{ "threat_severity" : "Important", "public_date" : "2023-07-12T00:00:00Z", "bugzilla" : { "description" : "okio: GzipSource class improper exception handling", "id" : "2229295", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2229295" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-248", "details" : [ "GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.", "A flaw was found in SquareUp Okio. A class GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This issue may allow a malicious user to start processing a malformed file, which can result in a Denial of Service (DoS)." ], "statement" : "Red Hat JBoss Enterprise Application Platform XP does contain Okio package but is not using GzipSource.java, which is the affected class.\nRed Hat support for Spring Boot is considered low impact as it's used by Dekorate during compilation process and not included in the resulting Jar.", "affected_release" : [ { "product_name" : "Red Hat AMQ Streams 2.5.0", "release_date" : "2023-09-14T00:00:00Z", "advisory" : "RHSA-2023:5165", "cpe" : "cpe:/a:redhat:amq_streams:2" }, { "product_name" : "Red Hat Fuse 7.12.1", "release_date" : "2023-11-15T00:00:00Z", "advisory" : "RHSA-2023:7247", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "okio" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "release_date" : "2024-05-28T00:00:00Z", "advisory" : "RHSA-2024:3385", "cpe" : "cpe:/a:redhat:jbosseapxp", "package" : "okio", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers", "release_date" : "2024-09-12T00:00:00Z", "advisory" : "RHSA-2024:6667", "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el8", "package" : "devspaces/code-rhel8:3.16-20" }, { "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers", "release_date" : "2024-09-12T00:00:00Z", "advisory" : "RHSA-2024:6667", "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el8", "package" : "devspaces/configbump-rhel8:3.16-4" }, { "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers", "release_date" : "2024-09-12T00:00:00Z", "advisory" : "RHSA-2024:6667", "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el8", "package" : "devspaces/dashboard-rhel8:3.16-27" }, { "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers", "release_date" : "2024-09-12T00:00:00Z", "advisory" : "RHSA-2024:6667", "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el8", "package" : "devspaces/devfileregistry-rhel8:3.16-67" }, { "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers", "release_date" : "2024-09-12T00:00:00Z", "advisory" : "RHSA-2024:6667", "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el8", "package" : "devspaces/devspaces-operator-bundle:3.16-70" }, { "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers", "release_date" : "2024-09-12T00:00:00Z", "advisory" : "RHSA-2024:6667", "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el8", "package" : "devspaces/devspaces-rhel8-operator:3.16-11" }, { "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers", "release_date" : "2024-09-12T00:00:00Z", "advisory" : "RHSA-2024:6667", "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el8", "package" : "devspaces/idea-rhel8:3.16-3" }, { "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers", "release_date" : "2024-09-12T00:00:00Z", "advisory" : "RHSA-2024:6667", "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el8", "package" : "devspaces/imagepuller-rhel8:3.16-3" }, { "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers", "release_date" : "2024-09-12T00:00:00Z", "advisory" : "RHSA-2024:6667", "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el8", "package" : "devspaces/machineexec-rhel8:3.16-6" }, { "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers", "release_date" : "2024-09-12T00:00:00Z", "advisory" : "RHSA-2024:6667", "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el8", "package" : "devspaces/pluginregistry-rhel8:3.16-16" }, { "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers", "release_date" : "2024-09-12T00:00:00Z", "advisory" : "RHSA-2024:6667", "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el8", "package" : "devspaces/server-rhel8:3.16-14" }, { "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers", "release_date" : "2024-09-12T00:00:00Z", "advisory" : "RHSA-2024:6667", "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el8", "package" : "devspaces/traefik-rhel8:3.16-2" }, { "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers", "release_date" : "2024-09-12T00:00:00Z", "advisory" : "RHSA-2024:6667", "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el8", "package" : "devspaces/udi-rhel8:3.16-6" }, { "product_name" : "RHPAM 7.13.5 async", "release_date" : "2024-03-18T00:00:00Z", "advisory" : "RHSA-2024:1353", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13", "package" : "okio" } ], "package_state" : [ { "product_name" : "Cryostat 2", "fix_state" : "Not affected", "package_name" : "okio", "cpe" : "cpe:/a:redhat:cryostat:2" }, { "product_name" : "Red Hat build of Apicurio Registry 2", "fix_state" : "Affected", "package_name" : "okio", "cpe" : "cpe:/a:redhat:service_registry:2" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Fix deferred", "package_name" : "okio", "cpe" : "cpe:/a:redhat:jboss_data_grid:8", "impact" : "low" }, { "product_name" : "Red Hat Decision Manager 7", "fix_state" : "Out of support scope", "package_name" : "okio", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "okio", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "okio", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat OpenShift Application Runtimes", "fix_state" : "Will not fix", "package_name" : "okio", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Out of support scope", "package_name" : "openshift3/metrics-hawkular-metrics", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Out of support scope", "package_name" : "openshift3/ose-logging-elasticsearch5", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Out of support scope", "package_name" : "openshift3/ose-metrics-hawkular-metrics", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ose-metering-hadoop", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ose-metering-hive", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ose-metering-presto", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Will not fix", "package_name" : "okio", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "Red Hat support for Spring Boot", "fix_state" : "Fix deferred", "package_name" : "okio", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0", "impact" : "low" }, { "product_name" : "streams for Apache Kafka", "fix_state" : "Affected", "package_name" : "okio", "cpe" : "cpe:/a:redhat:amq_streams:1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-3635\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-3635" ], "name" : "CVE-2023-3635", "csaw" : false }