RedHat: RHSA-2021-3207:01 Moderate: Red Hat Integration Camel Quarkus
Summary
This release of Red Hat Integration - Camel Quarkus - 1.8.1 tech-preview 2
serves as a replacement for tech-preview 1, and includes bug fixes and
enhancements, which are documented in the Release Notes document linked to
in the References.
Security Fix(es):
* cron-utils: template injection allows attackers to inject arbitrary Java
EL expressions leading to remote code execution (CVE-2020-26238)
* californium-core: DTLS - DoS vulnerability for certificate based
handshakes (CVE-2020-27222)
* undertow: special character in query results in server errors(CVE-2020-27782)
* activemq: improper authentication allows MITM attack (CVE-2020-13920)
* flink: apache-flink: directory traversal attack allows remote file
writing through the REST API (CVE-2020-17518)
* groovy: OS temporary directory leads to information disclosure
(CVE-2020-17521)
* kubernetes-client: fabric8-kubernetes-client: vulnerable to a path
traversal leading to integrity and availability compromise (CVE-2021-20218)
* kotlin-scripting-jvm: kotlin: vulnerable Java API was used for temporary
file and folder creation which could result in information disclosure
(CVE-2020-29582)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Summary
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
References
https://access.redhat.com/security/cve/CVE-2020-13920 https://access.redhat.com/security/cve/CVE-2020-17518 https://access.redhat.com/security/cve/CVE-2020-17521 https://access.redhat.com/security/cve/CVE-2020-26238 https://access.redhat.com/security/cve/CVE-2020-27222 https://access.redhat.com/security/cve/CVE-2020-27782 https://access.redhat.com/security/cve/CVE-2020-29582 https://access.redhat.com/security/cve/CVE-2021-20218 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_integration/2021.q3/html-single/getting_started_with_camel_quarkus_extensions/ https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2021-Q3
Package List
Topic
An update to the Red Hat Integration Camel Quarkus tech preview is nowavailable. The purpose of this text-only errata is to inform you about thesecurity issues fixed in this release.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.
Topic
Relevant Releases Architectures
Bugs Fixed
1880101 - CVE-2020-13920 activemq: improper authentication allows MITM attack
1901304 - CVE-2020-27782 undertow: special character in query results in server errors1901655 - CVE-2020-26238 cron-utils: template injection allows attackers to inject arbitrary Java EL expressions leading to remote code execution
1913312 - CVE-2020-17518 apache-flink: directory traversal attack allows remote file writing through the REST API
1922123 - CVE-2020-17521 groovy: OS temporary directory leads to information disclosure
1923405 - CVE-2021-20218 fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise
1930230 - CVE-2020-27222 californium-core: DTLS - DoS vulnerability for certificate based handshakes
1930291 - CVE-2020-29582 kotlin: vulnerable Java API was used for temporary file and folder creation which could result in information disclosure