Red Hat Security Advisory 2022-6407-01 - A minor version update is now available for Red Hat Camel K that includes CVE fixes in the base images, which are documented in the Release Notes document linked in the References section. Issues addressed include denial of service, information leakage, integer overflow, and resource exhaustion vulnerabilities.
cc86bb2ed063a9b8609ef6960b486d0a7bff3be7ef9e7f5716ccc3523480f3ed-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat Integration Camel-K 1.8 security update
Advisory ID: RHSA-2022:6407-01
Product: Red Hat Integration
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6407
Issue date: 2022-09-09
CVE Names: CVE-2020-9492 CVE-2020-27223 CVE-2020-36518
CVE-2021-2471 CVE-2021-3520 CVE-2021-3629
CVE-2021-20289 CVE-2021-22132 CVE-2021-22137
CVE-2021-28163 CVE-2021-28164 CVE-2021-28165
CVE-2021-37714 CVE-2021-38153 CVE-2021-40690
=====================================================================
1. Summary:
A minor version update is now available for Red Hat Integration Camel K.
The purpose of this text-only errata is to inform you about the security
issues fixed in this release.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
A minor version update is now available for Red Hat Camel K that includes
CVE fixes in the base images, which are documented in the Release Notes
document linked in the References section.
Security Fix(es):
* hadoop: WebHDFS client might send SPNEGO authorization header
(CVE-2020-9492)
* jetty: request containing multiple Accept headers with a large number of
"quality" parameters may lead to DoS (CVE-2020-27223)
* jackson-databind: denial of service via a large depth of nested objects
(CVE-2020-36518)
* mysql-connector-java: unauthorized access to critical (CVE-2021-2471)
* lz4: memory corruption due to an integer overflow bug caused by memmove
argument (CVE-2021-3520)
* undertow: potential security issue in flow control over HTTP/2 may lead
to DOS (CVE-2021-3629)
* elasticsearch: executing async search improperly stores HTTP headers
leading to information disclosure (CVE-2021-22132)
* jetty: Symlink directory exposes webapp directory contents
(CVE-2021-28163)
* jetty: Ambiguous paths can access WEB-INF (CVE-2021-28164)
* jetty: Resource exhaustion when receiving an invalid large TLS frame
(CVE-2021-28165)
* jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
(CVE-2021-37714)
* Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients
(CVE-2021-38153)
* xml-security: XPath Transform abuse allows for information disclosure
(CVE-2021-40690)
* resteasy: Error message exposes endpoint class information
(CVE-2021-20289)
* elasticsearch: Document disclosure flaw when Document or Field Level
Security is used (CVE-2021-22137)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
4. Bugs fixed (https://bugzilla.redhat.com/):
1923181 - CVE-2021-22132 elasticsearch: executing async search improperly stores HTTP headers leading to information disclosure
1925237 - CVE-2020-9492 hadoop: WebHDFS client might send SPNEGO authorization header
1934116 - CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS
1935927 - CVE-2021-20289 resteasy: Error message exposes endpoint class information
1943189 - CVE-2021-22137 elasticsearch: Document disclosure flaw when Document or Field Level Security is used
1945710 - CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents
1945712 - CVE-2021-28164 jetty: Ambiguous paths can access WEB-INF
1945714 - CVE-2021-28165 jetty: Resource exhaustion when receiving an invalid large TLS frame
1954559 - CVE-2021-3520 lz4: memory corruption due to an integer overflow bug caused by memmove argument
1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS
1995259 - CVE-2021-37714 jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
2009041 - CVE-2021-38153 Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients
2011190 - CVE-2021-40690 xml-security: XPath Transform abuse allows for information disclosure
2020583 - CVE-2021-2471 mysql-connector-java: unauthorized access to critical
2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects
5. References:
https://access.redhat.com/security/cve/CVE-2020-9492
https://access.redhat.com/security/cve/CVE-2020-27223
https://access.redhat.com/security/cve/CVE-2020-36518
https://access.redhat.com/security/cve/CVE-2021-2471
https://access.redhat.com/security/cve/CVE-2021-3520
https://access.redhat.com/security/cve/CVE-2021-3629
https://access.redhat.com/security/cve/CVE-2021-20289
https://access.redhat.com/security/cve/CVE-2021-22132
https://access.redhat.com/security/cve/CVE-2021-22137
https://access.redhat.com/security/cve/CVE-2021-28163
https://access.redhat.com/security/cve/CVE-2021-28164
https://access.redhat.com/security/cve/CVE-2021-28165
https://access.redhat.com/security/cve/CVE-2021-37714
https://access.redhat.com/security/cve/CVE-2021-38153
https://access.redhat.com/security/cve/CVE-2021-40690
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2022-Q3
https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q3
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYxs70NzjgjWX9erEAQjJwA//SOV45S61jVwW0rWlStVD30gzBi4G/Smq
hg/CV6OSMKd+SL5jivW1PPh1T6D30LEWCP4GnLSpDCx36MWGV8QOEL1e2PXAXJK3
vQJbqAHjqIIERY41KJrCBZQ+jUQx1mlev6JRfOP+xvK9lCuwtk/FfhciDEBzbrJA
OG6TLpSxHd8a9sqX0uT8WfXLAiJcU5ZShG87a6ZWfK/b7zvw54TD+V2VX8ob1CKB
UCQZV2z7uzCopDqsfb1br3CMLj28WLCgyWdXM12SX+NPI0YZ+a9+zwAUnnT/Pumg
Qy70O9l7Kr0/RcAiZYk05HG/EBq+dUg2KUkHCOZ+JtiC0wBwYXSLiJI2BQWQj2Zq
NbQ8NQMVWBVslvOtP9CDQSthYjGDHZdyqBSXBFdmrevxbjcg+w8UrF6dMM67fbNs
GPd5y9KgySeoWTmMdkfnBOrsiFXHkWcWvErKX3xn0DniLVFYlesIA5omETvLWzPc
F/KJgb5nj/ObigbfLZo/kAd8zPX3atSatl6CZOejqly6irhTIfIMywkaNjJXU87p
2MuaIyyZyMIvTOaPDhPoE/nGTj8B0fBoOLxFmDirNLcsJXOKLFgPIQnU5r/X0bb8
lcoSrbHvbLHFTf0uTmVRepInph/+JWZ+phGBY/KeoMYY7KTmR5/RUR5smqych3Y7
UtgibM+BGsU=
=nU0B
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed