
Red Hat Integration Camel Extensions for Quarkus GA security update has been released.



RHSA-2021:4767-03: Moderate: Red Hat Integration Camel Extensions for Quarkus GA security update



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat Integration Camel Extensions for Quarkus GA security update
Advisory ID: RHSA-2021:4767-01
Product: Red Hat Integration
Advisory URL: https://access.redhat.com/errata/RHSA-2021:4767
Issue date: 2021-11-23
CVE Names: CVE-2020-13936 CVE-2020-14326 CVE-2020-26217
CVE-2020-26258 CVE-2020-26259 CVE-2020-27218
CVE-2020-27223 CVE-2020-28052 CVE-2020-28491
CVE-2021-3629 CVE-2021-3642 CVE-2021-3690
CVE-2021-20289 CVE-2021-20328 CVE-2021-21341
CVE-2021-21342 CVE-2021-21343 CVE-2021-21344
CVE-2021-21345 CVE-2021-21346 CVE-2021-21347
CVE-2021-21348 CVE-2021-21349 CVE-2021-21350
CVE-2021-21351 CVE-2021-27568 CVE-2021-28163
CVE-2021-28164 CVE-2021-28165 CVE-2021-28169
CVE-2021-29429 CVE-2021-29505 CVE-2021-34428
CVE-2021-39139 CVE-2021-39140 CVE-2021-39141
CVE-2021-39144 CVE-2021-39145 CVE-2021-39146
CVE-2021-39147 CVE-2021-39148 CVE-2021-39149
CVE-2021-39150 CVE-2021-39151 CVE-2021-39152
CVE-2021-39153 CVE-2021-39154
=====================================================================

1. Summary:

Red Hat Integration Camel Extensions for Quarkus 2.2 is now GA. The purpose
of this text-only errata is to inform you about the security issues fixed
since the tech preview 2 release.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

This release of Red Hat Integration - Camel Extensions for Quarkus - 2.2 GA
serves as a replacement for tech-preview 2, and includes bug fixes and
enhancements, which are documented in the Release Notes document linked to
in the References.

Security Fix(es):

* jetty (CVE-2021-28163, CVE-2020-27218, CVE-2020-27223, CVE-2021-28164,
CVE-2021-28169, CVE-2021-28165, CVE-2021-34428)

* undertow: potential security issue in flow control over HTTP/2 may lead
to DoS (CVE-2021-3629)

* xstream (CVE-2021-39144, CVE-2021-39141, CVE-2021-39154, CVE-2021-39153,
CVE-2021-39152, CVE-2021-39151, CVE-2021-39150, CVE-2021-39149,
CVE-2021-39148, CVE-2021-39147, CVE-2021-39146, CVE-2021-39145,
CVE-2021-39140, CVE-2021-39139, CVE-2021-21351, CVE-2021-21350,
CVE-2021-21349, CVE-2021-21348, CVE-2021-21347, CVE-2021-21346,
CVE-2021-21345, CVE-2021-21344, CVE-2021-21343, CVE-2021-21342,
CVE-2021-21341, CVE-2021-29505, CVE-2020-26259, CVE-2020-26258,
CVE-2020-26217)

* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)

* RESTEasy: Caching routes in RootNode may result in DoS (CVE-2020-14326)

* resteasy-core: resteasy: Error message exposes endpoint class information
(CVE-2021-20289)

* velocity: arbitrary code execution when attacker is able to modify
templates (CVE-2020-13936)

* undertow: buffer leak on incoming websocket PONG message may lead to DoS
(CVE-2021-3690)

* mongodb-driver: mongo-java-driver: client-side field level encryption not
verifying KMS host name (CVE-2021-20328)

* gradle: information disclosure through temporary directory permissions
(CVE-2021-29429)

* json-smart: uncaught exception may lead to crash or information
disclosure (CVE-2021-27568)

* bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility
possible (CVE-2020-28052)

* jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a
java.lang.OutOfMemoryError exception (CVE-2020-28491)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

  https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1855826 - CVE-2020-14326 RESTEasy: Caching routes in RootNode may result in DoS
1898907 - CVE-2020-26217 XStream: remote code execution due to insecure XML deserialization when relying on blocklists
1902826 - CVE-2020-27218 jetty: buffer not correctly recycled in Gzip Request inflation
1908832 - CVE-2020-26258 XStream: Server-Side Request Forgery vulnerability can be activated when unmarshalling
1908837 - CVE-2020-26259 XStream: arbitrary file deletion on the local host when unmarshalling
1912881 - CVE-2020-28052 bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible
1930423 - CVE-2020-28491 jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception
1934116 - CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS
1934236 - CVE-2021-20328 mongo-java-driver: client-side field level encryption not verifying KMS host name
1935927 - CVE-2021-20289 resteasy: Error message exposes endpoint class information
1937440 - CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates
1939839 - CVE-2021-27568 json-smart: uncaught exception may lead to crash or information disclosure
1942539 - CVE-2021-21341 XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream
1942545 - CVE-2021-21342 XStream: SSRF via crafted input stream
1942550 - CVE-2021-21343 XStream: arbitrary file deletion on the local host via crafted input stream
1942554 - CVE-2021-21344 XStream: Unsafe deserialization of javax.sql.rowset.BaseRowSet
1942558 - CVE-2021-21345 XStream: Unsafe deserialization of com.sun.corba.se.impl.activation.ServerTableEntry
1942578 - CVE-2021-21346 XStream: Unsafe deserialization of sun.swing.SwingLazyValue
1942629 - CVE-2021-21347 XStream: Unsafe deserialization of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator
1942633 - CVE-2021-21348 XStream: ReDoS vulnerability
1942635 - CVE-2021-21349 XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host
1942637 - CVE-2021-21350 XStream: Unsafe deserialization of com.sun.org.apache.bcel.internal.util.ClassLoader
1942642 - CVE-2021-21351 XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream
1945710 - CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents
1945712 - CVE-2021-28164 jetty: Ambiguous paths can access WEB-INF
1945714 - CVE-2021-28165 jetty: Resource exhaustion when receiving an invalid large TLS frame
1949636 - CVE-2021-29429 gradle: information disclosure through temporary directory permissions
1966735 - CVE-2021-29505 XStream: remote command execution attack by manipulating the processed input stream
1971016 - CVE-2021-28169 jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory
1974891 - CVE-2021-34428 jetty: SessionListener can prevent a session from being invalidated breaking logout
1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DoS
1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer
1991299 - CVE-2021-3690 undertow: buffer leak on incoming websocket PONG message may lead to DoS
1997763 - CVE-2021-39139 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl
1997765 - CVE-2021-39140 xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler
1997769 - CVE-2021-39141 xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*
1997772 - CVE-2021-39144 xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.*
1997775 - CVE-2021-39145 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration
1997777 - CVE-2021-39146 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue
1997779 - CVE-2021-39147 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration
1997781 - CVE-2021-39148 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator
1997784 - CVE-2021-39149 xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.*
1997786 - CVE-2021-39150 xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*
1997791 - CVE-2021-39151 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration
1997793 - CVE-2021-39152 xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData
1997795 - CVE-2021-39153 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl
1997801 - CVE-2021-39154 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue

5. References:

  https://access.redhat.com/security/cve/CVE-2020-13936
  https://access.redhat.com/security/cve/CVE-2020-14326
  https://access.redhat.com/security/cve/CVE-2020-26217
  https://access.redhat.com/security/cve/CVE-2020-26258
  https://access.redhat.com/security/cve/CVE-2020-26259
  https://access.redhat.com/security/cve/CVE-2020-27218
  https://access.redhat.com/security/cve/CVE-2020-27223
  https://access.redhat.com/security/cve/CVE-2020-28052
  https://access.redhat.com/security/cve/CVE-2020-28491
  https://access.redhat.com/security/cve/CVE-2021-3629
  https://access.redhat.com/security/cve/CVE-2021-3642
  https://access.redhat.com/security/cve/CVE-2021-3690
  https://access.redhat.com/security/cve/CVE-2021-20289
  https://access.redhat.com/security/cve/CVE-2021-20328
  https://access.redhat.com/security/cve/CVE-2021-21341
  https://access.redhat.com/security/cve/CVE-2021-21342
  https://access.redhat.com/security/cve/CVE-2021-21343
  https://access.redhat.com/security/cve/CVE-2021-21344
  https://access.redhat.com/security/cve/CVE-2021-21345
  https://access.redhat.com/security/cve/CVE-2021-21346
  https://access.redhat.com/security/cve/CVE-2021-21347
  https://access.redhat.com/security/cve/CVE-2021-21348
  https://access.redhat.com/security/cve/CVE-2021-21349
  https://access.redhat.com/security/cve/CVE-2021-21350
  https://access.redhat.com/security/cve/CVE-2021-21351
  https://access.redhat.com/security/cve/CVE-2021-27568
  https://access.redhat.com/security/cve/CVE-2021-28163
  https://access.redhat.com/security/cve/CVE-2021-28164
  https://access.redhat.com/security/cve/CVE-2021-28165
  https://access.redhat.com/security/cve/CVE-2021-28169
  https://access.redhat.com/security/cve/CVE-2021-29429
  https://access.redhat.com/security/cve/CVE-2021-29505
  https://access.redhat.com/security/cve/CVE-2021-34428
  https://access.redhat.com/security/cve/CVE-2021-39139
  https://access.redhat.com/security/cve/CVE-2021-39140
  https://access.redhat.com/security/cve/CVE-2021-39141
  https://access.redhat.com/security/cve/CVE-2021-39144
  https://access.redhat.com/security/cve/CVE-2021-39145
  https://access.redhat.com/security/cve/CVE-2021-39146
  https://access.redhat.com/security/cve/CVE-2021-39147
  https://access.redhat.com/security/cve/CVE-2021-39148
  https://access.redhat.com/security/cve/CVE-2021-39149
  https://access.redhat.com/security/cve/CVE-2021-39150
  https://access.redhat.com/security/cve/CVE-2021-39151
  https://access.redhat.com/security/cve/CVE-2021-39152
  https://access.redhat.com/security/cve/CVE-2021-39153
  https://access.redhat.com/security/cve/CVE-2021-39154
  https://access.redhat.com/security/updates/classification/#moderate
  https://access.redhat.com/documentation/en-us/red_hat_integration/2021.q4/html-single/getting_started_with_camel_quarkus_extensions/
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2021-Q4

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.