{ "threat_severity" : "Moderate", "public_date" : "2022-10-28T00:00:00Z", "bugzilla" : { "description" : "drools: unsafe data deserialization in StreamUtils", "id" : "2065505", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2065505" }, "cvss3" : { "cvss3_base_score" : "8.8", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-502", "details" : [ "A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.", "A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server." ], "acknowledgement" : "Red Hat would like to thank Paulino Calderon (Websec) for reporting this issue.", "affected_release" : [ { "product_name" : "RHPAM 7.13.1 async", "release_date" : "2022-10-05T00:00:00Z", "advisory" : "RHSA-2022:6813", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13" } ], "package_state" : [ { "product_name" : "Red Hat build of Apache Camel for Spring Boot 3", "fix_state" : "Not affected", "package_name" : "drools-core", "cpe" : "cpe:/a:redhat:camel_spring_boot:3" }, { "product_name" : "Red Hat build of Quarkus", "fix_state" : "Not affected", "package_name" : "drools-core", "cpe" : "cpe:/a:redhat:quarkus:2" }, { "product_name" : "Red Hat Decision Manager 7", "fix_state" : "Affected", "package_name" : "drools-core", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "impact" : "moderate" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "drools-core", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Not affected", "package_name" : "drools-core", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat Integration Camel Quarkus 1", "fix_state" : "Not affected", "package_name" : "drools-core", "cpe" : "cpe:/a:redhat:camel_quarkus:2" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Not affected", "package_name" : "drools-core", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Data Virtualization 6", "fix_state" : "Not affected", "package_name" : "drools-core", "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "drools-core", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "drools-core", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "drools-core", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "drools-core", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Out of support scope", "package_name" : "drools-core", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Affected", "package_name" : "drools-core", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-1415\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-1415" ], "name" : "CVE-2022-1415", "csaw" : false }