RHSA-2024:0722 - Security Advisory

Topic

An update is now available for Red Hat build of Quarkus.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a
detailed severity rating, is available for each vulnerability. For more
information, see the CVE links in the References section.

Description

This release of Red Hat build of Quarkus 3.2.10 includes security updates,
bug fixes, and enhancements. For more information, see the release notes page
listed in the References section.

Security Fix(es):

• CVE-2023-22102 mysql/mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2023) [quarkus-3.2]
• CVE-2023-48795 org.apache.sshd/sshd-core: ssh: Prefix truncation attack on Binary Packet Protocol (BPP) [quarkus-3.2]
• CVE-2023-4043 org.eclipse.parsson/parsson: Denial of Service due to large number parsing [quarkus-3.2]

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat build of Quarkus Text-Only Advisories x86_64

Fixes

• BZ - 2254210 - CVE-2023-48795 ssh: Prefix truncation attack on Binary Packet Protocol (BPP)
• BZ - 2254594 - CVE-2023-4043 parsson: Denial of Service due to large number parsing
• BZ - 2256474 - CVE-2023-22102 mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2023)
• QUARKUS-3791 - Jandex indexing throws an NPE with latest Oracle driver
• QUARKUS-3851 - Upgrade to Hibernate ORM 6.2.18.Final
• QUARKUS-3938 - [3.2] Remove config overriding the parent config
• QUARKUS-3939 - Always set ssl and alpn for non-plain-text with Vert.x gRPC channel
• QUARKUS-3940 - Verify duplicated context handling when caching a Uni
• QUARKUS-3941 - Do not expand config properties for Gradle Workers
• QUARKUS-3942 - Fix Create the Maven project section in security-oidc-bearer-token-authentication-tutorial.adoc
• QUARKUS-3943 - Fixes stork path param resolution in REST Client
• QUARKUS-3944 - Use standard URL when updating the website
• QUARKUS-3945 - Support using commas to add extensions with CLI
• QUARKUS-3946 - Make docs/sync-web-site.sh recoverable
• QUARKUS-3947 - Fix != expression in @PreAuthorize check
• QUARKUS-3948 - Save pathParamValues encoded and perform decoding when requested
• QUARKUS-3949 - Fix Panache bytecode enhancement for `@Embeddable` records
• QUARKUS-3950 - Fix various minor issues in quarkus update
• QUARKUS-3951 - Use batch mode for update-version.sh
• QUARKUS-3952 - Avoid asking for GPG passphrase on CI
• QUARKUS-3953 - Prepare docs/sync-web-site.sh for automated releases
• QUARKUS-3954 - Reactive REST Client: check for ClientRequestFilter when skipping @Provider auto-discovery
• QUARKUS-3955 - Always execute a JPA password action
• QUARKUS-3956 - recognize quarkus.tls.trust-all property by keycloak-admin-client extension
• QUARKUS-3957 - Make analytics tests a bit more resilient
• QUARKUS-3958 - Updates infinispan client intelligence section
• QUARKUS-3959 - Use empty string in Sse event when there is no data
• QUARKUS-3960 - Register methods of RESTeasy reactive parameter containers for reflection
• QUARKUS-3961 - Fix vale errors and some warnings in the OIDC Configuration Properties reference guide
• QUARKUS-3963 - Handle generic types for ParamConverter in REST Client
• QUARKUS-3964 - Fix tracing protocol configuration to only allow grpc

CVEs

• CVE-2023-4043

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/3.2/
• https://access.redhat.com/articles/4966181