RedHat: RHSA-2021-2039:01 Moderate: Service Registry (container images)
Summary
This release of Red Hat Integration - Service registry 1.1.1.GA serves as a
replacement for 1.1.0.GA, and includes the below security fixes.
Security Fix(es):
* hibernate-core: SQL injection vulnerability when both
hibernate.use_sql_comments and JPQL String literals are used
(CVE-2020-25638)
* jackson-databind: FasterXML DOMDeserializer insecure entity expansion is
vulnerable to XML external entity (XXE) (CVE-2020-25649)
* golang.org/x/text: possibility to trigger an infinite loop in
encoding/unicode could lead to crash (CVE-2020-14040)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Summary
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
References
https://access.redhat.com/security/cve/CVE-2020-14040 https://access.redhat.com/security/cve/CVE-2020-25638 https://access.redhat.com/security/cve/CVE-2020-25649 https://access.redhat.com/security/updates/classification/#moderate https://catalog.redhat.com/software/container-stacks/detail/5ef2818e7dc79430ca5f4fd2
Package List
Topic
An update to the images for Red Hat Integration Service Registry is nowavailable from the Red Hat Container Catalog. The purpose of this text-onlyerrata is to inform you about the security issues fixed in this release.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.
Topic
Relevant Releases Architectures
Bugs Fixed
1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
1881353 - CVE-2020-25638 hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used
1887664 - CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)