
Red Hat: RHSA-2021:4918-01 moderate: Camel-K Security Update

Red Hat
December 2, 2021
The latest update for Red Hat Integration Camel-K 1.6 addresses several moderate-severity vulnerabilities; it also introduces patches aimed at ensuring secure functionality.
A minor version update (from 1.4.2 to 1.6) is now available for Red Hat Integration Camel K that includes bug fixes and enhancements.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Summary

A minor version update (from 1.4.2 to 1.6) is now available for Red Hat Camel K that includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39146)
* xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler (CVE-2021-39140)
* xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39154)
* xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl (CVE-2021-39153)
* xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData (CVE-2021-39152)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39151)
* xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei. (CVE-2021-39150)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba. (CVE-2021-39149)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator (CVE-2021-39148)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration (CVE-2021-39147)
* xstream: vulnerable to an arbitrary code execution attack (CVE-2021-39146)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39145)
* xstream: Arbitrary code execution via unsafe deserialization of sun.tracing. (CVE-2021-39144)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei. (CVE-2021-39141)
* xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl (CVE-2021-39139)
* spring-web: (re)creating the temporary storage directory could result in a privilege escalation within WebFlux application (CVE-2021-22118)
* pdfbox: infinite loop while loading a crafted PDF file (CVE-2021-31812)
* jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception (CVE-2020-28491)
* xstream: remote command execution attack by manipulating the processed input stream (CVE-2021-29505)
* json-smart: uncaught exception may lead to crash or information disclosure (CVE-2021-27568)
* velocity: arbitrary code execution when attacker is able to modify templates (CVE-2020-13936)
* mongodb-driver: mongo-java-driver: client-side field level encryption not verifying KMS host name (CVE-2021-20328)
* RESTEasy: Caching routes in RootNode may result in DoS (CVE-2020-14326)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

https://access.redhat.com/security/cve/CVE-2020-13936
https://access.redhat.com/security/cve/CVE-2020-14326
https://access.redhat.com/security/cve/CVE-2020-28491
https://access.redhat.com/security/cve/CVE-2021-20328
https://access.redhat.com/security/cve/CVE-2021-21341
https://access.redhat.com/security/cve/CVE-2021-21342
https://access.redhat.com/security/cve/CVE-2021-21343
https://access.redhat.com/security/cve/CVE-2021-21344
https://access.redhat.com/security/cve/CVE-2021-21345
https://access.redhat.com/security/cve/CVE-2021-21346
https://access.redhat.com/security/cve/CVE-2021-21347
https://access.redhat.com/security/cve/CVE-2021-21348
https://access.redhat.com/security/cve/CVE-2021-21350
https://access.redhat.com/security/cve/CVE-2021-21351
https://access.redhat.com/security/cve/CVE-2021-22118
https://access.redhat.com/security/cve/CVE-2021-27568
https://access.redhat.com/security/cve/CVE-2021-29505
https://access.redhat.com/security/cve/CVE-2021-31812
https://access.redhat.com/security/cve/CVE-2021-39139
https://access.redhat.com/security/cve/CVE-2021-39140
https://access.redhat.com/security/cve/CVE-2021-39141
https://access.redhat.com/security/cve/CVE-2021-39144
https://access.redhat.com/security/cve/CVE-2021-39145

Package List


Advisory ID: RHSA-2021:4918-01
Product: Red Hat Integration
Issue date: 2021-12-02
Cross references: RHBA-2021:79512-01

Topic

A minor version update (from 1.4.2 to 1.6) is now available for Red Hat Integration Camel K that includes bug fixes and enhancements. The purpose of this text-only errata is to inform you about the security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Relevant Releases Architectures

Bugs Fixed

1855826 - CVE-2020-14326 RESTEasy: Caching routes in RootNode may result in DoS
1930423 - CVE-2020-28491 jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception
1934236 - CVE-2021-20328 mongo-java-driver: client-side field level encryption not verifying KMS host name
1937440 - CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates
1939839 - CVE-2021-27568 json-smart: uncaught exception may lead to crash or information disclosure
1942539 - CVE-2021-21341 XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream
1942545 - CVE-2021-21342 XStream: SSRF via crafted input stream
1942550 - CVE-2021-21343 XStream: arbitrary file deletion on the local host via crafted input stream
1942554 - CVE-2021-21344 XStream: Unsafe deserialization of javax.sql.rowset.BaseRowSet
1942558 - CVE-2021-21345 XStream: Unsafe deserialization of com.sun.corba.se.impl.activation.ServerTableEntry
1942578 - CVE-2021-21346 XStream: Unsafe deserialization of sun.swing.SwingLazyValue
1942629 - CVE-2021-21347 XStream: Unsafe deserialization of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator
1942633 - CVE-2021-21348 XStream: ReDoS vulnerability
1942637 - CVE-2021-21350 XStream: Unsafe deserialization of com.sun.org.apache.bcel.internal.util.ClassLoader
