A Red Hat Process Automation Manager 7.13.0 security update has been released.

RHSA-2022:5903-01: Moderate: Red Hat Process Automation Manager 7.13.0 security update

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat Process Automation Manager 7.13.0 security update
Advisory ID: RHSA-2022:5903-01
Product: Red Hat Process Automation Manager
Advisory URL:   https://access.redhat.com/errata/RHSA-2022:5903
Issue date: 2022-08-04
CVE Names: CVE-2021-2471 CVE-2021-3642 CVE-2021-3644
CVE-2021-3717 CVE-2021-22569 CVE-2021-36373
CVE-2021-37136 CVE-2021-37137 CVE-2021-37714
CVE-2021-43797 CVE-2022-22950 CVE-2022-25647
=====================================================================

1. Summary:

An update is now available for Red Hat Process Automation Manager.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat Process Automation Manager is an open source business process
management suite that combines process management and decision service
management and enables business and IT users to create, manage, validate,
and deploy process applications and decision services.

This asynchronous security patch is an update to Red Hat Process Automation
Manager 7.

Security Fix(es):

* com.google.code.gson-gson: Deserialization of Untrusted Data in
com.google.code.gson-gson (CVE-2022-25647)

* jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
(CVE-2021-37714)

* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for
decompressed data (CVE-2021-37136)

* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may
buffer skippable chunks in an unnecessary way (CVE-2021-37137)

* protobuf-java: potential DoS in the parsing procedure for binary data
(CVE-2021-22569)

* spring-expression: Denial of service via specially crafted SpEL
expression (CVE-2022-22950)

* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)

* wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving
access to all the local users (CVE-2021-3717)

* ant: excessive memory allocation when reading a specially crafted TAR
archive (CVE-2021-36373)

* mysql-connector-java: unauthorized access to critical (CVE-2021-2471)

* netty: control chars in header names may lead to HTTP request smuggling
(CVE-2021-43797)

* wildfly-core: Invalid Sensitivity Classification of Vault Expression
(CVE-2021-3644)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For on-premise installations, before applying the update, back up your
existing installation, including all applications, configuration files,
databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application
Server process before installing this update; after installing the update,
restart the server by starting the JBoss Application Server process.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (  https://bugzilla.redhat.com/):

1976052 - CVE-2021-3644 wildfly-core: Invalid Sensitivity Classification of Vault Expression
1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer
1982336 - CVE-2021-36373 ant: excessive memory allocation when reading a specially crafted TAR archive
1991305 - CVE-2021-3717 wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users
1995259 - CVE-2021-37714 jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way
2020583 - CVE-2021-2471 mysql-connector-java: unauthorized access to critical
2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling
2039903 - CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data
2069414 - CVE-2022-22950 spring-expression: Denial of service via specially crafted SpEL expression
2080850 - CVE-2022-25647 com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson

5. References:

  https://access.redhat.com/security/cve/CVE-2021-2471
  https://access.redhat.com/security/cve/CVE-2021-3642
  https://access.redhat.com/security/cve/CVE-2021-3644
  https://access.redhat.com/security/cve/CVE-2021-3717
  https://access.redhat.com/security/cve/CVE-2021-22569
  https://access.redhat.com/security/cve/CVE-2021-36373
  https://access.redhat.com/security/cve/CVE-2021-37136
  https://access.redhat.com/security/cve/CVE-2021-37137
  https://access.redhat.com/security/cve/CVE-2021-37714
  https://access.redhat.com/security/cve/CVE-2021-43797
  https://access.redhat.com/security/cve/CVE-2022-22950
  https://access.redhat.com/security/cve/CVE-2022-25647
  https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.