{ "threat_severity" : "Important", "public_date" : "2022-11-04T00:00:00Z", "bugzilla" : { "description" : "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing", "id" : "2142707", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2142707" }, "cvss3" : { "cvss3_base_score" : "8.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-787", "details" : [ "Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.", "An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected." ], "statement" : "Fuse 7 ships the code in question but does not utilize it in the product, so it is affected at a reduced impact of Moderate.", "affected_release" : [ { "product_name" : "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date" : "2023-01-26T00:00:00Z", "advisory" : "RHSA-2023:0470", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package" : "mtr/mtr-operator-bundle:1.0-30" }, { "product_name" : "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date" : "2023-01-26T00:00:00Z", "advisory" : "RHSA-2023:0470", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package" : "mtr/mtr-rhel8-operator:1.0-10" }, { "product_name" : "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date" : "2023-01-26T00:00:00Z", "advisory" : "RHSA-2023:0470", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package" : "mtr/mtr-web-container-rhel8:1.0-15" }, { "product_name" : "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date" : "2023-01-26T00:00:00Z", "advisory" : "RHSA-2023:0470", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package" : "mtr/mtr-web-executor-container-rhel8:1.0-14" }, { "product_name" : "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date" : "2023-01-26T00:00:00Z", "advisory" : "RHSA-2023:0471", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package" : "org.jboss.windup-windup-parent" }, { "product_name" : "MTA-6.0-RHEL-8", "release_date" : "2023-02-28T00:00:00Z", "advisory" : "RHSA-2023:0934", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6.0::el8", "package" : "mta/mta-ui-rhel8:6.0.1-10" }, { "product_name" : "Red Hat AMQ Streams 2.7.0", "release_date" : "2024-05-30T00:00:00Z", "advisory" : "RHSA-2024:3527", "cpe" : "cpe:/a:redhat:amq_streams:2" }, { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2022-12-13T00:00:00Z", "advisory" : "RHSA-2022:8958", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "bcel-0:5.2-19.el7_9" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-01-02T00:00:00Z", "advisory" : "RHSA-2023:0005", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "bcel-0:6.4.1-9.el9_1" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date" : "2023-01-02T00:00:00Z", "advisory" : "RHSA-2023:0004", "cpe" : "cpe:/a:redhat:rhel_eus:9.0", "package" : "bcel-0:6.4.1-9.el9_0" }, { "product_name" : "Red Hat Fuse 7.12", "release_date" : "2023-06-29T00:00:00Z", "advisory" : "RHSA-2023:3954", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "apache-bcel", "impact" : "moderate" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2022-12-13T00:00:00Z", "advisory" : "RHSA-2022:8959", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-maven36-bcel-0:6.3.1-2.3.el7" }, { "product_name" : "RHPAM 7.13.4 async", "release_date" : "2023-09-05T00:00:00Z", "advisory" : "RHSA-2023:4983", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13", "package" : "apache-bcel" } ], "package_state" : [ { "product_name" : "Migration Toolkit for Applications 6", "fix_state" : "Affected", "package_name" : "org.jboss.windup-windup-cli-parent", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6" }, { "product_name" : "Migration Toolkit for Runtimes", "fix_state" : "Affected", "package_name" : "org.jboss.windup.plugin-windup-maven-plugin", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1" }, { "product_name" : "Migration Toolkit for Runtimes", "fix_state" : "Affected", "package_name" : "org.jboss.windup.plugin-windup-maven-plugin-parent", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1" }, { "product_name" : "Migration Toolkit for Runtimes", "fix_state" : "Affected", "package_name" : "org.jboss.windup.rules-windup-rulesets", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1" }, { "product_name" : "Migration Toolkit for Runtimes", "fix_state" : "Affected", "package_name" : "org.jboss.windup.rules-windup-rulesets-parent", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1" }, { "product_name" : "Migration Toolkit for Runtimes", "fix_state" : "Affected", "package_name" : "org.jboss.windup.web-windup-web-parent", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1" }, { "product_name" : "Migration Toolkit for Runtimes", "fix_state" : "Affected", "package_name" : "org.jboss.windup-windup-cli-parent", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "apache-bcel", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Not affected", "package_name" : "apache-bcel", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Out of support scope", "package_name" : "apache-bcel", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "bcel", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Affected", "package_name" : "bcel", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7", "impact" : "low" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "bcel", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "apache-bcel", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Out of support scope", "package_name" : "apache-bcel", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Affected", "package_name" : "apache-bcel", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-42920\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-42920\nhttps://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4" ], "name" : "CVE-2022-42920", "csaw" : false }