Bug 2155682 (CVE-2022-46364)
| Summary: | CVE-2022-46364 Apache CXF: SSRF Vulnerability | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Zack Miele <zmiele> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aileenc, alazarot, anstephe, asoldano, avibelli, balejosg, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, clement.escoffier, dandread, darran.lofthouse, dkreling, dosoudil, emingora, fjuma, fmongiar, gjospin, gmalinko, gsmet, gtedorst, hamadhan, ibek, ivassile, iweiss, janstey, jcantril, jnethert, jolee, jpavlik, jpoth, jrokos, jschatte, jstastny, jwon, kverlaen, lgao, lthon, max.andersen, mnovotny, mosmerov, msochure, msvehla, nwallace, pdelbell, pdrozd, peholase, periklis, pgallagh, pjindal, pmackay, probinso, pskopek, rguimara, rrajasek, rruss, rstancel, rsvoboda, sbiarozk, sdouglas, sfowler, smaestri, sthorger, tcunning, tom.jenkinson, yfang |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Apache CXF 3.5.5, Apache CXF 3.4.10 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-02-02 07:55:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2153018 | ||
|
Description
Zack Miele
2022-12-21 21:18:19 UTC
This issue has been addressed in the following products: EAP 7.4 async Via RHSA-2023:0164 https://access.redhat.com/errata/RHSA-2023:0164 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 Via RHSA-2023:0163 https://access.redhat.com/errata/RHSA-2023:0163 This issue has been addressed in the following products: Red Hat Fuse 7.11.1.P1 Via RHSA-2023:0483 https://access.redhat.com/errata/RHSA-2023:0483 This issue has been addressed in the following products: RHINT Camel-Springboot 3.14.5.P1 Via RHSA-2023:0544 https://access.redhat.com/errata/RHSA-2023:0544 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Via RHSA-2023:0553 https://access.redhat.com/errata/RHSA-2023:0553 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Via RHSA-2023:0552 https://access.redhat.com/errata/RHSA-2023:0552 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 Via RHSA-2023:0554 https://access.redhat.com/errata/RHSA-2023:0554 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2023:0556 https://access.redhat.com/errata/RHSA-2023:0556 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-46364 This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 7 Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043 This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 8 Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044 This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 9 Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045 This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047 This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049 This issue has been addressed in the following products: Migration Toolkit for Runtimes 1 on RHEL 8 Via RHSA-2023:1285 https://access.redhat.com/errata/RHSA-2023:1285 This issue has been addressed in the following products: Migration Toolkit for Runtimes 1 on RHEL 8 Via RHSA-2023:1286 https://access.redhat.com/errata/RHSA-2023:1286 This issue has been addressed in the following products: MTA-6.1-RHEL-8 Via RHSA-2023:2041 https://access.redhat.com/errata/RHSA-2023:2041 This issue has been addressed in the following products: Red Hat Process Automation Via RHSA-2023:2135 https://access.redhat.com/errata/RHSA-2023:2135 This issue has been addressed in the following products: RHINT Camel-Springboot 3.18.3.P2 Via RHSA-2023:3641 https://access.redhat.com/errata/RHSA-2023:3641 The RH-SSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite. This issue has been addressed in the following products: Red Hat Fuse 7.12 Via RHSA-2023:3954 https://access.redhat.com/errata/RHSA-2023:3954 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Via RHSA-2024:10208 https://access.redhat.com/errata/RHSA-2024:10208 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Via RHSA-2024:10207 https://access.redhat.com/errata/RHSA-2024:10207 |