RedHat: RHSA-2021-3205:01 Moderate: Red Hat Integration Camel-K 1.4 release
Summary
A minor version update (from 1.3 to 1.4) is now available for Red Hat Camel
K that includes bug fixes and enhancements, which are documented in the
Release Notes document linked to in the References.
Security Fix(es):
* cron-utils: template injection allows attackers to inject arbitrary Java
EL expressions leading to remote code execution (CVE-2020-26238)
* californium-core: DTLS - DoS vulnerability for certificate based
handshakes (CVE-2020-27222)
* undertow: special character in query results in server errors(CVE-2020-27782)
* bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility
possible (CVE-2020-28052)
* activemq: improper authentication allows MITM attack (CVE-2020-13920)
* flink: apache-flink: directory traversal attack allows remote file
writing through the REST API (CVE-2020-17518)
* groovy: OS temporary directory leads to information disclosure
(CVE-2020-17521)
* kubernetes-client: fabric8-kubernetes-client: vulnerable to a path
traversal leading to integrity and availability compromise (CVE-2021-20218)
* pdfbox: infinite loop while loading a crafted PDF file (CVE-2021-27807)
* cxf-rt-rs-json-basic: CXF: Denial of service vulnerability in parsing
JSON via JsonMapObjectReaderWriter (CVE-2021-30468)
* kotlin-scripting-jvm: kotlin: vulnerable Java API was used for temporary
file and folder creation which could result in information disclosure
(CVE-2020-29582)
* pdfbox: OutOfMemory-Exception while loading a crafted PDF file
(CVE-2021-27906)
* pdfbox: OutOfMemory-Exception while loading a crafted PDF file
(CVE-2021-31811)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Summary
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
References
https://access.redhat.com/security/cve/CVE-2020-13920 https://access.redhat.com/security/cve/CVE-2020-17518 https://access.redhat.com/security/cve/CVE-2020-17521 https://access.redhat.com/security/cve/CVE-2020-26238 https://access.redhat.com/security/cve/CVE-2020-27222 https://access.redhat.com/security/cve/CVE-2020-27782 https://access.redhat.com/security/cve/CVE-2020-28052 https://access.redhat.com/security/cve/CVE-2020-29582 https://access.redhat.com/security/cve/CVE-2021-20218 https://access.redhat.com/security/cve/CVE-2021-27807 https://access.redhat.com/security/cve/CVE-2021-27906 https://access.redhat.com/security/cve/CVE-2021-30468 https://access.redhat.com/security/cve/CVE-2021-31811 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_integration/2021.q3/html/getting_started_with_camel_k/ https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2021-Q3
Package List
Topic
A minor version update (from 1.3 to 1.4) is now available for Red HatIntegration Camel K that includes bug fixes and enhancements. The purposeof this text-only errata is to inform you about the security issues fixedin this release.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.
Topic
Relevant Releases Architectures
Bugs Fixed
1880101 - CVE-2020-13920 activemq: improper authentication allows MITM attack
1901304 - CVE-2020-27782 undertow: special character in query results in server errors1901655 - CVE-2020-26238 cron-utils: template injection allows attackers to inject arbitrary Java EL expressions leading to remote code execution
1912881 - CVE-2020-28052 bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible
1913312 - CVE-2020-17518 apache-flink: directory traversal attack allows remote file writing through the REST API
1922123 - CVE-2020-17521 groovy: OS temporary directory leads to information disclosure
1923405 - CVE-2021-20218 fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise
1930230 - CVE-2020-27222 californium-core: DTLS - DoS vulnerability for certificate based handshakes
1930291 - CVE-2020-29582 kotlin: vulnerable Java API was used for temporary file and folder creation which could result in information disclosure
1941050 - CVE-2021-27906 pdfbox: OutOfMemory-Exception while loading a crafted PDF file
1941055 - CVE-2021-27807 pdfbox: infinite loop while loading a crafted PDF file
1971648 - CVE-2021-31811 pdfbox: OutOfMemory-Exception while loading a crafted PDF file
1973392 - CVE-2021-30468 CXF: Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter