Risk: High
Patch available: Yes
Number of vulnerabilities: 20
CVE-ID: CVE-2022-21296, CVE-2022-24407, CVE-2022-21366, CVE-2022-21365, CVE-2022-21360, CVE-2022-21341, CVE-2022-21340, CVE-2022-21305, CVE-2022-21299, CVE-2022-21294, CVE-2021-44716, CVE-2022-21293, CVE-2022-21291, CVE-2022-21283, CVE-2022-21282, CVE-2022-21277, CVE-2022-21248, CVE-2021-3712, CVE-2021-3521, CVE-2021-44717
CWE-ID: CWE-20, CWE-89, CWE-125, CWE-347, CWE-400
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Red Hat OpenShift Serverless (Server applications / Virtualization software)
Vendor: Red Hat Inc.
Security Bulletin
This security bulletin contains information about 20 vulnerabilities.
EUVDB-ID: #VU59726
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2022-21296
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the JAXP component of the Java runtime (Oracle lists the issue for Java SE and GraalVM Enterprise Edition; the same code ships in OpenJDK). A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
Mitigation
Install updates from vendor's website.
Red Hat OpenShift Serverless: 1.0.0 - 1.20.0
External links
http://access.redhat.com/errata/RHSA-2022:1051
EUVDB-ID: #VU60842
Risk: High
CVSSv3.1:
CVE-ID: CVE-2022-24407
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists because the SQL auxprop plugin shipped with Cyrus SASL escapes the user name and realm but pastes the client-supplied password unescaped into the SQL statement it builds. A remote non-authenticated attacker can send a specially crafted password during authentication to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete or modify data in the database and gain complete control over the affected application.
Mitigation
Install updates from vendor's website.
Red Hat OpenShift Serverless: 1.0.0 - 1.20.0
External links
http://access.redhat.com/errata/RHSA-2022:1051
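The statement-building flaw described above, modelled as an added Python example against an in-memory SQLite table. This is illustrative code written for this bulletin, not the Cyrus SASL sql plugin's C source: the `users` table, its columns, the two accounts and the crafted password string are all constructed for the demonstration. The vulnerable function escapes user name and realm but interpolates the password verbatim, exactly the shape of the bug; the fixed function binds every value as a parameter.

```python
import sqlite3

# Constructed attacker input: the quote closes the value, the rest rewrites the WHERE clause
# and the "--" comments out the plugin's own WHERE clause.
CRAFTED_PASSWORD = "pwned' WHERE username = 'admin' --"


def make_db():
    """Constructed sample credential table (a SASL sql auxprop backend would look like this)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, realm TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "example.org", "admin-secret"), ("bob", "example.org", "bob-secret")],
    )
    db.commit()
    return db


def sql_escape(value):
    """Quote-doubling, the escaping the plugin applied to user name and realm."""
    return value.replace("'", "''")


def vulnerable_store(db, username, realm, password):
    """Unsafe: username and realm are escaped, the password is pasted verbatim."""
    sql = "UPDATE users SET password = '%s' WHERE username = '%s' AND realm = '%s'" % (
        password, sql_escape(username), sql_escape(realm))
    db.execute(sql)
    db.commit()


def fixed_store(db, username, realm, password):
    """Hardened: every client-controlled value is bound as a parameter, never concatenated."""
    db.execute(
        "UPDATE users SET password = ? WHERE username = ? AND realm = ?",
        (password, username, realm),
    )
    db.commit()


def passwords(db):
    """Current password column, keyed by user name, so the effect of a store can be inspected."""
    return dict(db.execute("SELECT username, password FROM users"))


def demo(store):
    """Authenticate as 'bob' with the crafted password and return the resulting table state."""
    db = make_db()
    store(db, "bob", "example.org", CRAFTED_PASSWORD)
    return passwords(db)


if __name__ == "__main__":
    print("vulnerable:", demo(vulnerable_store))   # admin's password is now 'pwned'
    print("fixed:     ", demo(fixed_store))        # only bob's row changes, to the literal string
```

With the vulnerable builder the executed statement becomes `UPDATE users SET password = 'pwned' WHERE username = 'admin' --' WHERE username = 'bob' AND realm = 'example.org'`, so the attacker who authenticated as `bob` has reset `admin`'s credential. Parameter binding makes the same input an ordinary string value for `bob`'s own row.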
EUVDB-ID: #VU59724
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2022-21366
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the ImageIO component of the Java runtime (Oracle lists the issue for Java SE and GraalVM Enterprise Edition; the same code ships in OpenJDK). A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
Mitigation
Install updates from vendor's website.
Red Hat OpenShift Serverless: 1.0.0 - 1.20.0
External links
http://access.redhat.com/errata/RHSA-2022:1051
EUVDB-ID: #VU59723
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2022-21365
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the ImageIO component of the Java runtime (Oracle lists the issue for Java SE and GraalVM Enterprise Edition; the same code ships in OpenJDK). A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
Mitigation
Install updates from vendor's website.
Red Hat OpenShift Serverless: 1.0.0 - 1.20.0
External links
http://access.redhat.com/errata/RHSA-2022:1051
EUVDB-ID: #VU59722
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2022-21360
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the ImageIO component of the Java runtime (Oracle lists the issue for Java SE and GraalVM Enterprise Edition; the same code ships in OpenJDK). A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
Mitigation
Install updates from vendor's website.
Red Hat OpenShift Serverless: 1.0.0 - 1.20.0
External links
http://access.redhat.com/errata/RHSA-2022:1051
EUVDB-ID: #VU59733
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2022-21341
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Serialization component of the Java runtime (Oracle lists the issue for Java SE and GraalVM Enterprise Edition; the same code ships in OpenJDK). A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
Mitigation
Install updates from vendor's website.
Red Hat OpenShift Serverless: 1.0.0 - 1.20.0
External links
http://access.redhat.com/errata/RHSA-2022:1051
EUVDB-ID: #VU59732
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2022-21340
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Libraries component of the Java runtime (Oracle lists the issue for Java SE and GraalVM Enterprise Edition; the same code ships in OpenJDK). A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
Mitigation
Install updates from vendor's website.
Red Hat OpenShift Serverless: 1.0.0 - 1.20.0
External links
http://access.redhat.com/errata/RHSA-2022:1051
EUVDB-ID: #VU59720
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2022-21305
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the Hotspot component of the Java runtime (Oracle lists the issue for Java SE and GraalVM Enterprise Edition; the same code ships in OpenJDK). A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
Mitigation
Install updates from vendor's website.
Red Hat OpenShift Serverless: 1.0.0 - 1.20.0
External links
http://access.redhat.com/errata/RHSA-2022:1051
EUVDB-ID: #VU59727
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2022-21299
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the JAXP component of the Java runtime (Oracle lists the issue for Java SE and GraalVM Enterprise Edition; the same code ships in OpenJDK). A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
Mitigation
Install updates from vendor's website.
Red Hat OpenShift Serverless: 1.0.0 - 1.20.0
External links
http://access.redhat.com/errata/RHSA-2022:1051
EUVDB-ID: #VU59731
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2022-21294
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Libraries component of the Java runtime (Oracle lists the issue for Java SE and GraalVM Enterprise Edition; the same code ships in OpenJDK). A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
Mitigation
Install updates from vendor's website.
Red Hat OpenShift Serverless: 1.0.0 - 1.20.0
External links
http://access.redhat.com/errata/RHSA-2022:1051
EUVDB-ID: #VU58824
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2021-44716
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in the Go net/http package (and golang.org/x/net/http2): the HTTP/2 server keeps a per-connection cache of canonicalized header keys that grows without bound. A remote attacker can send a stream of HTTP/2 requests carrying many distinct header names to the affected application, exhaust the server's memory and perform a denial of service (DoS) attack.
Mitigation
Install updates from vendor's website.
Red Hat OpenShift Serverless: 1.0.0 - 1.20.0
External links
http://access.redhat.com/errata/RHSA-2022:1051
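An added Python example, written for this bulletin and not taken from the Go project or Red Hat, of the failure mode above and of the fix pattern: a cache keyed on attacker-chosen header names must be bounded. The `CanonicalHeaderCache` class, the simplified canonicalization (Go uses `textproto.CanonicalMIMEHeaderKey`), the attack loop and the cap of 32 entries are all assumptions made here to show the shape of the problem, not the Go implementation.

```python
class CanonicalHeaderCache:
    """Per-connection memo of header-name -> canonical form.

    max_entries=None reproduces the unbounded behaviour; a positive cap is the fix pattern:
    once full, the cache still answers lookups but stops remembering new keys.
    """

    def __init__(self, max_entries=None):
        self.max_entries = max_entries
        self._cache = {}

    @staticmethod
    def canonicalize(key):
        # Simplified canonical form (assumption): capitalize each dash-separated token.
        return "-".join(part.capitalize() for part in key.lower().split("-"))

    def canonical(self, key):
        hit = self._cache.get(key)
        if hit is not None:
            return hit
        value = self.canonicalize(key)
        if self.max_entries is None or len(self._cache) < self.max_entries:
            self._cache[key] = value
        return value

    def size(self):
        return len(self._cache)


def simulate_attack(cache, requests):
    """Constructed attacker traffic: every request carries a header name never seen before.

    Returns the number of entries retained by the cache afterwards; that count is the memory
    the attacker pinned on the connection.
    """
    for i in range(requests):
        cache.canonical("x-attacker-%d" % i)
    return cache.size()


if __name__ == "__main__":
    print("unbounded:", simulate_attack(CanonicalHeaderCache(), 100_000))
    print("capped:   ", simulate_attack(CanonicalHeaderCache(max_entries=32), 100_000))
```

The unbounded variant retains one entry per request for the lifetime of the connection, so a single client holding a long-lived HTTP/2 connection grows server memory linearly with the number of requests it sends; the capped variant stops retaining after the cap while still returning correct canonical names.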
EUVDB-ID: #VU59730
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2022-21293
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Libraries component of the Java runtime (Oracle lists the issue for Java SE and GraalVM Enterprise Edition; the same code ships in OpenJDK). A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
Mitigation
Install updates from vendor's website.
Red Hat OpenShift Serverless: 1.0.0 - 1.20.0
External links
http://access.redhat.com/errata/RHSA-2022:1051
EUVDB-ID: #VU59719
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2022-21291
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the Hotspot component of the Java runtime (Oracle lists the issue for Java SE and GraalVM Enterprise Edition; the same code ships in OpenJDK). A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
Mitigation
Install updates from vendor's website.
Red Hat OpenShift Serverless: 1.0.0 - 1.20.0
External links
http://access.redhat.com/errata/RHSA-2022:1051
EUVDB-ID: #VU59729
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2022-21283
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Libraries component of the Java runtime (Oracle lists the issue for Java SE and GraalVM Enterprise Edition; the same code ships in OpenJDK). A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
Mitigation
Install updates from vendor's website.
Red Hat OpenShift Serverless: 1.0.0 - 1.20.0
External links
http://access.redhat.com/errata/RHSA-2022:1051
EUVDB-ID: #VU59725
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2022-21282
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the JAXP component of the Java runtime (Oracle lists the issue for Java SE and GraalVM Enterprise Edition; the same code ships in OpenJDK). A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
Mitigation
Install updates from vendor's website.
Red Hat OpenShift Serverless: 1.0.0 - 1.20.0
External links
http://access.redhat.com/errata/RHSA-2022:1051
EUVDB-ID: #VU59721
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2022-21277
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the ImageIO component of the Java runtime (Oracle lists the issue for Java SE and GraalVM Enterprise Edition; the same code ships in OpenJDK). A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
Mitigation
Install updates from vendor's website.
Red Hat OpenShift Serverless: 1.0.0 - 1.20.0
External links
http://access.redhat.com/errata/RHSA-2022:1051
EUVDB-ID: #VU59734
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2022-21248
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the Serialization component of the Java runtime (Oracle lists the issue for Java SE and GraalVM Enterprise Edition; the same code ships in OpenJDK). A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
Mitigation
Install updates from vendor's website.
Red Hat OpenShift Serverless: 1.0.0 - 1.20.0
External links
http://access.redhat.com/errata/RHSA-2022:1051
EUVDB-ID: #VU56064
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2021-3712
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition when processing ASN.1 strings in OpenSSL: an ASN1_STRING carries an explicit length and is not required to be NUL-terminated, but several OpenSSL functions (mainly printing and comparison routines) treated the buffer as a C string. A remote attacker can pass specially crafted data (for example a certificate) to the application to trigger an out-of-bounds read, read the contents of adjacent memory or perform a denial of service (DoS) attack.
Mitigation
Install updates from vendor's website.
Red Hat OpenShift Serverless: 1.0.0 - 1.20.0
External links
http://access.redhat.com/errata/RHSA-2022:1051
EUVDB-ID: #VU59993
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2021-3521
CWE-ID:
CWE-347 - Improper Verification of Cryptographic Signature
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to an error in RPM's signature verification: RPM does not check the binding signature of subkeys before importing them, so a subkey is trusted merely because it appears inside a trusted public key. A remote attacker able to append a malicious subkey to a legitimate public key (for example by tampering with the key on its way to the host) can sign packages with that subkey, have RPM accept them as trusted and run malicious code on the system.
Mitigation
Install updates from vendor's website.
Red Hat OpenShift Serverless: 1.0.0 - 1.20.0
External links
http://access.redhat.com/errata/RHSA-2022:1051
EUVDB-ID: #VU59042
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2021-44717
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in the Go syscall package on Unix systems: when the process has run out of file descriptors, syscall.ForkExec (used by os/exec) can mistakenly close file descriptor 0 as a side effect of the failed call. The next file or socket the program opens is then assigned descriptor 0, so later reads or writes meant for standard input go to that unrelated file or connection. A remote attacker who can drive the process into file descriptor exhaustion can use this to disrupt the service or cause data to be read from or written to the wrong place.
Mitigation
Install updates from vendor's website.
Red Hat OpenShift Serverless: 1.0.0 - 1.20.0
External links
http://access.redhat.com/errata/RHSA-2022:1051
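An added Python example, written for this bulletin and not taken from the Go project, of the mechanism behind the issue above: POSIX hands out the lowest free descriptor, so once descriptor 0 has been closed by mistake the next open() lands on it and "standard input" silently becomes that file. The demo runs in a forked child so the caller's own descriptors are untouched; the temporary file and its contents are constructed for the demonstration.

```python
import os
import tempfile


def fd0_reuse_demo():
    """Simulate the bug in a forked child and report what happened.

    Returns (fd_assigned_by_open, bytes_read_from_fd_0). On a POSIX system the descriptor
    is 0 and the bytes are the temp file's content, because reads of "stdin" now hit the file.
    """
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:
        status = 1
        try:
            # Constructed sample file standing in for a config file or socket the program opens later.
            with tempfile.NamedTemporaryFile(delete=False) as tmp:
                tmp.write(b"secret config\n")
                path = tmp.name
            try:
                os.close(0)            # the bug: descriptor 0 closed as a side effect of a failed call
            except OSError:
                pass                   # already closed: same end state for the demonstration
            fd = os.open(path, os.O_RDONLY)   # lowest free descriptor is now 0
            data = os.read(0, 64)             # anything reading "stdin" gets the file instead
            os.unlink(path)
            os.write(w, b"%d:%s" % (fd, data))
            status = 0
        finally:
            os._exit(status)
    os.close(w)
    chunks = []
    while True:
        chunk = os.read(r, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(r)
    os.waitpid(pid, 0)
    fd_str, _, data = b"".join(chunks).partition(b":")
    return int(fd_str), data


if __name__ == "__main__":
    fd, data = fd0_reuse_demo()
    print("open() returned fd %d; read(0) gave %r" % (fd, data))
```

The same reuse works in the other direction: if the recycled descriptor is a network socket, whatever the program later writes to descriptor 0 goes to that peer. This is why the fix had to be in the library's descriptor bookkeeping rather than in application code, which cannot tell that its standard input was swapped out from under it.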