RedHat: RHSA-2021-0433:01 Moderate: Red Hat Data Grid 8.1.1 security update
Summary
Red Hat Data Grid is a distributed, in-memory data store.
This release of Red Hat Data Grid 8.1.1 serves as a replacement for Red Hat
Data Grid 8.1.0, and includes bug fixes and enhancements, which are
documented in the Release Notes document linked to in the References.
Security Fix(es):
* wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL
(CVE-2020-25644)
* XStream: remote code execution due to insecure XML deserialization when
relying on blocklists (CVE-2020-26217)
* infinispan: authorization check missing for server management operations
(CVE-2020-25711)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Summary
Solution
Refer to the Data Grid 8.1 Upgrade Guide for instructions on upgrading to
this version.
The References section of this erratum contains a download link (you must
log in to download the update).
References
https://access.redhat.com/security/cve/CVE-2020-25644 https://access.redhat.com/security/cve/CVE-2020-25711 https://access.redhat.com/security/cve/CVE-2020-26217 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=securityPatches&version=8.1 https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.1/html/upgrading_data_grid/
Package List
Topic
A security update for Red Hat Data Grid is now available.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.
Topic
Relevant Releases Architectures
Bugs Fixed
1885485 - CVE-2020-25644 wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL
1897618 - CVE-2020-25711 infinispan: authorization check missing for server management operations
1898907 - CVE-2020-26217 XStream: remote code execution due to insecure XML deserialization when relying on blocklists