirt-engine-setup-plugin-websocket-proxy-4.5.1.2-0.11.el8ev.noarch.rpm\novirt-engine-tools-4.5.1.2-0.11.el8ev.noarch.rpm\novirt-engine-tools-backup-4.5.1.2-0.11.el8ev.noarch.rpm\novirt-engine-ui-extensions-1.3.4-1.el8ev.noarch.rpm\novirt-engine-vmconsole-proxy-helper-4.5.1.2-0.11.el8ev.noarch.rpm\novirt-engine-webadmin-portal-4.5.1.2-0.11.el8ev.noarch.rpm\novirt-engine-websocket-proxy-4.5.1.2-0.11.el8ev.noarch.rpm\novirt-log-collector-4.4.6-1.el8ev.noarch.rpm\novirt-web-ui-1.9.0-1.el8ev.noarch.rpm\npostgresql-jdbc-42.2.14-1.el8ev.noarch.rpm\npostgresql-jdbc-javadoc-42.2.14-1.el8ev.noarch.rpm\npython3-ovirt-engine-lib-4.5.1.2-0.11.el8ev.noarch.rpm\nrhv-log-collector-analyzer-1.0.14-1.el8ev.noarch.rpm\nrhvm-4.5.1.2-0.11.el8ev.noarch.rpm\nrhvm-branding-rhv-4.5.0-1.el8ev.noarch.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2021-3807\nhttps://access.redhat.com/security/cve/CVE-2021-33623\nhttps://access.redhat.com/security/cve/CVE-2021-35515\nhttps://access.redhat.com/security/cve/CVE-2021-35516\nhttps://access.redhat.com/security/cve/CVE-2021-35517\nhttps://access.redhat.com/security/cve/CVE-2021-36090\nhttps://access.redhat.com/security/cve/CVE-2022-22950\nhttps://access.redhat.com/security/cve/CVE-2022-31051\nhttps://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes\nhttps://access.redhat.com/security/updates/classification/#moderate\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2022 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBYuFkB9zjgjWX9erEAQhJEQ//eXBYq/X5gI7umxdyGiiBdWtu+p7OuQ65\nfGKy0dmJSIB5IzbmSxekBwRn23cSbFtRQxm25RbE+AwxD7a57pPJXJy3Wjvz+MKl\nwGJADj6Ia+4APGc4D63vkFZb7e9beUX4ehIswzADD+eYdT6hSoxzeFCSoNVS52ih\ngjqZvAb5HoDHiqO5EZPyhnb29xwMVO4obMQlpVe4BcPBjIS4CkW9Uh7x4YB9/778\nhGYqgzquGa1TEqChw8Hhy8TSmA3g5b66ywsxNrllHDgTN/hG8iEcWw3V+e23Ubbi\nzb8rpu1Lm/36RYMyYwUiLg/F8ePbNnIdb1bllFDAUq9M7lH5hs77KDPj00Ff7+xh\nnwOgG5ktIMP/7KNsKUxPf/W94Yi6R9pZH3J2PXV2YjpDd8L6LNXGK5q5A3yjGksr\ntXZmQ2+jckXeel1vDvJ3qlkfHHNS1gvcQvNWci5EBOoeqEKQUTJZJQoucTbrhp2M\n8502HAzHGRinjVnLizT/6JnEuGvHVwy8O8yx/D2UEEz7FsCDxPG0bBb+8Iy+6ZZb\n/EcTamIUpmyxEZ9AdQxW++GoaGWckYaMEVjcIbWvExP1kAlWY2E5uuaizlrLh116\nfonyYo2esLh8mFN8OmcZhPDwJGuzlFL+mhOn6OQi8/ZmfkHPItSWVv772vKA1zlT\nyetpCCo5iV4=Muhw\n-----END PGP SIGNATURE-----\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n. Summary:\n\nA minor version update (from 7.10 to 7.11) is now available for Red Hat\nFuse. The purpose of this text-only errata is to inform you about the\nsecurity issues fixed in this release. Description:\n\nThis release of Red Hat Fuse 7.11.0 serves as a replacement for Red Hat\nFuse 7.10 and includes bug fixes and enhancements, which are documented in\nthe Release Notes document linked in the References. \n\nSecurity Fix(es):\n\n* fastjson (CVE-2022-25845)\n\n* jackson-databind (CVE-2020-36518)\n\n* mysql-connector-java (CVE-2021-2471, CVE-2022-21363)\n\n* undertow (CVE-2022-1259, CVE-2021-3629, CVE-2022-1319)\n\n* wildfly-elytron (CVE-2021-3642)\n\n* nodejs-ansi-regex (CVE-2021-3807, CVE-2021-3807)\n\n* 3 qt (CVE-2021-3859)\n\n* kubernetes-client (CVE-2021-4178)\n\n* spring-security (CVE-2021-22119)\n\n* protobuf-java (CVE-2021-22569)\n\n* google-oauth-client (CVE-2021-22573)\n\n* XStream (CVE-2021-29505, CVE-2021-43859)\n\n* jdom (CVE-2021-33813, CVE-2021-33813)\n\n* apache-commons-compress (CVE-2021-35515, CVE-2021-35516, CVE-2021-35517,\nCVE-2021-36090)\n\n* Kafka (CVE-2021-38153)\n\n* xml-security (CVE-2021-40690)\n\n* logback (CVE-2021-42550)\n\n* netty (CVE-2021-43797)\n\n* xnio (CVE-2022-0084)\n\n* jdbc-postgresql (CVE-2022-21724)\n\n* spring-expression (CVE-2022-22950)\n\n* springframework (CVE-2021-22096, CVE-2021-22060, CVE-2021-22096,\nCVE-2022-22976, CVE-2022-22970, CVE-2022-22971, CVE-2022-22978)\n\n* h2 (CVE-2022-23221)\n\n* junrar (CVE-2022-23596)\n\n* artemis-commons (CVE-2022-23913)\n\n* elasticsearch (CVE-2020-7020)\n\n* tomcat (CVE-2021-24122, CVE-2021-25329, CVE-2020-9484, CVE-2021-25122,\nCVE-2021-33037, CVE-2021-30640, CVE-2021-41079, CVE-2021-42340,\nCVE-2022-23181)\n\n* junit4 (CVE-2020-15250)\n\n* wildfly-core (CVE-2020-25689, CVE-2021-3644)\n\n* kotlin (CVE-2020-29582)\n\n* karaf (CVE-2021-41766, CVE-2022-22932)\n\n* Spring Framework (CVE-2022-22968)\n\n* metadata-extractor (CVE-2022-24614)\n\n* poi-scratchpad (CVE-2022-26336)\n\n* postgresql-jdbc (CVE-2022-26520)\n\n* tika-core (CVE-2022-30126)\n\nFor more details about the security issues, including the impact, CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. Solution:\n\nBefore applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on. \n\nInstallation instructions are available from the Fuse 7.11.0 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1838332 - CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE\n1887810 - CVE-2020-15250 junit4: TemporaryFolder is shared between all users across system which could result in information disclosure\n1893070 - CVE-2020-25689 wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-controller\n1893125 - CVE-2020-7020 elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure\n1917209 - CVE-2021-24122 tomcat: Information disclosure when using NTFS file system\n1930291 - CVE-2020-29582 kotlin: vulnerable Java API was used for temporary file and folder creation which could result in information disclosure\n1934032 - CVE-2021-25122 tomcat: Request mix-up with h2c\n1934061 - CVE-2021-25329 tomcat: Incomplete fix for CVE-2020-9484 (RCE via session persistence)\n1966735 - CVE-2021-29505 XStream: remote command execution attack by manipulating the processed input stream\n1973413 - CVE-2021-33813 jdom: XXE allows attackers to cause a DoS via a crafted HTTP request\n1976052 - CVE-2021-3644 wildfly-core: Invalid Sensitivity Classification of Vault Expression\n1977064 - CVE-2021-22119 spring-security: Denial-of-Service (DoS) attack via initiation of Authorization Request\n1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS\n1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer\n1981533 - CVE-2021-33037 tomcat: HTTP request smuggling when used with a reverse proxy\n1981544 - CVE-2021-30640 tomcat: JNDI realm authentication weakness\n1981895 - CVE-2021-35515 apache-commons-compress: infinite loop when reading a specially crafted 7Z archive\n1981900 - CVE-2021-35516 apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive\n1981903 - CVE-2021-35517 apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive\n1981909 - CVE-2021-36090 apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive\n2004820 - CVE-2021-41079 tomcat: Infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE engine\n2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes\n2009041 - CVE-2021-38153 Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients\n2010378 - CVE-2021-3859 undertow: client side invocation timeout raised when calling over HTTP2\n2011190 - CVE-2021-40690 xml-security: XPath Transform abuse allows for information disclosure\n2014356 - CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS\n2020583 - CVE-2021-2471 mysql-connector-java: unauthorized access to critical\n2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling\n2033560 - CVE-2021-42550 logback: remote code execution through JNDI call from within its configuration file\n2034388 - CVE-2021-4178 kubernetes-client: Insecure deserialization in unmarshalYaml method\n2034584 - CVE-2021-22096 springframework: malicious input leads to insertion of additional log entries\n2039903 - CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data\n2044596 - CVE-2022-23221 h2: Loading of custom classes from remote servers through JNDI\n2046279 - CVE-2022-22932 karaf: path traversal flaws\n2046282 - CVE-2021-41766 karaf: insecure java deserialization\n2047343 - CVE-2022-21363 mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors\n2047417 - CVE-2022-23181 tomcat: local privilege escalation vulnerability\n2049778 - CVE-2022-23596 junrar: A carefully crafted RAR archive can trigger an infinite loop while extracting\n2049783 - CVE-2021-43859 xstream: Injecting highly recursive collections or maps can cause a DoS\n2050863 - CVE-2022-21724 jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes\n2055480 - CVE-2021-22060 springframework: Additional Log Injection in Spring Framework (follow-up to CVE-2021-22096)\n2058763 - CVE-2022-24614 metadata-extractor: Out-of-memory when reading a specially crafted JPEG file\n2063292 - CVE-2022-26336 poi-scratchpad: A carefully crafted TNEF file can cause an out of memory exception\n2063601 - CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS\n2064007 - CVE-2022-26520 postgresql-jdbc: Arbitrary File Write Vulnerability\n2064226 - CVE-2022-0084 xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr\n2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects\n2069414 - CVE-2022-22950 spring-expression: Denial of service via specially crafted SpEL expression\n2072339 - CVE-2022-1259 undertow: potential security issue in flow control over HTTP/2 may lead to DOS(incomplete fix for CVE-2021-3629)\n2073890 - CVE-2022-1319 undertow: Double AJP response for 400 from EAP 7 results in CPING failures\n2075441 - CVE-2022-22968 Spring Framework: Data Binding Rules Vulnerability\n2081879 - CVE-2021-22573 google-oauth-client: Token signature not verified\n2087214 - CVE-2022-22976 springframework: BCrypt skips salt rounds for work factor of 31\n2087272 - CVE-2022-22970 springframework: DoS via data binding to multipartFile or servlet part\n2087274 - CVE-2022-22971 springframework: DoS with STOMP over WebSocket\n2087606 - CVE-2022-22978 springframework: Authorization Bypass in RegexRequestMatcher\n2088523 - CVE-2022-30126 tika-core: Regular Expression Denial of Service in standards extractor\n2100654 - CVE-2022-25845 fastjson: autoType shutdown restriction bypass leads to deserialization\n\n5", "sources": [ { "db": "NVD", "id": "CVE-2021-36090" }, { "db": "JVNDB", "id": "JVNDB-2021-008210" }, { "db": "CNNVD", "id": "CNNVD-202104-975" }, { "db": "VULHUB", "id": "VHN-396451" }, { "db": "VULMON", "id": "CVE-2021-36090" }, { "db": "PACKETSTORM", "id": "167815" }, { "db": "PACKETSTORM", "id": "167841" } ], "trust": 2.52 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2021-36090", "trust": 3.6 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2021/07/13/6", "trust": 1.8 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2021/07/13/4", "trust": 1.8 }, { "db": "PACKETSTORM", "id": "167815", "trust": 0.8 }, { "db": "JVNDB", "id": "JVNDB-2021-008210", "trust": 0.8 }, { "db": "CS-HELP", "id": "SB2021041363", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202104-975", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2021.3130", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2021.2651", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2021.3397", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021120114", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022011911", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022072013", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021123007", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021071408", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022032011", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022060703", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022042212", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022011224", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022060812", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021100411", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021080809", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022071701", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022012750", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021122809", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022012324", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202107-899", "trust": 0.6 }, { "db": "VULHUB", "id": "VHN-396451", "trust": 0.1 }, { "db": "VULMON", "id": "CVE-2021-36090", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "167841", "trust": 0.1 } ], "sources": [ { "db": "VULHUB", "id": "VHN-396451" }, { "db": "VULMON", "id": "CVE-2021-36090" }, { "db": "JVNDB", "id": "JVNDB-2021-008210" }, { "db": "PACKETSTORM", "id": "167815" }, { "db": "PACKETSTORM", "id": "167841" }, { "db": "CNNVD", "id": "CNNVD-202104-975" }, { "db": "CNNVD", "id": "CNNVD-202107-899" }, { "db": "NVD", "id": "CVE-2021-36090" } ] }, "id": "VAR-202107-1555", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VULHUB", "id": "VHN-396451" } ], "trust": 0.01 }, "last_update_date": "2024-08-14T12:44:02.099000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "hitachi-sec-2022-109 Software product security information", "trust": 0.8, "url": "https://lists.apache.org/thread.html/r54049b66afbca766b6763c7531e9fe7a20293a112bcb65462a134949@%3Ccommits.drill.apache.org%3E" }, { "title": "Apache Commons Compress Security vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=178518" }, { "title": "Red Hat: CVE-2021-36090", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2021-36090" }, { "title": "Red Hat: Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.1] security, bug fix and update", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20225555 - Security Advisory" }, { "title": "Debian CVElist Bug Report Logs: libcommons-compress-java: CVE-2021-36090 CVE-2021-35517 CVE-2021-35516 CVE-2021-35515", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=8eed6c5046e41c171ae74a270f231be6" }, { "title": "Hitachi Security Advisories: Multiple Vulnerabilities in Hitachi Automation Director and Hitachi Ops Center Automator", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=hitachi_security_advisories\u0026qid=hitachi-sec-2022-109" }, { "title": "IBM: Security Bulletin: For IBM Cloudpak for Watson AIOPS 3.5.1", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=62046b52173657c354e061b2ffdf9254" }, { "title": "Red Hat: Important: Red Hat Fuse 7.11.0 release and security update", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20225532 - Security Advisory" }, { "title": "", "trust": 0.1, "url": "https://github.com/Ubiquiti-Android-FW/mtk-t0-mp5-aiot-V5.102-platform-external-jazzer-api " } ], "sources": [ { "db": "VULMON", "id": "CVE-2021-36090" }, { "db": "JVNDB", "id": "JVNDB-2021-008210" }, { "db": "CNNVD", "id": "CNNVD-202107-899" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-130", "trust": 1.0 }, { "problemtype": "NVD-CWE-Other", "trust": 1.0 }, { "problemtype": "Other (CWE-Other) [NVD Evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-008210" }, { "db": "NVD", "id": "CVE-2021-36090" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.4, "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "trust": 2.4, "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "trust": 1.8, "url": "https://security.netapp.com/advisory/ntap-20211022-0001/" }, { "trust": 1.8, "url": "https://commons.apache.org/proper/commons-compress/security-reports.html" }, { "trust": 1.8, "url": "https://lists.apache.org/thread.html/rc4134026d7d7b053d4f9f2205531122732405012c8804fd850a9b26f%40%3cuser.commons.apache.org%3e" }, { "trust": 1.8, "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "trust": 1.8, "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "trust": 1.8, "url": "http://www.openwall.com/lists/oss-security/2021/07/13/4" }, { "trust": 1.8, "url": "http://www.openwall.com/lists/oss-security/2021/07/13/6" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r0e87177f8e78b4ee453cd4d3d8f4ddec6f10d2c27707dd71e12cafc9%40%3cannounce.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r25f4c44616045085bc3cf901bb7e68e445eee53d1966fc08998fc456%40%3cdev.drill.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r3227b1287e5bd8db6523b862c22676b046ad8f4fc96433225f46a2bd%40%3cissues.drill.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r4f03c5de923e3f2a8c316248681258125140514ef3307bfe1538e1ab%40%3cdev.drill.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r54049b66afbca766b6763c7531e9fe7a20293a112bcb65462a134949%40%3ccommits.drill.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3cdev.poi.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r75ffc7a461e7e7ae77690fa75bd47bb71365c732e0fbcc44da4f8ff5%40%3cdev.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r9a23d4dbf4e34d498664080bff59f2893b855eb16dae33e4aa92fa53%40%3cannounce.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3cnotifications.skywalking.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e652b8185a6059945%40%3ccommits.druid.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3cnotifications.skywalking.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3ccommits.pulsar.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rb5fa2ee61828fa2e42361b58468717e84902dd71c4aea8dc0b865df7%40%3cnotifications.james.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3cnotifications.skywalking.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3cnotifications.skywalking.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3cnotifications.skywalking.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rbbf42642c3e4167788a7c13763d192ee049604d099681f765385d99d%40%3cdev.drill.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c491c6482a2ed57%40%3ccommits.druid.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rc7df4c2f0bbe2028a1498a46d322c91184f7a369e3e4c57d9518cacf%40%3cdev.drill.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3cnotifications.skywalking.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3cuser.ant.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88%40%3ccommits.druid.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rf3f0a09fee197168a813966c5816157f6c600a47313a0d6813148ea6%40%3cissues.drill.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rf93b6bb267580e01deb7f3696f7eaca00a290c66189a658cf7230a1a%40%3cissues.drill.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3cnotifications.skywalking.apache.org%3e" }, { "trust": 0.9, "url": "https://access.redhat.com/security/cve/cve-2021-36090" }, { "trust": 0.9, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-36090" }, { "trust": 0.8, "url": "https://lists.apache.org/thread.html/r9a23d4dbf4e34d498664080bff59f2893b855eb16dae33e4aa92fa53@%3cannounce.apache.org%3e" }, { "trust": 0.8, "url": "https://lists.apache.org/thread.html/r0e87177f8e78b4ee453cd4d3d8f4ddec6f10d2c27707dd71e12cafc9@%3cannounce.apache.org%3e" }, { "trust": 0.8, "url": "https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38@%3cuser.ant.apache.org%3e" }, { "trust": 0.8, "url": "https://lists.apache.org/thread.html/r54049b66afbca766b6763c7531e9fe7a20293a112bcb65462a134949@%3ccommits.drill.apache.org%3e" }, { "trust": 0.8, "url": "https://lists.apache.org/thread.html/rc7df4c2f0bbe2028a1498a46d322c91184f7a369e3e4c57d9518cacf@%3cdev.drill.apache.org%3e" }, { "trust": 0.8, "url": "https://lists.apache.org/thread.html/r4f03c5de923e3f2a8c316248681258125140514ef3307bfe1538e1ab@%3cdev.drill.apache.org%3e" }, { "trust": 0.8, "url": "https://lists.apache.org/thread.html/rbbf42642c3e4167788a7c13763d192ee049604d099681f765385d99d@%3cdev.drill.apache.org%3e" }, { "trust": 0.8, "url": "https://lists.apache.org/thread.html/r25f4c44616045085bc3cf901bb7e68e445eee53d1966fc08998fc456@%3cdev.drill.apache.org%3e" }, { "trust": 0.8, "url": "https://lists.apache.org/thread.html/rf3f0a09fee197168a813966c5816157f6c600a47313a0d6813148ea6@%3cissues.drill.apache.org%3e" }, { "trust": 0.8, "url": "https://lists.apache.org/thread.html/rf93b6bb267580e01deb7f3696f7eaca00a290c66189a658cf7230a1a@%3cissues.drill.apache.org%3e" }, { "trust": 0.8, "url": "https://lists.apache.org/thread.html/r3227b1287e5bd8db6523b862c22676b046ad8f4fc96433225f46a2bd@%3cissues.drill.apache.org%3e" }, { "trust": 0.8, "url": "https://lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e652b8185a6059945@%3ccommits.druid.apache.org%3e" }, { "trust": 0.8, "url": "https://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88@%3ccommits.druid.apache.org%3e" }, { "trust": 0.8, "url": "https://lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c491c6482a2ed57@%3ccommits.druid.apache.org%3e" }, { "trust": 0.8, "url": "https://lists.apache.org/thread.html/rb5fa2ee61828fa2e42361b58468717e84902dd71c4aea8dc0b865df7@%3cnotifications.james.apache.org%3e" }, { "trust": 0.8, "url": "https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3cdev.poi.apache.org%3e" }, { "trust": 0.8, "url": "https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3ccommits.pulsar.apache.org%3e" }, { "trust": 0.8, "url": "https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3cnotifications.skywalking.apache.org%3e" }, { "trust": 0.8, "url": "https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3cnotifications.skywalking.apache.org%3e" }, { "trust": 0.8, "url": "https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e@%3cnotifications.skywalking.apache.org%3e" }, { "trust": 0.8, "url": "https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3cnotifications.skywalking.apache.org%3e" }, { "trust": 0.8, "url": "https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040@%3cnotifications.skywalking.apache.org%3e" }, { "trust": 0.8, "url": "https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a@%3cnotifications.skywalking.apache.org%3e" }, { "trust": 0.8, "url": "https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742@%3cnotifications.skywalking.apache.org%3e" }, { "trust": 0.8, "url": "https://lists.apache.org/thread.html/r75ffc7a461e7e7ae77690fa75bd47bb71365c732e0fbcc44da4f8ff5@%3cdev.tomcat.apache.org%3e" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021041363" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021122809" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022072013" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021080809" }, { "trust": 0.6, "url": "https://www.ibm.com/support/pages/node/6501221" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022060703" }, { "trust": 0.6, "url": "https://www.ibm.com/support/pages/node/6507013" }, { "trust": 0.6, "url": "https://www.ibm.com/support/pages/node/6527136" }, { "trust": 0.6, "url": "https://www.ibm.com/support/pages/node/6528202" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022011224" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb20220422121" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/167815/red-hat-security-advisory-2022-5555-01.html" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2021.3397" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021071408" }, { "trust": 0.6, "url": "https://www.ibm.com/support/pages/node/6509702" }, { "trust": 0.6, "url": "https://www.ibm.com/support/pages/node/6526070" }, { "trust": 0.6, "url": "https://www.ibm.com/support/pages/node/6519948" }, { "trust": 0.6, "url": "https://www.ibm.com/support/pages/node/6514411" }, { "trust": 0.6, "url": "https://www.ibm.com/support/pages/node/6482503" }, { "trust": 0.6, "url": "https://www.ibm.com/support/pages/node/6516776" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2021.3130" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021120114" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021123007" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022012750" }, { "trust": 0.6, "url": "https://www.ibm.com/support/pages/node/6498141" }, { "trust": 0.6, "url": "https://www.ibm.com/support/pages/node/6492617" }, { "trust": 0.6, "url": "https://www.ibm.com/support/pages/node/6516470" }, { "trust": 0.6, "url": "https://www.ibm.com/support/pages/node/6524930" }, { "trust": 0.6, "url": "https://www.ibm.com/support/pages/node/6525722" }, { "trust": 0.6, "url": "https://vigilance.fr/vulnerability/apache-commons-compress-denial-of-service-via-zip-36055" }, { "trust": 0.6, "url": "https://www.ibm.com/support/pages/node/6489683" }, { "trust": 0.6, "url": "https://www.ibm.com/support/pages/node/6492217" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022060812" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022012324" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022032011" }, { "trust": 0.6, "url": "https://www.ibm.com/support/pages/node/6525250" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022011911" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2021.2651" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021100411" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022071701" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2021-3807" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2021-35517" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2021-35516" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2022-22950" }, { "trust": 0.2, "url": "https://access.redhat.com/security/team/contact/" }, { "trust": 0.2, "url": "https://bugzilla.redhat.com/):" }, { "trust": 0.2, "url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2021-35515" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-33623" }, { "trust": 0.1, "url": "https://access.redhat.com/security/team/key/" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2022:5555" }, { "trust": 0.1, "url": "https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-35515" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-33623" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-35516" }, { "trust": 0.1, "url": "https://access.redhat.com/articles/2974891" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-22950" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-31051" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-35517" }, { "trust": 0.1, "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3807" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-31051" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3629" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-29582" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-40690" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-0084" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-25122" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-25845" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-22060" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-22573" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-25122" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-2471" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-26336" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-22119" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-24122" }, { "trust": 0.1, "url": "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-22569" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-22970" }, { "trust": 0.1, "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions\u0026product=jboss.fuse\u0026version=7.11.0" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-7020" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-22119" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-23913" }, { "trust": 0.1, "url": "https://access.redhat.com/security/updates/classification/#important" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-33813" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-21724" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-22932" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-30126" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-22978" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-33037" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-25329" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-42340" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3642" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3859" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-30640" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-4178" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-22971" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-22096" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-41079" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-38153" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-15250" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-23181" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-36518" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-15250" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-43797" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-22096" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-22976" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-22573" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-7020" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-22968" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-1319" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-24614" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-25689" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-22569" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-23596" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-25689" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-24122" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-23221" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-22060" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-21363" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-9484" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-43859" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-26520" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-2471" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-42550" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-9484" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-41766" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-29505" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-29582" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-36518" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2022-1259" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2022:5532" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3644" } ], "sources": [ { "db": "VULHUB", "id": "VHN-396451" }, { "db": "VULMON", "id": "CVE-2021-36090" }, { "db": "JVNDB", "id": "JVNDB-2021-008210" }, { "db": "PACKETSTORM", "id": "167815" }, { "db": "PACKETSTORM", "id": "167841" }, { "db": "CNNVD", "id": "CNNVD-202104-975" }, { "db": "CNNVD", "id": "CNNVD-202107-899" }, { "db": "NVD", "id": "CVE-2021-36090" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULHUB", "id": "VHN-396451" }, { "db": "VULMON", "id": "CVE-2021-36090" }, { "db": "JVNDB", "id": "JVNDB-2021-008210" }, { "db": "PACKETSTORM", "id": "167815" }, { "db": "PACKETSTORM", "id": "167841" }, { "db": "CNNVD", "id": "CNNVD-202104-975" }, { "db": "CNNVD", "id": "CNNVD-202107-899" }, { "db": "NVD", "id": "CVE-2021-36090" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-07-13T00:00:00", "db": "VULHUB", "id": "VHN-396451" }, { "date": "2021-07-13T00:00:00", "db": "VULMON", "id": "CVE-2021-36090" }, { "date": "2022-03-08T00:00:00", "db": "JVNDB", "id": "JVNDB-2021-008210" }, { "date": "2022-07-27T17:20:03", "db": "PACKETSTORM", "id": "167815" }, { "date": "2022-07-27T17:27:19", "db": "PACKETSTORM", "id": "167841" }, { "date": "2021-04-13T00:00:00", "db": "CNNVD", "id": "CNNVD-202104-975" }, { "date": "2021-07-13T00:00:00", "db": "CNNVD", "id": "CNNVD-202107-899" }, { "date": "2021-07-13T08:15:07.310000", "db": "NVD", "id": "CVE-2021-36090" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-02-28T00:00:00", "db": "VULHUB", "id": "VHN-396451" }, { "date": "2023-02-28T00:00:00", "db": "VULMON", "id": "CVE-2021-36090" }, { "date": "2022-03-08T02:38:00", "db": "JVNDB", "id": "JVNDB-2021-008210" }, { "date": "2021-04-14T00:00:00", "db": "CNNVD", "id": "CNNVD-202104-975" }, { "date": "2022-07-28T00:00:00", "db": "CNNVD", "id": "CNNVD-202107-899" }, { "date": "2023-11-07T03:36:42.777000", "db": "NVD", "id": "CVE-2021-36090" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202107-899" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Compress\u00a0 Vulnerability in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-008210" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-202104-975" }, { "db": "CNNVD", "id": "CNNVD-202107-899" } ], "trust": 1.2 } }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.