First published: Thu Jan 26 2023(Updated: )
Security Fix(es):
- jib-core: RCE via the isDockerInstalled (CVE-2022-25914)
- Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
- nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)
- loader-utils: Regular expression denial of service (CVE-2022-37603)
- jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
- jackson-databind: use of deeply nested arrays (CVE-2022-42004)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section.
RHSA-2023:0471 includes security fixes for remote code execution in jib-core, arbitrary bytecode production in Apache-Commons-BCEL, and regular expression denial of service in nodejs-minimatch.
To address CVE-2022-25914, ensure that you update your jib-core package to the latest version provided in RHSA-2023:0471.
CVE-2022-42920 is an out-of-bounds write in Apache-Commons-BCEL that allows arbitrary bytecode to be produced, which can lead to serious security consequences.
To mitigate CVE-2022-3517, you should update the nodejs-minimatch package to the patched version included in RHSA-2023:0471.
The software affected by RHSA-2023:0471 is listed in the update advisory released by Red Hat, which details the impacted products and versions.