Alerts This Week
Warning Icon 1 727
Alerts This Week
Warning Icon 1 727

Red Hat Integration: RHSA-2021-3207-01 Moderate Remote Code Exec Risk

red hat
Calendar Grey August 18, 2021
Dist Redhat Esm H88
Important security update for Red Hat Integration Camel Quarkus mitigating various vulnerabilities identified in this version.
An update to the Red Hat Integration Camel Quarkus tech preview is now available

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Summary

This release of Red Hat Integration - Camel Quarkus - 1.8.1 tech-preview 2 serves as a replacement for tech-preview 1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* cron-utils: template injection allows attackers to inject arbitrary Java EL expressions leading to remote code execution (CVE-2020-26238)
* californium-core: DTLS - DoS vulnerability for certificate based handshakes (CVE-2020-27222)
* undertow: special character in query results in server errors(CVE-2020-27782)
* activemq: improper authentication allows MITM attack (CVE-2020-13920)
* flink: apache-flink: directory traversal attack allows remote file writing through the REST API (CVE-2020-17518)
* groovy: OS temporary directory leads to information disclosure (CVE-2020-17521)
* kubernetes-client: fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise (CVE-2021-20218)
* kotlin-scripting-jvm: kotlin: vulnerable Java API was used for temporary file and folder creation which could result in information disclosure (CVE-2020-29582)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Topics%20covered

Topics Covered

security advisory remote code execution DoS moderate impact information disclosure red hat integration camel quarkus

References

https://access.redhat.com/security/cve/CVE-2020-13920 https://access.redhat.com/security/cve/CVE-2020-17518 https://access.redhat.com/security/cve/CVE-2020-17521 https://access.redhat.com/security/cve/CVE-2020-26238 https://access.redhat.com/security/cve/CVE-2020-27222 https://access.redhat.com/security/cve/CVE-2020-27782 https://access.redhat.com/security/cve/CVE-2020-29582 https://access.redhat.com/security/cve/CVE-2021-20218 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_integration/2021.q3/html-single/getting_started_with_camel_quarkus_extensions/ https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2021-Q3

Package List


Advisory ID: RHSA-2021:3207-01
Product: Red Hat Integration
Advisory URL: https://access.redhat.com/errata/RHSA-2021:3207
Issue date: 2021-08-18

Topic

An update to the Red Hat Integration Camel Quarkus tech preview is nowavailable. The purpose of this text-only errata is to inform you about thesecurity issues fixed in this release.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Topics%20covered

Topics Covered

security advisory remote code execution DoS moderate impact information disclosure red hat integration camel quarkus

Relevant Releases Architectures

Bugs Fixed

1880101 - CVE-2020-13920 activemq: improper authentication allows MITM attack

1901304 - CVE-2020-27782 undertow: special character in query results in server errors1901655 - CVE-2020-26238 cron-utils: template injection allows attackers to inject arbitrary Java EL expressions leading to remote code execution

1913312 - CVE-2020-17518 apache-flink: directory traversal attack allows remote file writing through the REST API

1922123 - CVE-2020-17521 groovy: OS temporary directory leads to information disclosure

1923405 - CVE-2021-20218 fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise

1930230 - CVE-2020-27222 californium-core: DTLS - DoS vulnerability for certificate based handshakes

1930291 - CVE-2020-29582 kotlin: vulnerable Java API was used for temporary file and folder creation which could result in information disclosure

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here