Red Hat: RHSA-2023:2100

(RHSA-2023:2100) Important: Red Hat Integration Camel for Spring Boot 3.20.1 security update

Published: May 03, 2023 - 2:03 p.m.
Source: access.redhat.com
AI Score: 8.2 High (confidence: Low)
EPSS: 0.034 Low (percentile: 91.4%)

This release of Camel for Spring Boot 3.20.1 serves as a replacement for Camel for Spring Boot 3.18.3 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.

The purpose of this text-only errata is to inform you about the security issues fixed.

Security Fix(es):

  • snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)

  • JXPath: untrusted XPath expressions may lead to remote code execution (CVE-2022-41852)

  • hsqldb: untrusted input may lead to remote code execution (CVE-2022-41853)

  • xstream: Denial of Service via injected recursive collections or maps whose element hash values trigger a stack overflow (CVE-2022-41966)

  • springframework: security bypass with un-prefixed double wildcard pattern (CVE-2023-20860)

  • apache-commons-net: FTP client trusts the host from the PASV response by default (CVE-2021-37533)

  • undertow: server identity in HTTPS connections is not checked by the undertow client (CVE-2022-4492)

  • apache-spark: XSS vulnerability in log viewer UI JavaScript (CVE-2022-31777)

  • Apache Pulsar: improper hostname verification in Java client and proxy can expose authentication data via MITM (CVE-2022-33681)

  • apache-ivy: directory traversal (CVE-2022-37865)

  • apache-ivy: path traversal (CVE-2022-37866)

  • batik: Server-Side Request Forgery (CVE-2022-38398)

  • batik: Server-Side Request Forgery (CVE-2022-38648)

  • snakeyaml: uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)

  • snakeyaml: uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)

  • snakeyaml: uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)

  • snakeyaml: uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)

  • scandium: failing DTLS handshakes may cause throttling to block processing of records (CVE-2022-39368)

  • batik: Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-40146)

  • xstream: Denial of Service via stack overflow when parsing user-supplied XML data (CVE-2022-40151)

  • woodstox-core: Denial of Service via stack overflow when parsing user-supplied XML data (CVE-2022-40152)

  • xstream: Denial of Service via stack overflow when parsing user-supplied XML data (CVE-2022-40156)

  • batik: Apache XML Graphics Batik vulnerable to code execution via SVG (CVE-2022-41704)

  • snakeyaml: DoS via stack overflow (CVE-2022-41854)

  • codec-haproxy: HAProxyMessageDecoder stack exhaustion DoS (CVE-2022-41881)

  • jackson-databind: resource exhaustion from deep wrapper-array nesting when UNWRAP_SINGLE_VALUE_ARRAYS is enabled (CVE-2022-42003)

  • jackson-databind: resource exhaustion via deeply nested arrays (CVE-2022-42004)

  • batik: untrusted code execution in Apache XML Graphics Batik (CVE-2022-42890)

  • jettison: uncontrolled recursion in JSONArray (CVE-2023-1436)

  • springframework: Spring Expression DoS vulnerability (CVE-2023-20861)

  • shiro: authentication bypass through a specially crafted HTTP request (CVE-2023-22602)

  • Apache Commons FileUpload: FileUpload DoS with excessive parts (CVE-2023-24998)

  • jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)

  • springframework: Spring Expression DoS vulnerability (CVE-2023-20863)

  • json-smart: uncontrolled resource consumption in json-smart (resource exhaustion) (CVE-2023-1370)
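The commons-net entry (CVE-2021-37533) describes a client that opens its data connection to whatever address the server advertises in the PASV reply, so a hostile server can point the client at hosts on the client's own network. The snippet below is an added illustration of the check, written in Python rather than the Java library the advisory covers, and is not Red Hat's or commons-net's code: it parses the RFC 959 "227" reply, keeps the control-connection host by default (the behaviour commons-net 3.9.0 adopted), and exposes the pre-fix behaviour only behind an explicit flag. The sample reply and hosts are constructed.

```python
import re

# RFC 959 section 4.1.2: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
_PASV_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Extract (advertised_host, port) from a PASV reply; reject anything malformed."""
    if not reply.startswith("227"):
        raise ValueError(f"expected a 227 reply, got {reply!r}")
    match = _PASV_TUPLE.search(reply)
    if match is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {reply!r}")
    fields = [int(x) for x in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"octet out of range in {reply!r}")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def data_endpoint(control_host: str, reply: str,
                  trust_advertised_host: bool = False) -> tuple[str, int]:
    """Choose the data-connection target for a PASV reply.

    Safe default: keep the host we dialled for the control connection and take
    only the port from the reply.  trust_advertised_host=True reproduces the
    vulnerable behaviour, in which the server-supplied address is followed and
    a malicious server can redirect the data connection to an arbitrary host.
    """
    advertised_host, port = parse_pasv(reply)
    if trust_advertised_host:
        return advertised_host, port
    return control_host, port


def redirect_attempted(control_host: str, reply: str) -> bool:
    """True when the server advertised a data host other than the one we dialled.
    Worth logging: it is either a NAT misconfiguration or an attack attempt."""
    advertised_host, _ = parse_pasv(reply)
    return advertised_host != control_host


if __name__ == "__main__":
    # Constructed sample: we connected to 203.0.113.5 and the server answers
    # with an internal address, as a hostile or misconfigured server would.
    reply = "227 Entering Passive Mode (192,168,1,10,195,80)."
    print(data_endpoint("203.0.113.5", reply))            # ('203.0.113.5', 50000)
    print(data_endpoint("203.0.113.5", reply, True))      # ('192.168.1.10', 50000)
    print(redirect_attempted("203.0.113.5", reply))       # True
```

The same rule applies to any FTP client library you wrap in a Camel route: treat the PASV host as untrusted, use the port only, and alert on mismatches rather than silently following them.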
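Many of the Denial of Service entries above (snakeyaml CVE-2022-25857 and CVE-2022-41854, jackson-databind CVE-2022-42003 and CVE-2022-42004, jettison CVE-2023-1436, json-smart CVE-2023-1370, the xstream and woodstox stack overflows) share one root cause: a recursive-descent parser fed input nested deeper than its stack or heap can take. The example below is an added illustration of the defensive pattern, not code from the advisory or from any of the listed libraries, and uses Python's json module as a stand-in for the Java parsers: a non-recursive linear scan measures nesting depth and enforces a size limit before the real parser ever sees the document. The deeply nested payload is constructed in the block itself.

```python
import json


def max_nesting_depth(text: str) -> int:
    """Maximum [ / { nesting depth of a JSON document, computed in one linear
    pass with no recursion, so it is safe to run on hostile input.
    Brackets inside string literals (including escaped quotes) are ignored."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > max_depth:
                max_depth = depth
        elif ch in "]}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced closing bracket")
    if in_string or depth != 0:
        raise ValueError("unterminated string or unbalanced brackets")
    return max_depth


def bounded_loads(text: str, max_depth: int = 32, max_chars: int = 1_000_000):
    """Parse JSON only after enforcing size and nesting limits, so oversized
    input fails with a ValueError instead of a RecursionError or OOM."""
    if len(text) > max_chars:
        raise ValueError(f"document of {len(text)} chars exceeds {max_chars}")
    depth = max_nesting_depth(text)
    if depth > max_depth:
        raise ValueError(f"nesting depth {depth} exceeds limit {max_depth}")
    return json.loads(text)


def deeply_nested_payload(levels: int) -> str:
    """Constructed attack input: `levels` nested arrays around a single value."""
    return "[" * levels + "0" + "]" * levels


if __name__ == "__main__":
    print(bounded_loads('{"a": [1, {"b": "]]]]"}]}'))   # {'a': [1, {'b': ']]]]'}]}
    try:
        bounded_loads(deeply_nested_payload(100_000))
    except ValueError as exc:
        print("rejected:", exc)   # rejected: nesting depth 100000 exceeds limit 32
```

Pick the depth limit from what your routes legitimately exchange; a few dozen levels covers almost every real API payload. The patched Java libraries expose equivalent knobs (SnakeYAML's LoaderOptions nesting depth limit, Jackson 2.15's StreamReadConstraints), and the pre-scan above is the fallback for parsers that have none.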

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.