In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition. References: https://tanzu.vmware.com/security/cve-2022-22950
services-subscription-watch affected/delegated:
  services-subscription-watch/rhsm/auto-registration-listener:7fe6e34/org.springframework:spring-expression-5.3.2 https://gitlab.cee.redhat.com/rhsm/automatic-registration/blob/master/pom.xml
  services-subscription-watch/rhsm/rhsm-auto-registration-listener:7fe6e34/org.springframework:spring-expression-5.3.2 https://gitlab.cee.redhat.com/rhsm/automatic-registration/blob/production/pom.xml
  services-subscription-watch/rhsm/marketplace-worker:28e1945/org.springframework:spring-expression-5.3.15 https://quay.io/cloudservices/rhsm-subscriptions:28e1945
  services-subscription-watch/rhsm/swatch-system-conduit:latest/org.springframework:spring-expression-5.3.15 https://quay.io/cloudservices/swatch-system-conduit:latest
This issue has been addressed in the following products: Red Hat Fuse 7.11 Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2022:5555 https://access.redhat.com/errata/RHSA-2022:5555
This issue has been addressed in the following products: RHPAM 7.13.0 async Via RHSA-2022:5903 https://access.redhat.com/errata/RHSA-2022:5903
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-22950
This issue has been addressed in the following products: Red Hat OpenShift Application Runtimes Via RHSA-2022:8761 https://access.redhat.com/errata/RHSA-2022:8761