The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nesting depth limitation for collections.
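As an added example (not code from this bug report or from the snakeyaml project), the defensive configuration the fixed releases make possible: bound the collection nesting depth through LoaderOptions and verify that a document nested deeper than that bound is rejected instead of exhausting the parser. It assumes the snakeyaml 2.x API, where SafeConstructor accepts a LoaderOptions; the names NestingDepthCheck, boundedParser, nestedSequence and rejectsDepth are the example's own, and the nested input is constructed inline.

```java
// Added example, not from the bug report or from snakeyaml itself.
// Assumes snakeyaml 2.x (org.yaml.snakeyaml), where LoaderOptions.setNestingDepthLimit
// and the SafeConstructor(LoaderOptions) constructor are available.
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class NestingDepthCheck {

    /** Build a parser whose collection nesting is bounded, so a deeply nested
     *  document fails fast instead of consuming stack or heap. */
    static Yaml boundedParser(int maxDepth) {
        LoaderOptions opts = new LoaderOptions();
        opts.setNestingDepthLimit(maxDepth);   // the limit this CVE's fix introduced
        opts.setAllowDuplicateKeys(false);     // separate hardening, cheap to enable
        // SafeConstructor: only standard YAML types, no arbitrary Java class tags
        return new Yaml(new SafeConstructor(opts));
    }

    /** Constructed test input: a flow sequence nested `depth` levels deep, e.g. "[[[]]]". */
    static String nestedSequence(int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    /** Returns true when the parser refused the document (YAMLException on depth). */
    static boolean rejectsDepth(Yaml yaml, int depth) {
        try {
            yaml.load(nestedSequence(depth));
            return false;
        } catch (YAMLException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        Yaml yaml = boundedParser(20);
        // Ordinary configuration-style input is well within the limit and loads normally.
        Object cfg = yaml.load("server:\n  port: 8080\n  hosts: [a, b]\n");
        System.out.println("normal doc loaded: " + cfg);
        System.out.println("depth 10 rejected:  " + rejectsDepth(yaml, 10));
        System.out.println("depth 500 rejected: " + rejectsDepth(yaml, 500));
    }
}
```

With the limit set to 20, the 10-deep document loads and the 500-deep one is refused with a YAMLException before any collection is built; a limit should be chosen from the depth your own documents actually need.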
Created snakeyaml tracking bugs for this issue:

Affects: epel-all [bug 2126792]
Affects: fedora-all [bug 2126793]

Created texlive-base tracking bugs for this issue:

Affects: fedora-all [bug 2126794]
Version 0.17.1 of prometheus-jmx-exporter was released about 3 weeks ago to fix this CVE in RHEL 8. Can we get an update to this package to patch this CVE? https://github.com/prometheus/jmx_exporter/issues/734#issuecomment-1242805218
(In reply to spencer.deehring from comment #8)
> Version 0.17.1 of prometheus-jmx-exporter was released about 3 weeks ago to
> fix this CVE in RHEL 8. Can we get an update to this package to patch this
> CVE?
>
> https://github.com/prometheus/jmx_exporter/issues/734#issuecomment-1242805218

A rebuild with the new snakeyaml is in progress. See bug #2128477
This issue has been addressed in the following products: Red Hat build of Eclipse Vert.x 4.3.3 Via RHSA-2022:6757 https://access.redhat.com/errata/RHSA-2022:6757
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 Via RHSA-2022:6823 https://access.redhat.com/errata/RHSA-2022:6823
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Via RHSA-2022:6821 https://access.redhat.com/errata/RHSA-2022:6821
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Via RHSA-2022:6822 https://access.redhat.com/errata/RHSA-2022:6822
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2022:6825 https://access.redhat.com/errata/RHSA-2022:6825
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:6820 https://access.redhat.com/errata/RHSA-2022:6820
For RHEL-8 it's downgraded to moderate because "snakeyaml" itself isn't shipped in RHEL 8 or RHEL-9, and "prometheus-jmx-exporter" is needed as a build dependency. And it's not directly exploitable, hence the severity is marked as moderate. https://access.redhat.com/security/updates/classification/#moderate
This issue has been addressed in the following products: RHINT Service Registry 2.3.0 GA Via RHSA-2022:6835 https://access.redhat.com/errata/RHSA-2022:6835
This issue has been addressed in the following products: Red Hat build of Quarkus Platform 2.7.6.SP1 Via RHSA-2022:6941 https://access.redhat.com/errata/RHSA-2022:6941
I see that package prometheus-jmx-exporter has been updated in RHEL 8 to 0.12.0-8.el8_6 as per RHSA-2022:6820. However the sub package prometheus-jmx-exporter-openjdk8 has not been updated and still contains this CVE. Are there plans to resolve this?
(In reply to spencer.deehring from comment #28)
> I see that package prometheus-jmx-exporter has been updated in RHEL 8 to
> 0.12.0-8.el8_6 as per RHSA-2022:6820. However the sub package
> prometheus-jmx-exporter-openjdk8 has not been updated and still contains
> this CVE. Are there plans to resolve this?

Sorry about that. This should not have happened. I'll get motions started to get relevant sub-package builds pushed as well. Appropriate root-cause analysis is ongoing why this happened in the first place. Thanks for letting us know!
(In reply to spencer.deehring from comment #28)
> I see that package prometheus-jmx-exporter has been updated in RHEL 8 to
> 0.12.0-8.el8_6 as per RHSA-2022:6820. However the sub package
> prometheus-jmx-exporter-openjdk8 has not been updated and still contains
> this CVE. Are there plans to resolve this?

This should be fixed now:

[root@f3e8264d55a2 /]# dnf install prometheus-jmx-exporter-openjdk8
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
Red Hat Universal Base Image 8 (RPMs) - BaseOS                 2.2 MB/s | 811 kB     00:00
Red Hat Universal Base Image 8 (RPMs) - AppStream              6.1 MB/s | 3.0 MB     00:00
Red Hat Universal Base Image 8 (RPMs) - CodeReady Builder      119 kB/s |  20 kB     00:00
Dependencies resolved.
====================================================================================================================
 Package                           Architecture  Version                             Repository             Size
====================================================================================================================
Installing:
 prometheus-jmx-exporter-openjdk8  noarch        0.12.0-8.el8_6                      ubi-8-appstream-rpms  8.3 k
Installing dependencies:
 avahi-libs                        x86_64        0.7-20.el8                          ubi-8-baseos-rpms      62 k
 copy-jdk-configs                  noarch        4.0-2.el8                           ubi-8-appstream-rpms   31 k
 cups-libs                         x86_64        1:2.2.6-45.el8_6.2                  ubi-8-baseos-rpms     435 k
 freetype                          x86_64        2.9.1-4.el8_3.1                     ubi-8-baseos-rpms     394 k
 java-1.8.0-openjdk-headless       x86_64        1:1.8.0.352.b08-2.el8_6             ubi-8-appstream-rpms   34 M
 javapackages-filesystem           noarch        5.3.0-1.module+el8+2447+6f56d9a6    ubi-8-appstream-rpms   30 k
 libjpeg-turbo                     x86_64        1.5.3-12.el8                        ubi-8-appstream-rpms  157 k
 libpng                            x86_64        2:1.6.34-5.el8                      ubi-8-baseos-rpms     126 k
 lksctp-tools                      x86_64        1.0.18-3.el8                        ubi-8-baseos-rpms     100 k
 lua                               x86_64        5.3.4-12.el8                        ubi-8-appstream-rpms  192 k
 nspr                              x86_64        4.34.0-3.el8_6                      ubi-8-appstream-rpms  143 k
 nss                               x86_64        3.79.0-10.el8_6                     ubi-8-appstream-rpms  747 k
 nss-softokn                       x86_64        3.79.0-10.el8_6                     ubi-8-appstream-rpms  1.2 M
 nss-softokn-freebl                x86_64        3.79.0-10.el8_6                     ubi-8-appstream-rpms  398 k
 nss-sysinit                       x86_64        3.79.0-10.el8_6                     ubi-8-appstream-rpms   75 k
 nss-util                          x86_64        3.79.0-10.el8_6                     ubi-8-appstream-rpms  139 k
 prometheus-jmx-exporter           noarch        0.12.0-8.el8_6                      ubi-8-appstream-rpms  486 k
 tzdata-java                       noarch        2022e-1.el8                         ubi-8-appstream-rpms  186 k
Enabling module streams:
 javapackages-runtime                            201801

Transaction Summary
====================================================================================================================
Install  19 Packages

Total download size: 39 M
Installed size: 129 M
Is this ok [y/N]: n
This issue has been addressed in the following products: Red Hat Data Grid 8.4.0 Via RHSA-2022:8524 https://access.redhat.com/errata/RHSA-2022:8524
This issue has been addressed in the following products: Red Hat Fuse 7.11.1 Via RHSA-2022:8652 https://access.redhat.com/errata/RHSA-2022:8652
This issue has been addressed in the following products: Red Hat JBoss AMQ Via RHSA-2022:8876 https://access.redhat.com/errata/RHSA-2022:8876
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.10 Via RHSA-2023:0560 https://access.redhat.com/errata/RHSA-2023:0560
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.9 Via RHSA-2023:0777 https://access.redhat.com/errata/RHSA-2023:0777
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 7 Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 8 Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 9 Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045
This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049
This issue has been addressed in the following products: Red Hat Satellite 6.13 for RHEL 8 Via RHSA-2023:2097 https://access.redhat.com/errata/RHSA-2023:2097
This issue has been addressed in the following products: RHINT Camel-Springboot 3.20.1 Via RHSA-2023:2100 https://access.redhat.com/errata/RHSA-2023:2100
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.11 Via RHSA-2023:3198 https://access.redhat.com/errata/RHSA-2023:3198
This issue has been addressed in the following products: RHINT Camel-Springboot 3.18.3.P2 Via RHSA-2023:3641 https://access.redhat.com/errata/RHSA-2023:3641
This issue has been addressed in the following products: RHPAM 7.13.4 async Via RHSA-2023:4983 https://access.redhat.com/errata/RHSA-2023:4983
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.13 Via RHSA-2023:6179 https://access.redhat.com/errata/RHSA-2023:6179
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.14 Via RHSA-2023:7288 https://access.redhat.com/errata/RHSA-2023:7288
This issue has been addressed in the following products: AMQ Clients 3.y for RHEL 8 AMQ Clients 3.y for RHEL 9 Via RHSA-2023:7697 https://access.redhat.com/errata/RHSA-2023:7697
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.13 Via RHSA-2024:0776 https://access.redhat.com/errata/RHSA-2024:0776
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.14 Via RHSA-2024:0777 https://access.redhat.com/errata/RHSA-2024:0777
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.12 Via RHSA-2024:0778 https://access.redhat.com/errata/RHSA-2024:0778
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Via RHSA-2025:4226 https://access.redhat.com/errata/RHSA-2025:4226
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Via RHSA-2025:4437 https://access.redhat.com/errata/RHSA-2025:4437