{ "threat_severity" : "Moderate", "public_date" : "2022-12-12T00:00:00Z", "bugzilla" : { "description" : "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS", "id" : "2153379", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2153379" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-674", "details" : [ "Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.", "A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS)." ], "affected_release" : [ { "product_name" : "CEQ 2.13.2-1", "release_date" : "2023-02-21T00:00:00Z", "advisory" : "RHSA-2023:0888", "cpe" : "cpe:/a:redhat:camel_quarkus:2.13", "package" : "codec-haproxy" }, { "product_name" : "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date" : "2023-05-31T00:00:00Z", "advisory" : "RHSA-2023:3373", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package" : "mtr/mtr-web-container-rhel8:1.1-7" }, { "product_name" : "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date" : "2023-05-31T00:00:00Z", "advisory" : "RHSA-2023:3374", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package" : "io.netty-netty-parent" }, { "product_name" : "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date" : "2023-05-31T00:00:00Z", "advisory" : "RHSA-2023:3374", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package" : "org.jboss.windup.plugin-windup-maven-plugin-parent" }, { "product_name" : "MTA-6.2-RHEL-9", "release_date" : "2023-08-14T00:00:00Z", "advisory" : "RHSA-2023:4627", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package" : "mta/mta-windup-addon-rhel9:6.2.0-11" }, { "product_name" : "Red Hat build of Eclipse Vert.x 4.3.7", "release_date" : "2023-02-16T00:00:00Z", "advisory" : "RHSA-2023:0577", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0", "package" : "codec-haproxy" }, { "product_name" : "Red Hat build of Quarkus", "release_date" : "2023-02-14T00:00:00Z", "advisory" : "RHSA-2023:0758", "cpe" : "cpe:/a:redhat:quarkus:2.13" }, { "product_name" : "Red Hat Data Grid 8.4.1", "release_date" : "2023-02-09T00:00:00Z", "advisory" : "RHSA-2023:0713", "cpe" : "cpe:/a:redhat:jboss_data_grid:8", "package" : "codec-haproxy" }, { "product_name" : "Red Hat Fuse 7.12", "release_date" : "2023-06-29T00:00:00Z", "advisory" : "RHSA-2023:3954", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "codec-haproxy" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "release_date" : "2023-03-29T00:00:00Z", "advisory" : "RHSA-2023:1516", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package" : "codec-haproxy" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1746", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package" : "eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1746", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package" : "eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1746", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package" : "eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1746", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package" : "eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1746", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package" : "eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1746", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package" : "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1746", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package" : "eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1746", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package" : "eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1747", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1747", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1747", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1747", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1747", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1747", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1747", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1747", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1747", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1747", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1747", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1747", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date" : "2023-03-29T00:00:00Z", "advisory" : "RHSA-2023:1513", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package" : "eap7-netty-0:4.1.86-1.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date" : "2023-03-29T00:00:00Z", "advisory" : "RHSA-2023:1514", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package" : "eap7-netty-0:4.1.86-1.Final_redhat_00001.1.el9eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date" : "2023-03-29T00:00:00Z", "advisory" : "RHSA-2023:1512", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package" : "eap7-netty-0:4.1.86-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat Single Sign-On 7", "release_date" : "2023-05-10T00:00:00Z", "advisory" : "RHSA-2023:2713", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6.3", "package" : "codec-haproxy" }, { "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 7", "release_date" : "2023-05-10T00:00:00Z", "advisory" : "RHSA-2023:2705", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", "package" : "rh-sso7-keycloak-0:18.0.7-1.redhat_00001.1.el7sso" }, { "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 8", "release_date" : "2023-05-10T00:00:00Z", "advisory" : "RHSA-2023:2706", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", "package" : "rh-sso7-keycloak-0:18.0.7-1.redhat_00001.1.el8sso" }, { "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 9", "release_date" : "2023-05-10T00:00:00Z", "advisory" : "RHSA-2023:2707", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9", "package" : "rh-sso7-keycloak-0:18.0.7-1.redhat_00001.1.el9sso" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2023-05-10T00:00:00Z", "advisory" : "RHSA-2023:2710", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rh-sso-7/sso76-openshift-rhel8:7.6-22" }, { "product_name" : "RHINT Camel-Springboot 3.20.1", "release_date" : "2023-05-03T00:00:00Z", "advisory" : "RHSA-2023:2100", "cpe" : "cpe:/a:redhat:camel_spring_boot:3.20.1", "package" : "codec-haproxy" } ], "package_state" : [ { "product_name" : "A-MQ Clients 2", "fix_state" : "Will not fix", "package_name" : "codec-haproxy", "cpe" : "cpe:/a:redhat:a_mq_clients:2" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "openshift-logging/elasticsearch6-rhel8", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Migration Toolkit for Applications 6", "fix_state" : "Affected", "package_name" : "io.netty-netty-parent", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6" }, { "product_name" : "Migration Toolkit for Applications 6", "fix_state" : "Affected", "package_name" : "org.jboss.windup.plugin-windup-maven-plugin-parent", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6" }, { "product_name" : "Migration Toolkit for Applications 6", "fix_state" : "Affected", "package_name" : "org.jboss.windup-windup-parent", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6" }, { "product_name" : "Migration Toolkit for Runtimes", "fix_state" : "Affected", "package_name" : "org.jboss.windup-windup-parent", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1" }, { "product_name" : "Red Hat build of Debezium 1", "fix_state" : "Will not fix", "package_name" : "codec-haproxy", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat build of Quarkus", "fix_state" : "Will not fix", "package_name" : "codec-haproxy", "cpe" : "cpe:/a:redhat:quarkus:2" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Out of support scope", "package_name" : "codec-haproxy", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Affected", "package_name" : "codec-haproxy", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "codec-haproxy", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Out of support scope", "package_name" : "codec-haproxy", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Out of support scope", "package_name" : "codec-haproxy", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-41881\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-41881" ], "name" : "CVE-2022-41881", "csaw" : false }