RedHat: RHSA-2021-3851:01 Important: Red Hat 3scale API Management 2.11.0
Summary
Red Hat 3scale API Management delivers centralized API management features
through a distributed, cloud-hosted layer. It includes built-in features to
help in building a more successful API program, including access control,
rate limits, payment gateway integration, and developer experience tools.
This advisory is intended to use with Container Images, for Red Hat 3scale
API Management 2.11.0.
Security Fixes:
* PT RHOAM: XSS in 3scale at various places (CVE-2021-3442)
* aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto SDK for golang
(CVE-2020-8911)
* aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto SDK for golang
(CVE-2020-8912)
For more details about the security issues, including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
pages listed in the References section.
Summary
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/documentation/en-us/red_hat_3scale_api_management
/2.11/html-single/installing_3scale/index
References
https://access.redhat.com/security/cve/CVE-2020-8911 https://access.redhat.com/security/cve/CVE-2020-8912 https://access.redhat.com/security/cve/CVE-2021-3442 https://access.redhat.com/security/cve/CVE-2021-3653 https://access.redhat.com/security/cve/CVE-2021-3715 https://access.redhat.com/security/cve/CVE-2021-22922 https://access.redhat.com/security/cve/CVE-2021-22923 https://access.redhat.com/security/cve/CVE-2021-22924 https://access.redhat.com/security/cve/CVE-2021-27218 https://access.redhat.com/security/cve/CVE-2021-36222 https://access.redhat.com/security/cve/CVE-2021-37750 https://access.redhat.com/security/updates/classification/#important
Package List
Topic
Red Hat 3scale API Management 2.11.0 Release - Container ImagesA security update for Red Hat 3scale API Management is now available fromthe Red Hat Container Catalog.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilitylisted as CVE link(s) in the References section.
Topic
Relevant Releases Architectures
Bugs Fixed
1869800 - CVE-2020-8911 aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto SDK for golang
1869801 - CVE-2020-8912 aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto SDK for golang
1930083 - CVE-2021-3442 PT RHOAM: XSS in 3scale at various places