Action not permitted
Modal body text goes here.
cve-2024-7254
Vulnerability from cvelistv5
Published
2024-09-19 00:18
Modified
2025-04-19 00:11
Severity ?
EPSS score ?
Summary
Stack overflow in Protocol Buffers Java Lite
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:google:protobuf:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "protobuf",
"vendor": "google",
"versions": [
{
"lessThan": "28.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:google:google-protobuf:*:*:*:*:*:ruby:*:*",
"cpe:2.3:a:google:protobuf-java:*:*:*:*:*:*:*:*",
"cpe:2.3:a:google:protobuf-javalite:*:*:*:*:*:*:*:*",
"cpe:2.3:a:google:protobuf-kotlin:*:*:*:*:*:*:*:*",
"cpe:2.3:a:google:protobuf-kotlin-lite:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "protobuf-kotlin-lite",
"vendor": "google",
"versions": [
{
"lessThan": "3.25.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.27.5",
"status": "affected",
"version": "4.27",
"versionType": "custom"
},
{
"lessThan": "4.28.2",
"status": "affected",
"version": "4.28",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7254",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-19T14:29:43.468555Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-19T14:46:14.517Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-04-19T00:11:07.841Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20241213-0010/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20250418-0006/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Protocol Buffers",
"repo": "https://github.com/protocolbuffers/protobuf",
"vendor": "Google",
"versions": [
{
"lessThan": "28.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"collectionURL": "https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java",
"defaultStatus": "unaffected",
"product": "protobuf-java",
"vendor": "Google",
"versions": [
{
"lessThan": "3.25.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.27.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.28.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "protobuf-javalite",
"vendor": "Google",
"versions": [
{
"lessThan": "3.25.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.27.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.28.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "protobuf-kotlin",
"vendor": "Google",
"versions": [
{
"lessThan": "3.25.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.27.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.28.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "protobuf-kotllin-lite",
"vendor": "Google",
"versions": [
{
"lessThan": "3.25.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.27.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.28.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"collectionURL": "https://rubygems.org/gems/google-protobuf",
"defaultStatus": "unaffected",
"product": "google-protobuf [JRuby Gem]",
"vendor": "Google",
"versions": [
{
"lessThan": "3.25.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.27.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.28.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alexis Challande, Trail of Bits Ecosystem Security Team \u003cecosystem@trailofbits.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAny project that parses untrusted Protocol Buffers data\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;containing an arbitrary number of nested \u003c/span\u003e\u003ccode\u003egroup\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003es / series of \u003c/span\u003e\u003ccode\u003eSGROUP\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;tags can corrupted by exceeding the stack limit i.e. StackOverflow. \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eParsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Any project that parses untrusted Protocol Buffers data\u00a0containing an arbitrary number of nested groups / series of SGROUP\u00a0tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-19T00:18:45.824Z",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"url": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stack overflow in Protocol Buffers Java Lite",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2024-7254",
"datePublished": "2024-09-19T00:18:45.824Z",
"dateReserved": "2024-07-29T21:41:56.116Z",
"dateUpdated": "2025-04-19T00:11:07.841Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-7254\",\"sourceIdentifier\":\"cve-coordination@google.com\",\"published\":\"2024-09-19T01:15:10.963\",\"lastModified\":\"2025-04-19T01:15:44.387\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Any project that parses untrusted Protocol Buffers data\u00a0containing an arbitrary number of nested groups / series of SGROUP\u00a0tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.\"},{\"lang\":\"es\",\"value\":\"Cualquier proyecto que analice datos de Protocol Buffers no confiables que contengan una cantidad arbitraria de grupos anidados o series de etiquetas SGROUP puede corromperse si se excede el l\u00edmite de la pila, es decir, StackOverflow. Analizar grupos anidados como campos desconocidos con DiscardUnknownFieldsParser o el analizador Java Protobuf Lite, o contra campos de mapa Protobuf, crea recursiones ilimitadas que pueden ser utilizadas de forma abusiva por un atacante.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cve-coordination@google.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"cve-coordination@google.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"references\":[{\"url\":\"https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa\",\"source\":\"cve-coordination@google.com\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20241213-0010/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20250418-0006/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
ghsa-735f-pc8j-v9w8
Vulnerability from github
Published
2024-09-19 16:06
Modified
2025-04-23 14:35
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
protobuf-java has potential Denial of Service issue
Details
Summary
When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash.
Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team ecosystem@trailofbits.com
Affected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.
Severity
CVE-2024-7254 High CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication) This is a potential Denial of Service. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.
Proof of Concept
For reproduction details, please refer to the unit tests (Protobuf Java LiteTest and CodedInputStreamTest) that identify the specific inputs that exercise this parsing weakness.
Remediation and Mitigation
We have been working diligently to address this issue and have released a mitigation that is available now. Please update to the latest available versions of the following packages: * protobuf-java (3.25.5, 4.27.5, 4.28.2) * protobuf-javalite (3.25.5, 4.27.5, 4.28.2) * protobuf-kotlin (3.25.5, 4.27.5, 4.28.2) * protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2) * com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.google.protobuf:protobuf-java"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.25.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.google.protobuf:protobuf-javalite"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.25.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.google.protobuf:protobuf-kotlin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.25.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.google.protobuf:protobuf-kotlin-lite"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.25.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "google-protobuf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.25.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "google-protobuf"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0.rc.1"
},
{
"fixed": "4.27.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "google-protobuf"
},
"ranges": [
{
"events": [
{
"introduced": "4.28.0.rc.1"
},
{
"fixed": "4.28.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.google.protobuf:protobuf-kotlin-lite"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0.rc.1"
},
{
"fixed": "4.27.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.google.protobuf:protobuf-kotlin-lite"
},
"ranges": [
{
"events": [
{
"introduced": "4.28.0.rc.1"
},
{
"fixed": "4.28.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.google.protobuf:protobuf-kotlin"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0.rc.1"
},
{
"fixed": "4.27.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.google.protobuf:protobuf-kotlin"
},
"ranges": [
{
"events": [
{
"introduced": "4.28.0.rc.1"
},
{
"fixed": "4.28.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.google.protobuf:protobuf-javalite"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0.rc.1"
},
{
"fixed": "4.27.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.google.protobuf:protobuf-javalite"
},
"ranges": [
{
"events": [
{
"introduced": "4.28.0.rc.1"
},
{
"fixed": "4.28.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.google.protobuf:protobuf-java"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0.rc.1"
},
{
"fixed": "4.27.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.google.protobuf:protobuf-java"
},
"ranges": [
{
"events": [
{
"introduced": "4.28.0.rc.1"
},
{
"fixed": "4.28.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-7254"
],
"database_specific": {
"cwe_ids": [
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-19T16:06:03Z",
"nvd_published_at": "2024-09-19T01:15:10Z",
"severity": "HIGH"
},
"details": "### Summary\nWhen parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash.\n\nReporter: Alexis Challande, Trail of Bits Ecosystem Security Team \u003cecosystem@trailofbits.com\u003e\n\nAffected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.\n\n### Severity\n[CVE-2024-7254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7254) **High** CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication)\nThis is a potential Denial of Service. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.\n\n### Proof of Concept\nFor reproduction details, please refer to the unit tests (Protobuf Java [LiteTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/lite/src/test/java/com/google/protobuf/LiteTest.java) and [CodedInputStreamTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/core/src/test/java/com/google/protobuf/CodedInputStreamTest.java)) that identify the specific inputs that exercise this parsing weakness.\n\n### Remediation and Mitigation\nWe have been working diligently to address this issue and have released a mitigation that is available now. Please update to the latest available versions of the following packages:\n* protobuf-java (3.25.5, 4.27.5, 4.28.2)\n* protobuf-javalite (3.25.5, 4.27.5, 4.28.2)\n* protobuf-kotlin (3.25.5, 4.27.5, 4.28.2)\n* protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2)\n* com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)",
"id": "GHSA-735f-pc8j-v9w8",
"modified": "2025-04-23T14:35:53Z",
"published": "2024-09-19T16:06:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7254"
},
{
"type": "WEB",
"url": "https://github.com/protocolbuffers/protobuf/commit/4728531c162f2f9e8c2ca1add713cfee2db6be3b"
},
{
"type": "WEB",
"url": "https://github.com/protocolbuffers/protobuf/commit/850fcce9176e2c9070614dab53537760498c926b"
},
{
"type": "WEB",
"url": "https://github.com/protocolbuffers/protobuf/commit/9a5f5fe752a20cbac2e722b06949ac985abdd534"
},
{
"type": "WEB",
"url": "https://github.com/protocolbuffers/protobuf/commit/ac9fb5b4c71b0dd80985b27684e265d1f03abf46"
},
{
"type": "WEB",
"url": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa"
},
{
"type": "WEB",
"url": "https://github.com/protocolbuffers/protobuf/commit/d6c82fc55a76481c676f541a255571e8950bb8c3"
},
{
"type": "PACKAGE",
"url": "https://github.com/protocolbuffers/protobuf"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/google-protobuf/CVE-2024-7254.yml"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20241213-0010"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250418-0006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "protobuf-java has potential Denial of Service issue"
}
rhsa-2024_11255
Vulnerability from csaf_redhat
Published
2024-12-17 10:22
Modified
2025-03-28 11:00
Summary
Red Hat Security Advisory: Red Hat Trusted Profile Analyzer 1.2.1
Notes
Topic
Red Hat Trusted Profile Analyzer 1.2.1 release Red Hat Product Security has rated this update as having a security impact of Moderate
Details
Red Hat Trusted Profile Analyzer 1.2.1
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat Trusted Profile Analyzer 1.2.1 release Red Hat Product Security has rated this update as having a security impact of Moderate",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Trusted Profile Analyzer 1.2.1",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:11255",
"url": "https://access.redhat.com/errata/RHSA-2024:11255"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/TC-1865",
"url": "https://issues.redhat.com/browse/TC-1865"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/TC-1873",
"url": "https://issues.redhat.com/browse/TC-1873"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/TC-1880",
"url": "https://issues.redhat.com/browse/TC-1880"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/TC-1892",
"url": "https://issues.redhat.com/browse/TC-1892"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/TC-1928",
"url": "https://issues.redhat.com/browse/TC-1928"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/TC-1947",
"url": "https://issues.redhat.com/browse/TC-1947"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/TC-1970",
"url": "https://issues.redhat.com/browse/TC-1970"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/TC-1868",
"url": "https://issues.redhat.com/browse/TC-1868"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/TC-1937",
"url": "https://issues.redhat.com/browse/TC-1937"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/TC-1795",
"url": "https://issues.redhat.com/browse/TC-1795"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/TC-1824",
"url": "https://issues.redhat.com/browse/TC-1824"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/TC-1870",
"url": "https://issues.redhat.com/browse/TC-1870"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_trusted_profile_analyzer/1.2.1/html/release_notes/index",
"url": "https://docs.redhat.com/en/documentation/red_hat_trusted_profile_analyzer/1.2.1/html/release_notes/index"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-21536",
"url": "https://access.redhat.com/security/cve/CVE-2024-21536"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-21538",
"url": "https://access.redhat.com/security/cve/CVE-2024-21538"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-7254",
"url": "https://access.redhat.com/security/cve/CVE-2024-7254"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_11255.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Trusted Profile Analyzer 1.2.1",
"tracking": {
"current_release_date": "2025-03-28T11:00:50+00:00",
"generator": {
"date": "2025-03-28T11:00:50+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.4.2"
}
},
"id": "RHSA-2024:11255",
"initial_release_date": "2024-12-17T10:22:51+00:00",
"revision_history": [
{
"date": "2024-12-17T10:22:51+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-03-25T10:22:51+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-03-28T11:00:50+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Trusted Profile Analyzer 1.2",
"product": {
"name": "Red Hat Trusted Profile Analyzer 1.2",
"product_id": "Red Hat Trusted Profile Analyzer 1.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:trusted_profile_analyzer:1.2::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Trusted Profile Analyzer"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:8c6e51e26ca9a1d4d4fc9e90650103e60360cf0571533c56fbd08dac3007efbe_amd64",
"product": {
"name": "registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:8c6e51e26ca9a1d4d4fc9e90650103e60360cf0571533c56fbd08dac3007efbe_amd64",
"product_id": "registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:8c6e51e26ca9a1d4d4fc9e90650103e60360cf0571533c56fbd08dac3007efbe_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhtpa-trustification-service-rhel9@sha256%3A8c6e51e26ca9a1d4d4fc9e90650103e60360cf0571533c56fbd08dac3007efbe?arch=amd64\u0026repository_url=registry.redhat.io/rhtpa\u0026tag=1.2.1-1733826968"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:8c6e51e26ca9a1d4d4fc9e90650103e60360cf0571533c56fbd08dac3007efbe_amd64 as a component of Red Hat Trusted Profile Analyzer 1.2",
"product_id": "Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:8c6e51e26ca9a1d4d4fc9e90650103e60360cf0571533c56fbd08dac3007efbe_amd64"
},
"product_reference": "registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:8c6e51e26ca9a1d4d4fc9e90650103e60360cf0571533c56fbd08dac3007efbe_amd64",
"relates_to_product_reference": "Red Hat Trusted Profile Analyzer 1.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-7254",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2024-09-19T01:20:29.981665+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2313454"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Protocol Buffers (protobuf). This issue can allows an attacker to cause a StackOverflow via parsing untrusted Protocol Buffers data containing arbitrarily nested SGROUP tags, leading to unbounded recursion.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "protobuf: StackOverflow vulnerability in Protocol Buffers",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue represents a significant severity risk because unbounded recursion in Protocol Buffers parsing can be exploited to trigger stack overflows, leading to Denial of Service (DoS). When parsers, such as `DiscardUnknownFieldsParser` or the Java Protobuf Lite parser, encounter arbitrarily nested groups or deeply recursive map fields, the lack of recursion depth limits can result in uncontrolled stack growth. Attackers can craft malicious protobuf messages that deliberately exceed the stack\u0027s capacity, causing the application to crash or become unresponsive.\n\nThe protobuf package as shipped in RHEL does not include the affected java or kotlin bindings, therefore RHEL is Not Affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:8c6e51e26ca9a1d4d4fc9e90650103e60360cf0571533c56fbd08dac3007efbe_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-7254"
},
{
"category": "external",
"summary": "RHBZ#2313454",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313454"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-7254",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-7254"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-7254",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7254"
},
{
"category": "external",
"summary": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa",
"url": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa"
}
],
"release_date": "2024-09-19T01:15:10.963000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-12-17T10:22:51+00:00",
"details": "It is recommended that existing users of RHTPA 1.2.0 upgrade to 1.2.1. For more information please refer to the Release Notes.",
"product_ids": [
"Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:8c6e51e26ca9a1d4d4fc9e90650103e60360cf0571533c56fbd08dac3007efbe_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:11255"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:8c6e51e26ca9a1d4d4fc9e90650103e60360cf0571533c56fbd08dac3007efbe_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:8c6e51e26ca9a1d4d4fc9e90650103e60360cf0571533c56fbd08dac3007efbe_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "protobuf: StackOverflow vulnerability in Protocol Buffers"
},
{
"cve": "CVE-2024-21536",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2024-10-19T06:00:36.846953+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2319884"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the http-proxy-middleware package. Affected versions of this package are vulnerable to denial of service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. This flaw allows an attacker to kill the Node.js process and crash the server by requesting certain paths.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "http-proxy-middleware: Denial of Service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:8c6e51e26ca9a1d4d4fc9e90650103e60360cf0571533c56fbd08dac3007efbe_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-21536"
},
{
"category": "external",
"summary": "RHBZ#2319884",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2319884"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-21536",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21536"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-21536",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21536"
},
{
"category": "external",
"summary": "https://gist.github.com/mhassan1/28be67266d82a53708ed59ce5dc3c94a",
"url": "https://gist.github.com/mhassan1/28be67266d82a53708ed59ce5dc3c94a"
},
{
"category": "external",
"summary": "https://github.com/chimurai/http-proxy-middleware/commit/0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5",
"url": "https://github.com/chimurai/http-proxy-middleware/commit/0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5"
},
{
"category": "external",
"summary": "https://github.com/chimurai/http-proxy-middleware/commit/788b21e4aff38332d6319557d4a5b1b13b1f9a22",
"url": "https://github.com/chimurai/http-proxy-middleware/commit/788b21e4aff38332d6319557d4a5b1b13b1f9a22"
},
{
"category": "external",
"summary": "https://security.snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906",
"url": "https://security.snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906"
}
],
"release_date": "2024-10-19T05:00:04.056000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-12-17T10:22:51+00:00",
"details": "It is recommended that existing users of RHTPA 1.2.0 upgrade to 1.2.1. For more information please refer to the Release Notes.",
"product_ids": [
"Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:8c6e51e26ca9a1d4d4fc9e90650103e60360cf0571533c56fbd08dac3007efbe_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:11255"
},
{
"category": "workaround",
"details": "Red Hat Product Security does not have any mitigation recommendations at this time.",
"product_ids": [
"Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:8c6e51e26ca9a1d4d4fc9e90650103e60360cf0571533c56fbd08dac3007efbe_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:8c6e51e26ca9a1d4d4fc9e90650103e60360cf0571533c56fbd08dac3007efbe_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "http-proxy-middleware: Denial of Service"
},
{
"cve": "CVE-2024-21538",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"discovery_date": "2024-11-08T13:44:29.182678+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2324550"
}
],
"notes": [
{
"category": "description",
"text": "A Regular Expression Denial of Service (ReDoS) vulnerability was found in the cross-spawn package for Node.js. Due to improper input sanitization, an attacker can increase CPU usage and crash the program with a large, specially crafted string.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cross-spawn: regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:8c6e51e26ca9a1d4d4fc9e90650103e60360cf0571533c56fbd08dac3007efbe_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-21538"
},
{
"category": "external",
"summary": "RHBZ#2324550",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2324550"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-21538",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21538"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-21538",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21538"
},
{
"category": "external",
"summary": "https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff",
"url": "https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff"
},
{
"category": "external",
"summary": "https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f",
"url": "https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f"
},
{
"category": "external",
"summary": "https://github.com/moxystudio/node-cross-spawn/pull/160",
"url": "https://github.com/moxystudio/node-cross-spawn/pull/160"
},
{
"category": "external",
"summary": "https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230",
"url": "https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230"
}
],
"release_date": "2024-11-08T05:00:04.695000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-12-17T10:22:51+00:00",
"details": "It is recommended that existing users of RHTPA 1.2.0 upgrade to 1.2.1. For more information please refer to the Release Notes.",
"product_ids": [
"Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:8c6e51e26ca9a1d4d4fc9e90650103e60360cf0571533c56fbd08dac3007efbe_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:11255"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9@sha256:8c6e51e26ca9a1d4d4fc9e90650103e60360cf0571533c56fbd08dac3007efbe_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "cross-spawn: regular expression denial of service"
}
]
}
rhsa-2024_11256
Vulnerability from csaf_redhat
Published
2024-12-17 11:08
Modified
2025-03-28 11:01
Summary
Red Hat Security Advisory: Red Hat Trusted Profile Analyzer 1.2.1
Notes
Topic
Red Hat Trusted Profile Analyzer 1.2.1 release Red Hat Product Security has rated this update as having a security impact of Moderate
Details
Red Hat Trusted Profile Analyzer 1.2.1
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat Trusted Profile Analyzer 1.2.1 release Red Hat Product Security has rated this update as having a security impact of Moderate",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Trusted Profile Analyzer 1.2.1",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:11256",
"url": "https://access.redhat.com/errata/RHSA-2024:11256"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/TC-1865",
"url": "https://issues.redhat.com/browse/TC-1865"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/TC-1873",
"url": "https://issues.redhat.com/browse/TC-1873"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/TC-1880",
"url": "https://issues.redhat.com/browse/TC-1880"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/TC-1892",
"url": "https://issues.redhat.com/browse/TC-1892"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/TC-1928",
"url": "https://issues.redhat.com/browse/TC-1928"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/TC-1947",
"url": "https://issues.redhat.com/browse/TC-1947"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/TC-1970",
"url": "https://issues.redhat.com/browse/TC-1970"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/TC-1868",
"url": "https://issues.redhat.com/browse/TC-1868"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/TC-1937",
"url": "https://issues.redhat.com/browse/TC-1937"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/TC-1795",
"url": "https://issues.redhat.com/browse/TC-1795"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/TC-1824",
"url": "https://issues.redhat.com/browse/TC-1824"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/TC-1870",
"url": "https://issues.redhat.com/browse/TC-1870"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_trusted_profile_analyzer/1.2.1/html/release_notes/index",
"url": "https://docs.redhat.com/en/documentation/red_hat_trusted_profile_analyzer/1.2.1/html/release_notes/index"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-21536",
"url": "https://access.redhat.com/security/cve/CVE-2024-21536"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-21538",
"url": "https://access.redhat.com/security/cve/CVE-2024-21538"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2024-7254",
"url": "https://access.redhat.com/security/cve/CVE-2024-7254"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_11256.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Trusted Profile Analyzer 1.2.1",
"tracking": {
"current_release_date": "2025-03-28T11:01:02+00:00",
"generator": {
"date": "2025-03-28T11:01:02+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.4.2"
}
},
"id": "RHSA-2024:11256",
"initial_release_date": "2024-12-17T11:08:00+00:00",
"revision_history": [
{
"date": "2024-12-17T11:08:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-03-25T11:08:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-03-28T11:01:02+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Trusted Profile Analyzer 1.2",
"product": {
"name": "Red Hat Trusted Profile Analyzer 1.2",
"product_id": "Red Hat Trusted Profile Analyzer 1.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:trusted_profile_analyzer:1.2::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Trusted Profile Analyzer"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhtpa/rhtpa-guac-rhel9@sha256:9cc0e1374aa5e6ff8caf86d9bbd6f9c2dfa14d812ad99ae653a2fbb8ec124f30_amd64",
"product": {
"name": "registry.redhat.io/rhtpa/rhtpa-guac-rhel9@sha256:9cc0e1374aa5e6ff8caf86d9bbd6f9c2dfa14d812ad99ae653a2fbb8ec124f30_amd64",
"product_id": "registry.redhat.io/rhtpa/rhtpa-guac-rhel9@sha256:9cc0e1374aa5e6ff8caf86d9bbd6f9c2dfa14d812ad99ae653a2fbb8ec124f30_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhtpa-guac-rhel9@sha256%3A9cc0e1374aa5e6ff8caf86d9bbd6f9c2dfa14d812ad99ae653a2fbb8ec124f30?arch=amd64\u0026repository_url=registry.redhat.io/rhtpa\u0026tag=1.2.1-1733575106"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhtpa/rhtpa-guac-rhel9@sha256:9cc0e1374aa5e6ff8caf86d9bbd6f9c2dfa14d812ad99ae653a2fbb8ec124f30_amd64 as a component of Red Hat Trusted Profile Analyzer 1.2",
"product_id": "Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-guac-rhel9@sha256:9cc0e1374aa5e6ff8caf86d9bbd6f9c2dfa14d812ad99ae653a2fbb8ec124f30_amd64"
},
"product_reference": "registry.redhat.io/rhtpa/rhtpa-guac-rhel9@sha256:9cc0e1374aa5e6ff8caf86d9bbd6f9c2dfa14d812ad99ae653a2fbb8ec124f30_amd64",
"relates_to_product_reference": "Red Hat Trusted Profile Analyzer 1.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-7254",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2024-09-19T01:20:29.981665+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2313454"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Protocol Buffers (protobuf). This issue can allows an attacker to cause a StackOverflow via parsing untrusted Protocol Buffers data containing arbitrarily nested SGROUP tags, leading to unbounded recursion.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "protobuf: StackOverflow vulnerability in Protocol Buffers",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue represents a significant severity risk because unbounded recursion in Protocol Buffers parsing can be exploited to trigger stack overflows, leading to Denial of Service (DoS). When parsers, such as `DiscardUnknownFieldsParser` or the Java Protobuf Lite parser, encounter arbitrarily nested groups or deeply recursive map fields, the lack of recursion depth limits can result in uncontrolled stack growth. Attackers can craft malicious protobuf messages that deliberately exceed the stack\u0027s capacity, causing the application to crash or become unresponsive.\n\nThe protobuf package as shipped in RHEL does not include the affected java or kotlin bindings, therefore RHEL is Not Affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-guac-rhel9@sha256:9cc0e1374aa5e6ff8caf86d9bbd6f9c2dfa14d812ad99ae653a2fbb8ec124f30_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-7254"
},
{
"category": "external",
"summary": "RHBZ#2313454",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313454"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-7254",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-7254"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-7254",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7254"
},
{
"category": "external",
"summary": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa",
"url": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa"
}
],
"release_date": "2024-09-19T01:15:10.963000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-12-17T11:08:00+00:00",
"details": "It is recommended that existing users of RHTPA 1.2.0 upgrade to 1.2.1. For more information please refer to the Release Notes.",
"product_ids": [
"Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-guac-rhel9@sha256:9cc0e1374aa5e6ff8caf86d9bbd6f9c2dfa14d812ad99ae653a2fbb8ec124f30_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:11256"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-guac-rhel9@sha256:9cc0e1374aa5e6ff8caf86d9bbd6f9c2dfa14d812ad99ae653a2fbb8ec124f30_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-guac-rhel9@sha256:9cc0e1374aa5e6ff8caf86d9bbd6f9c2dfa14d812ad99ae653a2fbb8ec124f30_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "protobuf: StackOverflow vulnerability in Protocol Buffers"
},
{
"cve": "CVE-2024-21536",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2024-10-19T06:00:36.846953+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2319884"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the http-proxy-middleware package. Affected versions of this package are vulnerable to denial of service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. This flaw allows an attacker to kill the Node.js process and crash the server by requesting certain paths.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "http-proxy-middleware: Denial of Service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-guac-rhel9@sha256:9cc0e1374aa5e6ff8caf86d9bbd6f9c2dfa14d812ad99ae653a2fbb8ec124f30_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-21536"
},
{
"category": "external",
"summary": "RHBZ#2319884",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2319884"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-21536",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21536"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-21536",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21536"
},
{
"category": "external",
"summary": "https://gist.github.com/mhassan1/28be67266d82a53708ed59ce5dc3c94a",
"url": "https://gist.github.com/mhassan1/28be67266d82a53708ed59ce5dc3c94a"
},
{
"category": "external",
"summary": "https://github.com/chimurai/http-proxy-middleware/commit/0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5",
"url": "https://github.com/chimurai/http-proxy-middleware/commit/0b4274e8cc9e9a2c5a06f35fbf456ccfcebc55a5"
},
{
"category": "external",
"summary": "https://github.com/chimurai/http-proxy-middleware/commit/788b21e4aff38332d6319557d4a5b1b13b1f9a22",
"url": "https://github.com/chimurai/http-proxy-middleware/commit/788b21e4aff38332d6319557d4a5b1b13b1f9a22"
},
{
"category": "external",
"summary": "https://security.snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906",
"url": "https://security.snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906"
}
],
"release_date": "2024-10-19T05:00:04.056000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-12-17T11:08:00+00:00",
"details": "It is recommended that existing users of RHTPA 1.2.0 upgrade to 1.2.1. For more information please refer to the Release Notes.",
"product_ids": [
"Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-guac-rhel9@sha256:9cc0e1374aa5e6ff8caf86d9bbd6f9c2dfa14d812ad99ae653a2fbb8ec124f30_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:11256"
},
{
"category": "workaround",
"details": "Red Hat Product Security does not have any mitigation recommendations at this time.",
"product_ids": [
"Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-guac-rhel9@sha256:9cc0e1374aa5e6ff8caf86d9bbd6f9c2dfa14d812ad99ae653a2fbb8ec124f30_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-guac-rhel9@sha256:9cc0e1374aa5e6ff8caf86d9bbd6f9c2dfa14d812ad99ae653a2fbb8ec124f30_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "http-proxy-middleware: Denial of Service"
},
{
"cve": "CVE-2024-21538",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"discovery_date": "2024-11-08T13:44:29.182678+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2324550"
}
],
"notes": [
{
"category": "description",
"text": "A Regular Expression Denial of Service (ReDoS) vulnerability was found in the cross-spawn package for Node.js. Due to improper input sanitization, an attacker can increase CPU usage and crash the program with a large, specially crafted string.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cross-spawn: regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-guac-rhel9@sha256:9cc0e1374aa5e6ff8caf86d9bbd6f9c2dfa14d812ad99ae653a2fbb8ec124f30_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-21538"
},
{
"category": "external",
"summary": "RHBZ#2324550",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2324550"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-21538",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21538"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-21538",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21538"
},
{
"category": "external",
"summary": "https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff",
"url": "https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff"
},
{
"category": "external",
"summary": "https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f",
"url": "https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f"
},
{
"category": "external",
"summary": "https://github.com/moxystudio/node-cross-spawn/pull/160",
"url": "https://github.com/moxystudio/node-cross-spawn/pull/160"
},
{
"category": "external",
"summary": "https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230",
"url": "https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230"
}
],
"release_date": "2024-11-08T05:00:04.695000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-12-17T11:08:00+00:00",
"details": "It is recommended that existing users of RHTPA 1.2.0 upgrade to 1.2.1. For more information please refer to the Release Notes.",
"product_ids": [
"Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-guac-rhel9@sha256:9cc0e1374aa5e6ff8caf86d9bbd6f9c2dfa14d812ad99ae653a2fbb8ec124f30_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:11256"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Trusted Profile Analyzer 1.2:registry.redhat.io/rhtpa/rhtpa-guac-rhel9@sha256:9cc0e1374aa5e6ff8caf86d9bbd6f9c2dfa14d812ad99ae653a2fbb8ec124f30_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "cross-spawn: regular expression denial of service"
}
]
}
rhsa-2024_7972
Vulnerability from csaf_redhat
Published
2024-10-10 14:00
Modified
2025-03-28 11:00
Summary
Red Hat Security Advisory: Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.SP1)
Notes
Topic
An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.SP1).
The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.
Red Hat Product Security has rated this update as having a security impact of Critical.
Details
An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.SP1).
The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products:
* CVE-2024-47561 org.apache.avro/avro: Schema parsing may trigger Remote Code Execution (RCE)
* CVE-2024-7254 com.google.protobuf/protobuf-java: StackOverflow vulnerability in Protocol Buffers
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.SP1).\nThe purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.\nRed Hat Product Security has rated this update as having a security impact of Critical.",
"title": "Topic"
},
{
"category": "general",
"text": "An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.SP1).\nThe purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products:\n* CVE-2024-47561 org.apache.avro/avro: Schema parsing may trigger Remote Code Execution (RCE)\n* CVE-2024-7254 com.google.protobuf/protobuf-java: StackOverflow vulnerability in Protocol Buffers",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:7972",
"url": "https://access.redhat.com/errata/RHSA-2024:7972"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "2313454",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313454"
},
{
"category": "external",
"summary": "2316116",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316116"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7972.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.SP1)",
"tracking": {
"current_release_date": "2025-03-28T11:00:04+00:00",
"generator": {
"date": "2025-03-28T11:00:04+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.4.2"
}
},
"id": "RHSA-2024:7972",
"initial_release_date": "2024-10-10T14:00:25+00:00",
"revision_history": [
{
"date": "2024-10-10T14:00:25+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-10-10T14:00:25+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-03-28T11:00:04+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Apache Camel 4 for Quarkus 3",
"product": {
"name": "Red Hat build of Apache Camel 4 for Quarkus 3",
"product_id": "Red Hat build of Apache Camel 4 for Quarkus 3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:camel_quarkus:3.8"
}
}
}
],
"category": "product_family",
"name": "Red Hat Build of Apache Camel"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-7254",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2024-09-19T01:20:29.981665+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2313454"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Protocol Buffers (protobuf). This issue can allows an attacker to cause a StackOverflow via parsing untrusted Protocol Buffers data containing arbitrarily nested SGROUP tags, leading to unbounded recursion.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "protobuf: StackOverflow vulnerability in Protocol Buffers",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue represents a significant severity risk because unbounded recursion in Protocol Buffers parsing can be exploited to trigger stack overflows, leading to Denial of Service (DoS). When parsers, such as `DiscardUnknownFieldsParser` or the Java Protobuf Lite parser, encounter arbitrarily nested groups or deeply recursive map fields, the lack of recursion depth limits can result in uncontrolled stack growth. Attackers can craft malicious protobuf messages that deliberately exceed the stack\u0027s capacity, causing the application to crash or become unresponsive.\n\nThe protobuf package as shipped in RHEL does not include the affected java or kotlin bindings, therefore RHEL is Not Affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4 for Quarkus 3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-7254"
},
{
"category": "external",
"summary": "RHBZ#2313454",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313454"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-7254",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-7254"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-7254",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7254"
},
{
"category": "external",
"summary": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa",
"url": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa"
}
],
"release_date": "2024-09-19T01:15:10.963000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-10-10T14:00:25+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat build of Apache Camel 4 for Quarkus 3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:7972"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Apache Camel 4 for Quarkus 3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4 for Quarkus 3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "protobuf: StackOverflow vulnerability in Protocol Buffers"
},
{
"cve": "CVE-2024-47561",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2024-10-02T14:04:06.018000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2316116"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache Avro. The project is affected and at risk if it accepts an org.apache.Avro/avroAvro schema for parsing provided by an end user. This flaw allows an attacker to trigger remote code execution by using the special \"java-class\" attribute.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-avro: Schema parsing may trigger Remote Code Execution (RCE)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Red Hat build of Apache Camel K 1.10 was rated Important as it allows users to provide an Avro schema for parsing. Note that this functionality is limited to authenticated users.\n\nRed Hat Single Sign-On 7 ships the affected component in its maven repository but does not use it in the product. As such it is affected but not vulnerable to the flaw, and is assessed at Moderate security impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Apache Camel 4 for Quarkus 3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-47561"
},
{
"category": "external",
"summary": "RHBZ#2316116",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316116"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-47561",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47561"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-47561",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47561"
}
],
"release_date": "2024-10-03T12:20:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-10-10T14:00:25+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat build of Apache Camel 4 for Quarkus 3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:7972"
},
{
"category": "workaround",
"details": "1. Avoid parsing user-provided schemas.\n2. Ensure proper input validation and sanitization of schemas before parsing.\n3. Monitor systems for any unusual activities that may indicate exploitation attempts.\n4. Apply the principle of least privilege to minimize the potential impact of successful exploits.",
"product_ids": [
"Red Hat build of Apache Camel 4 for Quarkus 3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Apache Camel 4 for Quarkus 3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "apache-avro: Schema parsing may trigger Remote Code Execution (RCE)"
}
]
}
rhsa-2024_7676
Vulnerability from csaf_redhat
Published
2024-10-10 13:43
Modified
2025-03-28 10:59
Summary
Red Hat Security Advisory: Red Hat build of Quarkus 3.2.12.SP1 Security Update
Notes
Topic
An update is now available for Red Hat build of Quarkus.
Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability. For
more information, see the CVE links in the References section.
Details
This release of Red Hat build of Quarkus 3.2.12.SP1 contains security updates. For more information, see the release notes
page listed in the References section.
Security Fix(es):
* com.google.protobuf/protobuf: StackOverflow vulnerability in Protocol Buffers (CVE-2024-7254)
* org.eclipse.angus/angus-mail: Enabling Secure Server Identity Checks for Safer SMTPS Communication (CVE-2021-44549)
* com.graphql-java.graphql-java: Allocation of Resources Without Limits or Throttling in GraphQL Java (CVE-2024-40094)
* org.apache.avro/avro: Schema parsing may trigger Remote Code Execution (RCE) (CVE-2024-47561)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat build of Quarkus. \nRed Hat Product Security has rated this update as having a security impact\nof Critical. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability. For\nmore information, see the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "This release of Red Hat build of Quarkus 3.2.12.SP1 contains security updates. For more information, see the release notes\npage listed in the References section.\n\nSecurity Fix(es):\n\n* com.google.protobuf/protobuf: StackOverflow vulnerability in Protocol Buffers (CVE-2024-7254)\n\n* org.eclipse.angus/angus-mail: Enabling Secure Server Identity Checks for Safer SMTPS Communication (CVE-2021-44549)\n\n* com.graphql-java.graphql-java: Allocation of Resources Without Limits or Throttling in GraphQL Java (CVE-2024-40094)\n\n* org.apache.avro/avro: Schema parsing may trigger Remote Code Execution (RCE) (CVE-2024-47561)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:7676",
"url": "https://access.redhat.com/errata/RHSA-2024:7676"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7676.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.2.12.SP1 Security Update",
"tracking": {
"current_release_date": "2025-03-28T10:59:52+00:00",
"generator": {
"date": "2025-03-28T10:59:52+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.4.2"
}
},
"id": "RHSA-2024:7676",
"initial_release_date": "2024-10-10T13:43:59+00:00",
"revision_history": [
{
"date": "2024-10-10T13:43:59+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-10-10T13:43:59+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-03-28T10:59:52+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Quarkus 3.2",
"product": {
"name": "Red Hat build of Quarkus 3.2",
"product_id": "Red Hat build of Quarkus 3.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:quarkus:3.2::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Quarkus"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-44549",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2024-10-01T01:34:34.576000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2315808"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache Sling Commons Messaging Mail(angus-mail), which provides a simple interface for sending emails via SMTPS in OSGi, does not offer an option to enable server identity checks, leaving connections vulnerable to \"man-in-the-middle\" attacks and can allow insecure email communication.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "angus-mail: Enabling Secure Server Identity Checks for Safer SMTPS Communication",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability should be considered of important severity rather than moderate because it directly impacts the integrity and confidentiality of email communications over SMTPS. By disabling server identity checks, it leaves the communication channel vulnerable to \"man-in-the-middle\" (MITM) attacks, where an attacker could intercept, alter, or eavesdrop on email traffic by impersonating the legitimate mail server.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44549"
},
{
"category": "external",
"summary": "RHBZ#2315808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315808"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44549",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44549"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44549",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44549"
}
],
"release_date": "2023-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-10-10T13:43:59+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:7676"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Quarkus 3.2"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "angus-mail: Enabling Secure Server Identity Checks for Safer SMTPS Communication"
},
{
"cve": "CVE-2024-7254",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2024-09-19T01:20:29.981665+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2313454"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Protocol Buffers (protobuf). This issue can allows an attacker to cause a StackOverflow via parsing untrusted Protocol Buffers data containing arbitrarily nested SGROUP tags, leading to unbounded recursion.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "protobuf: StackOverflow vulnerability in Protocol Buffers",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue represents a significant severity risk because unbounded recursion in Protocol Buffers parsing can be exploited to trigger stack overflows, leading to Denial of Service (DoS). When parsers, such as `DiscardUnknownFieldsParser` or the Java Protobuf Lite parser, encounter arbitrarily nested groups or deeply recursive map fields, the lack of recursion depth limits can result in uncontrolled stack growth. Attackers can craft malicious protobuf messages that deliberately exceed the stack\u0027s capacity, causing the application to crash or become unresponsive.\n\nThe protobuf package as shipped in RHEL does not include the affected java or kotlin bindings, therefore RHEL is Not Affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-7254"
},
{
"category": "external",
"summary": "RHBZ#2313454",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313454"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-7254",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-7254"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-7254",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7254"
},
{
"category": "external",
"summary": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa",
"url": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa"
}
],
"release_date": "2024-09-19T01:15:10.963000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-10-10T13:43:59+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:7676"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Quarkus 3.2"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "protobuf: StackOverflow vulnerability in Protocol Buffers"
},
{
"cve": "CVE-2024-40094",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2024-07-30T07:20:08+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2301456"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in GraphQL Java, affecting versions prior to 21.5. This flaw allows an attacker to perform a denial of service (DoS) attack via introspection queries. The issue arises due to the improper handling of ExecutableNormalizedFields (ENFs), which are not adequately considered during the introspection query process. This issue could lead to resource exhaustion and service disruption under certain conditions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "graphql-java: Allocation of Resources Without Limits or Throttling in GraphQL Java",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-40094"
},
{
"category": "external",
"summary": "RHBZ#2301456",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2301456"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-40094",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-40094"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-40094",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40094"
},
{
"category": "external",
"summary": "https://github.com/graphql-java/graphql-java/commit/97743bc1b5caa2b0bd894dc8e128b47e4d771e4a",
"url": "https://github.com/graphql-java/graphql-java/commit/97743bc1b5caa2b0bd894dc8e128b47e4d771e4a"
},
{
"category": "external",
"summary": "https://github.com/graphql-java/graphql-java/discussions/3641",
"url": "https://github.com/graphql-java/graphql-java/discussions/3641"
},
{
"category": "external",
"summary": "https://github.com/graphql-java/graphql-java/pull/3539",
"url": "https://github.com/graphql-java/graphql-java/pull/3539"
},
{
"category": "external",
"summary": "https://github.com/graphql-java/graphql-java/releases/tag/v19.11",
"url": "https://github.com/graphql-java/graphql-java/releases/tag/v19.11"
},
{
"category": "external",
"summary": "https://github.com/graphql-java/graphql-java/releases/tag/v20.9",
"url": "https://github.com/graphql-java/graphql-java/releases/tag/v20.9"
},
{
"category": "external",
"summary": "https://github.com/graphql-java/graphql-java/releases/tag/v21.5",
"url": "https://github.com/graphql-java/graphql-java/releases/tag/v21.5"
}
],
"release_date": "2024-07-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-10-10T13:43:59+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:7676"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "graphql-java: Allocation of Resources Without Limits or Throttling in GraphQL Java"
},
{
"cve": "CVE-2024-47561",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2024-10-02T14:04:06.018000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2316116"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache Avro. The project is affected and at risk if it accepts an org.apache.Avro/avroAvro schema for parsing provided by an end user. This flaw allows an attacker to trigger remote code execution by using the special \"java-class\" attribute.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-avro: Schema parsing may trigger Remote Code Execution (RCE)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Red Hat build of Apache Camel K 1.10 was rated Important as it allows users to provide an Avro schema for parsing. Note that this functionality is limited to authenticated users.\n\nRed Hat Single Sign-On 7 ships the affected component in its maven repository but does not use it in the product. As such it is affected but not vulnerable to the flaw, and is assessed at Moderate security impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-47561"
},
{
"category": "external",
"summary": "RHBZ#2316116",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316116"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-47561",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47561"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-47561",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47561"
}
],
"release_date": "2024-10-03T12:20:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-10-10T13:43:59+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:7676"
},
{
"category": "workaround",
"details": "1. Avoid parsing user-provided schemas.\n2. Ensure proper input validation and sanitization of schemas before parsing.\n3. Monitor systems for any unusual activities that may indicate exploitation attempts.\n4. Apply the principle of least privilege to minimize the potential impact of successful exploits.",
"product_ids": [
"Red Hat build of Quarkus 3.2"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "apache-avro: Schema parsing may trigger Remote Code Execution (RCE)"
}
]
}
rhsa-2024_9571
Vulnerability from csaf_redhat
Published
2024-11-13 16:21
Modified
2025-03-28 11:01
Summary
Red Hat Security Advisory: Streams for Apache Kafka 2.8.0 release and security update
Notes
Topic
Streams for Apache Kafka 2.8.0 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed
backbone that allows microservices and other applications to share data with
extremely high throughput and extremely low latency.
This release of Red Hat AMQ Streams 2.8.0 serves as a replacement for Red Hat
AMQ Streams 2.7.0, and includes security and bug fixes, and enhancements.
Security Fix(es):
* Zookeeper, Kafka, Cruise Control: org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks [amq-st-2]
"(CVE-2024-8184)"
* Zookeeper, Kafka : org.eclipse.jetty/jetty-servlets: Jetty DOS vulnerability on DosFilter [amq-st-2] "(CVE-2024-9823)"
* Zookeeper, Kafka, Drain Cleaner, Cruise Control: Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader "(CVE-2024-47554)"
* Kafka: (com.google.protobuf:protobuf-java@3.23.4). Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users "(CVE-2024-7254)"
"Drain Cleaner: Awaiting Analysis(CVE-2024-29025)"
* Kroxylicoius: When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. "(CVE-2024-8285)"
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Streams for Apache Kafka 2.8.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed\nbackbone that allows microservices and other applications to share data with\nextremely high throughput and extremely low latency.\n\nThis release of Red Hat AMQ Streams 2.8.0 serves as a replacement for Red Hat\nAMQ Streams 2.7.0, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n* Zookeeper, Kafka, Cruise Control: org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks [amq-st-2] \n\"(CVE-2024-8184)\"\n\n* Zookeeper, Kafka : org.eclipse.jetty/jetty-servlets: Jetty DOS vulnerability on DosFilter [amq-st-2] \"(CVE-2024-9823)\"\n\n* Zookeeper, Kafka, Drain Cleaner, Cruise Control: Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader \"(CVE-2024-47554)\"\n\n* Kafka: (com.google.protobuf:protobuf-java@3.23.4). Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users \"(CVE-2024-7254)\"\n\n\"Drain Cleaner: Awaiting Analysis(CVE-2024-29025)\"\n\n* Kroxylicoius: When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server\u0027s hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. \"(CVE-2024-8285)\"",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:9571",
"url": "https://access.redhat.com/errata/RHSA-2024:9571"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2272907",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272907"
},
{
"category": "external",
"summary": "2308606",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2308606"
},
{
"category": "external",
"summary": "2313454",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313454"
},
{
"category": "external",
"summary": "2316271",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316271"
},
{
"category": "external",
"summary": "2318564",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318564"
},
{
"category": "external",
"summary": "2318565",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318565"
},
{
"category": "external",
"summary": "ASUI-91",
"url": "https://issues.redhat.com/browse/ASUI-91"
},
{
"category": "external",
"summary": "ENTMQST-2632",
"url": "https://issues.redhat.com/browse/ENTMQST-2632"
},
{
"category": "external",
"summary": "ENTMQST-3288",
"url": "https://issues.redhat.com/browse/ENTMQST-3288"
},
{
"category": "external",
"summary": "ENTMQST-4019",
"url": "https://issues.redhat.com/browse/ENTMQST-4019"
},
{
"category": "external",
"summary": "ENTMQST-5199",
"url": "https://issues.redhat.com/browse/ENTMQST-5199"
},
{
"category": "external",
"summary": "ENTMQST-5669",
"url": "https://issues.redhat.com/browse/ENTMQST-5669"
},
{
"category": "external",
"summary": "ENTMQST-5674",
"url": "https://issues.redhat.com/browse/ENTMQST-5674"
},
{
"category": "external",
"summary": "ENTMQST-5740",
"url": "https://issues.redhat.com/browse/ENTMQST-5740"
},
{
"category": "external",
"summary": "ENTMQST-5789",
"url": "https://issues.redhat.com/browse/ENTMQST-5789"
},
{
"category": "external",
"summary": "ENTMQST-5843",
"url": "https://issues.redhat.com/browse/ENTMQST-5843"
},
{
"category": "external",
"summary": "ENTMQST-5850",
"url": "https://issues.redhat.com/browse/ENTMQST-5850"
},
{
"category": "external",
"summary": "ENTMQST-5863",
"url": "https://issues.redhat.com/browse/ENTMQST-5863"
},
{
"category": "external",
"summary": "ENTMQST-5865",
"url": "https://issues.redhat.com/browse/ENTMQST-5865"
},
{
"category": "external",
"summary": "ENTMQST-5915",
"url": "https://issues.redhat.com/browse/ENTMQST-5915"
},
{
"category": "external",
"summary": "ENTMQST-6028",
"url": "https://issues.redhat.com/browse/ENTMQST-6028"
},
{
"category": "external",
"summary": "ENTMQST-6032",
"url": "https://issues.redhat.com/browse/ENTMQST-6032"
},
{
"category": "external",
"summary": "ENTMQST-6129",
"url": "https://issues.redhat.com/browse/ENTMQST-6129"
},
{
"category": "external",
"summary": "ENTMQST-6183",
"url": "https://issues.redhat.com/browse/ENTMQST-6183"
},
{
"category": "external",
"summary": "ENTMQST-6205",
"url": "https://issues.redhat.com/browse/ENTMQST-6205"
},
{
"category": "external",
"summary": "ENTMQST-6225",
"url": "https://issues.redhat.com/browse/ENTMQST-6225"
},
{
"category": "external",
"summary": "ENTMQST-6341",
"url": "https://issues.redhat.com/browse/ENTMQST-6341"
},
{
"category": "external",
"summary": "ENTMQST-6421",
"url": "https://issues.redhat.com/browse/ENTMQST-6421"
},
{
"category": "external",
"summary": "ENTMQST-6422",
"url": "https://issues.redhat.com/browse/ENTMQST-6422"
},
{
"category": "external",
"summary": "ENTMQSTPR-43",
"url": "https://issues.redhat.com/browse/ENTMQSTPR-43"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9571.json"
}
],
"title": "Red Hat Security Advisory: Streams for Apache Kafka 2.8.0 release and security update",
"tracking": {
"current_release_date": "2025-03-28T11:01:17+00:00",
"generator": {
"date": "2025-03-28T11:01:17+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.4.2"
}
},
"id": "RHSA-2024:9571",
"initial_release_date": "2024-11-13T16:21:03+00:00",
"revision_history": [
{
"date": "2024-11-13T16:21:03+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-11-13T16:21:03+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-03-28T11:01:17+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Streams for Apache Kafka 2.8.0",
"product": {
"name": "Streams for Apache Kafka 2.8.0",
"product_id": "Streams for Apache Kafka 2.8.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:amq_streams:2"
}
}
}
],
"category": "product_family",
"name": "Streams for Apache Kafka"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-7254",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2024-09-19T01:20:29.981665+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2313454"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Protocol Buffers (protobuf). This issue can allows an attacker to cause a StackOverflow via parsing untrusted Protocol Buffers data containing arbitrarily nested SGROUP tags, leading to unbounded recursion.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "protobuf: StackOverflow vulnerability in Protocol Buffers",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue represents a significant severity risk because unbounded recursion in Protocol Buffers parsing can be exploited to trigger stack overflows, leading to Denial of Service (DoS). When parsers, such as `DiscardUnknownFieldsParser` or the Java Protobuf Lite parser, encounter arbitrarily nested groups or deeply recursive map fields, the lack of recursion depth limits can result in uncontrolled stack growth. Attackers can craft malicious protobuf messages that deliberately exceed the stack\u0027s capacity, causing the application to crash or become unresponsive.\n\nThe protobuf package as shipped in RHEL does not include the affected java or kotlin bindings, therefore RHEL is Not Affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 2.8.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-7254"
},
{
"category": "external",
"summary": "RHBZ#2313454",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313454"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-7254",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-7254"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-7254",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7254"
},
{
"category": "external",
"summary": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa",
"url": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa"
}
],
"release_date": "2024-09-19T01:15:10.963000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-11-13T16:21:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 2.8.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:9571"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 2.8.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 2.8.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "protobuf: StackOverflow vulnerability in Protocol Buffers"
},
{
"cve": "CVE-2024-8184",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2024-10-14T16:01:01.239238+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2318564"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jetty\u0027s ThreadLimitHandler.getRemote(). This flaw allows unauthorized users to cause remote denial of service (DoS) attacks. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server\u0027s memory.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated as moderate rather than important because it requires specific conditions to be met, including continuous, crafted requests that deliberately target memory allocation to exhaust resources. While it can cause a denial of service, it does not lead to direct compromise of sensitive data, unauthorized access, or code execution.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 2.8.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-8184"
},
{
"category": "external",
"summary": "RHBZ#2318564",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318564"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-8184",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-8184"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-8184",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8184"
},
{
"category": "external",
"summary": "https://github.com/jetty/jetty.project/pull/11723",
"url": "https://github.com/jetty/jetty.project/pull/11723"
},
{
"category": "external",
"summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq",
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq"
},
{
"category": "external",
"summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30",
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30"
}
],
"release_date": "2024-10-14T15:09:37.861000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-11-13T16:21:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 2.8.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:9571"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 2.8.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 2.8.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks"
},
{
"cve": "CVE-2024-8285",
"cwe": {
"id": "CWE-297",
"name": "Improper Validation of Certificate with Host Mismatch"
},
"discovery_date": "2024-08-29T22:39:10.882000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2308606"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server\u0027s hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "kroxylicious: Missing upstream Kafka TLS hostname verification",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat have considered this vulnerability as a \u0027Moderate\u0027 severity given the complexity and the permission level required to perform a successful attacker.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 2.8.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-8285"
},
{
"category": "external",
"summary": "RHBZ#2308606",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2308606"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-8285",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-8285"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-8285",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8285"
}
],
"release_date": "2024-08-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-11-13T16:21:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 2.8.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:9571"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 2.8.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 2.8.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "kroxylicious: Missing upstream Kafka TLS hostname verification"
},
{
"cve": "CVE-2024-9823",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2024-10-14T16:01:06.545771+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2318565"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jetty. The DosFilter can be exploited remotely by unauthorized users to trigger an out-of-memory condition by repeatedly sending specially crafted requests. This issue may cause a crash, leading to a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.eclipse.jetty:jetty-servlets: jetty: Jetty DOS vulnerability on DosFilter",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 2.8.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-9823"
},
{
"category": "external",
"summary": "RHBZ#2318565",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318565"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-9823",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-9823"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-9823",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9823"
},
{
"category": "external",
"summary": "https://github.com/jetty/jetty.project/issues/1256",
"url": "https://github.com/jetty/jetty.project/issues/1256"
},
{
"category": "external",
"summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h",
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h"
},
{
"category": "external",
"summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/39",
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/39"
}
],
"release_date": "2024-10-14T15:03:02.293000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-11-13T16:21:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 2.8.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:9571"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 2.8.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 2.8.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.eclipse.jetty:jetty-servlets: jetty: Jetty DOS vulnerability on DosFilter"
},
{
"cve": "CVE-2024-29025",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2024-04-03T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2272907"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the io.netty:netty-codec-http package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling issues due to the accumulation of data in the HttpPostRequestDecoder. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, allowing data to accumulate without limits. This flaw allows an attacker to cause a denial of service by sending a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty-codec-http: Allocation of Resources Without Limits or Throttling",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The vulnerability in io.netty:netty-codec-http, allowing for Allocation of Resources Without Limits or Throttling issues, is assessed as moderate severity due to its potential impact on system availability and performance. By exploiting the flaw in HttpPostRequestDecoder, an attacker can craft chunked POST requests with numerous small fields, causing excessive accumulation of data in memory buffers. This unrestricted accumulation can lead to significant memory consumption on the server, potentially exhausting available resources and resulting in denial of service (DoS) conditions.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 2.8.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29025"
},
{
"category": "external",
"summary": "RHBZ#2272907",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272907"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29025",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29025"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29025",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29025"
},
{
"category": "external",
"summary": "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3",
"url": "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c",
"url": "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v",
"url": "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v"
},
{
"category": "external",
"summary": "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812",
"url": "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812"
}
],
"release_date": "2024-03-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-11-13T16:21:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 2.8.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:9571"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 2.8.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 2.8.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty-codec-http: Allocation of Resources Without Limits or Throttling"
},
{
"cve": "CVE-2024-47554",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2024-10-03T12:00:40.921058+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2316271"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in the Apache Commons IO component in the org.apache.commons.io.input.XmlStreamReader class. Excessive CPU resource consumption can lead to a denial of service when an untrusted input is processed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 2.8.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-47554"
},
{
"category": "external",
"summary": "RHBZ#2316271",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316271"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-47554",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47554"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-47554",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47554"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1",
"url": "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1"
}
],
"release_date": "2024-10-03T11:32:48.936000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-11-13T16:21:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 2.8.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:9571"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 2.8.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader"
}
]
}
rhsa-2024_7670
Vulnerability from csaf_redhat
Published
2024-10-10 11:49
Modified
2025-03-28 11:00
Summary
Red Hat Security Advisory: Red Hat build of Quarkus 3.8.6.SP1 Security Update
Notes
Topic
An update is now available for Red Hat build of Quarkus.
Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability. For
more information, see the CVE links in the References section.
Details
This release of Red Hat build of Quarkus 3.8.6.SP1 contains security updates. For more information, see the release notes
page listed in the References section.
Security Fix(es):
* com.google.protobuf/protobuf: StackOverflow vulnerability in Protocol Buffers (CVE-2024-7254)
* org.eclipse.angus/angus-mail: Enabling Secure Server Identity Checks for Safer SMTPS Communication (CVE-2021-44549)
* com.graphql-java.graphql-java: Allocation of Resources Without Limits or Throttling in GraphQL Java (CVE-2024-40094)
* org.apache.avro/avro: Schema parsing may trigger Remote Code Execution (RCE) (CVE-2024-47561)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat build of Quarkus. \nRed Hat Product Security has rated this update as having a security impact\nof Critical. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability. For\nmore information, see the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "This release of Red Hat build of Quarkus 3.8.6.SP1 contains security updates. For more information, see the release notes\npage listed in the References section.\n\nSecurity Fix(es):\n\n* com.google.protobuf/protobuf: StackOverflow vulnerability in Protocol Buffers (CVE-2024-7254)\n\n* org.eclipse.angus/angus-mail: Enabling Secure Server Identity Checks for Safer SMTPS Communication (CVE-2021-44549)\n\n* com.graphql-java.graphql-java: Allocation of Resources Without Limits or Throttling in GraphQL Java (CVE-2024-40094)\n\n* org.apache.avro/avro: Schema parsing may trigger Remote Code Execution (RCE) (CVE-2024-47561)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:7670",
"url": "https://access.redhat.com/errata/RHSA-2024:7670"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.8",
"url": "https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.8"
},
{
"category": "external",
"summary": "https://access.redhat.com/articles/4966181",
"url": "https://access.redhat.com/articles/4966181"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7670.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.8.6.SP1 Security Update",
"tracking": {
"current_release_date": "2025-03-28T11:00:39+00:00",
"generator": {
"date": "2025-03-28T11:00:39+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.4.2"
}
},
"id": "RHSA-2024:7670",
"initial_release_date": "2024-10-10T11:49:18+00:00",
"revision_history": [
{
"date": "2024-10-10T11:49:18+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-10-10T11:49:18+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-03-28T11:00:39+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Quarkus 3.8",
"product": {
"name": "Red Hat build of Quarkus 3.8",
"product_id": "Red Hat build of Quarkus 3.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:quarkus:3.8::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Quarkus"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-44549",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2024-10-01T01:34:34.576000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2315808"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache Sling Commons Messaging Mail(angus-mail), which provides a simple interface for sending emails via SMTPS in OSGi, does not offer an option to enable server identity checks, leaving connections vulnerable to \"man-in-the-middle\" attacks and can allow insecure email communication.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "angus-mail: Enabling Secure Server Identity Checks for Safer SMTPS Communication",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability should be considered of important severity rather than moderate because it directly impacts the integrity and confidentiality of email communications over SMTPS. By disabling server identity checks, it leaves the communication channel vulnerable to \"man-in-the-middle\" (MITM) attacks, where an attacker could intercept, alter, or eavesdrop on email traffic by impersonating the legitimate mail server.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44549"
},
{
"category": "external",
"summary": "RHBZ#2315808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315808"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44549",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44549"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44549",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44549"
}
],
"release_date": "2023-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-10-10T11:49:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:7670"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Quarkus 3.8"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "angus-mail: Enabling Secure Server Identity Checks for Safer SMTPS Communication"
},
{
"cve": "CVE-2024-7254",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2024-09-19T01:20:29.981665+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2313454"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Protocol Buffers (protobuf). This issue can allows an attacker to cause a StackOverflow via parsing untrusted Protocol Buffers data containing arbitrarily nested SGROUP tags, leading to unbounded recursion.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "protobuf: StackOverflow vulnerability in Protocol Buffers",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue represents a significant severity risk because unbounded recursion in Protocol Buffers parsing can be exploited to trigger stack overflows, leading to Denial of Service (DoS). When parsers, such as `DiscardUnknownFieldsParser` or the Java Protobuf Lite parser, encounter arbitrarily nested groups or deeply recursive map fields, the lack of recursion depth limits can result in uncontrolled stack growth. Attackers can craft malicious protobuf messages that deliberately exceed the stack\u0027s capacity, causing the application to crash or become unresponsive.\n\nThe protobuf package as shipped in RHEL does not include the affected java or kotlin bindings, therefore RHEL is Not Affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-7254"
},
{
"category": "external",
"summary": "RHBZ#2313454",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313454"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-7254",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-7254"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-7254",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7254"
},
{
"category": "external",
"summary": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa",
"url": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa"
}
],
"release_date": "2024-09-19T01:15:10.963000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-10-10T11:49:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:7670"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Quarkus 3.8"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "protobuf: StackOverflow vulnerability in Protocol Buffers"
},
{
"cve": "CVE-2024-40094",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2024-07-30T07:20:08+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2301456"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in GraphQL Java, affecting versions prior to 21.5. This flaw allows an attacker to perform a denial of service (DoS) attack via introspection queries. The issue arises due to the improper handling of ExecutableNormalizedFields (ENFs), which are not adequately considered during the introspection query process. This issue could lead to resource exhaustion and service disruption under certain conditions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "graphql-java: Allocation of Resources Without Limits or Throttling in GraphQL Java",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-40094"
},
{
"category": "external",
"summary": "RHBZ#2301456",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2301456"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-40094",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-40094"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-40094",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40094"
},
{
"category": "external",
"summary": "https://github.com/graphql-java/graphql-java/commit/97743bc1b5caa2b0bd894dc8e128b47e4d771e4a",
"url": "https://github.com/graphql-java/graphql-java/commit/97743bc1b5caa2b0bd894dc8e128b47e4d771e4a"
},
{
"category": "external",
"summary": "https://github.com/graphql-java/graphql-java/discussions/3641",
"url": "https://github.com/graphql-java/graphql-java/discussions/3641"
},
{
"category": "external",
"summary": "https://github.com/graphql-java/graphql-java/pull/3539",
"url": "https://github.com/graphql-java/graphql-java/pull/3539"
},
{
"category": "external",
"summary": "https://github.com/graphql-java/graphql-java/releases/tag/v19.11",
"url": "https://github.com/graphql-java/graphql-java/releases/tag/v19.11"
},
{
"category": "external",
"summary": "https://github.com/graphql-java/graphql-java/releases/tag/v20.9",
"url": "https://github.com/graphql-java/graphql-java/releases/tag/v20.9"
},
{
"category": "external",
"summary": "https://github.com/graphql-java/graphql-java/releases/tag/v21.5",
"url": "https://github.com/graphql-java/graphql-java/releases/tag/v21.5"
}
],
"release_date": "2024-07-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-10-10T11:49:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:7670"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "graphql-java: Allocation of Resources Without Limits or Throttling in GraphQL Java"
},
{
"cve": "CVE-2024-47561",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2024-10-02T14:04:06.018000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2316116"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache Avro. The project is affected and at risk if it accepts an org.apache.Avro/avroAvro schema for parsing provided by an end user. This flaw allows an attacker to trigger remote code execution by using the special \"java-class\" attribute.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-avro: Schema parsing may trigger Remote Code Execution (RCE)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The Red Hat build of Apache Camel K 1.10 was rated Important as it allows users to provide an Avro schema for parsing. Note that this functionality is limited to authenticated users.\n\nRed Hat Single Sign-On 7 ships the affected component in its maven repository but does not use it in the product. As such it is affected but not vulnerable to the flaw, and is assessed at Moderate security impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-47561"
},
{
"category": "external",
"summary": "RHBZ#2316116",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316116"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-47561",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47561"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-47561",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47561"
}
],
"release_date": "2024-10-03T12:20:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-10-10T11:49:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:7670"
},
{
"category": "workaround",
"details": "1. Avoid parsing user-provided schemas.\n2. Ensure proper input validation and sanitization of schemas before parsing.\n3. Monitor systems for any unusual activities that may indicate exploitation attempts.\n4. Apply the principle of least privilege to minimize the potential impact of successful exploits.",
"product_ids": [
"Red Hat build of Quarkus 3.8"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "apache-avro: Schema parsing may trigger Remote Code Execution (RCE)"
}
]
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.