RedHat: RHSA-2021-5191:02 Moderate: Red Hat 3scale API Management 2...

Advisories

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat 3scale API Management 2.11.1 Release - Container Images
Advisory ID:       RHSA-2021:5191-01
Product:           3scale API Management
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:5191
Issue date:        2021-12-16
CVE Names:         CVE-2020-26247 CVE-2020-36385 CVE-2021-0512 
                   CVE-2021-3656 CVE-2021-3733 CVE-2021-22946 
                   CVE-2021-22947 CVE-2021-33928 CVE-2021-33929 
                   CVE-2021-33930 CVE-2021-33938 
=====================================================================

1. Summary:

Red Hat 3scale API Management 2.11.1 Release - Container Images

A security update for Red Hat 3scale API Management is now available from
the Red Hat Container Catalog.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability
listed as CVE link(s) in the References section.

2. Description:

Red Hat 3scale API Management delivers centralized API management features
through a distributed, cloud-hosted layer. It includes built-in features to
help in building a more successful API program, including access control,
rate limits, payment gateway integration, and developer experience tools.

This advisory is intended to use with Container Images, for Red Hat 3scale
API Management 2.11.1.

Security Fix(es):

* rubygem-nokogiri: XML external entity injection via Nokogiri::XML::Schema
(CVE-2020-26247)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.11/html-single/installing_3scale/index

4. Bugs fixed (https://bugzilla.redhat.com/):

1912487 - CVE-2020-26247 rubygem-nokogiri: XML external entity injection via Nokogiri::XML::Schema

5. JIRA issues fixed (https://issues.jboss.org/):

THREESCALE-6868 - [3scale][2.11][LO-prio] Improve select default Application plan
THREESCALE-6879 - [3scale][2.11][HI-prio] Add 'Create new Application' flow to Product > Applications index
THREESCALE-7030 - Address scalability in 'Create new Application' form
THREESCALE-7203 - Fix Zync resync command in 5.6.9. Creating equivalent Zync routes
THREESCALE-7475 - Some api calls result in "Destroying user session"
THREESCALE-7488 - Ability to add external Lua dependencies for custom policies
THREESCALE-7573 - Enable proxy environment variables via the APICAST CRD
THREESCALE-7605 - type change of "policies_config" in /admin/api/services/{service_id}/proxy.json
THREESCALE-7633 - Signup form in developer portal is disabled for users authenticted via external SSO
THREESCALE-7644 - Metrics: Service for 3scale operator is missing
THREESCALE-7646 - Cleanup/refactor Products and Backends index logic
THREESCALE-7648 - Remove "#context-menu" from the url 
THREESCALE-7704 - Images based on RHEL 7 should contain at least ca-certificates-2021.2.50-72.el7_9.noarch.rpm
THREESCALE-7731 - Reenable operator metrics service for apicast-operator
THREESCALE-7761 - 3scale Operator doesn't respect *_proxy env vars
THREESCALE-7765 - Remove MessageBus from System
THREESCALE-7834 - admin can't create application when developer is not allowed to pick a plan
THREESCALE-7863 - Update some Obsolete API's in 3scale_v2.js
THREESCALE-7884 - Service top application endpoint is not working properly
THREESCALE-7912 - ServiceMonitor created by monitoring showing HTTP 400 error
THREESCALE-7913 - ServiceMonitor for 3scale operator has wide selector

6. References:

https://access.redhat.com/security/cve/CVE-2020-26247
https://access.redhat.com/security/cve/CVE-2020-36385
https://access.redhat.com/security/cve/CVE-2021-0512
https://access.redhat.com/security/cve/CVE-2021-3656
https://access.redhat.com/security/cve/CVE-2021-3733
https://access.redhat.com/security/cve/CVE-2021-22946
https://access.redhat.com/security/cve/CVE-2021-22947
https://access.redhat.com/security/cve/CVE-2021-33928
https://access.redhat.com/security/cve/CVE-2021-33929
https://access.redhat.com/security/cve/CVE-2021-33930
https://access.redhat.com/security/cve/CVE-2021-33938
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.11/html-single/installing_3scale/index

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYbuXa9zjgjWX9erEAQhd9Q//SJfXxXPd+XV62WY6XMuzYpkSq0yoDhyj
pwNuCSIj9Ck1hF+Us/bbkFuzrvjBBhThUnLDQtKchYvFWW+cXJCqPB8ZxIb1j2O6
RjSp6AwRJY19YKnykd0TdF7fMZYvEX2KaZDfYMIVJ6KKS/E7XvvJHdoVxCSFc5/q
aZYfVafzxRF5EgaPTD5Lnwke5omsSYvyOhzR5oSTs0UZHq/3V7q/7SofhTRMBA3y
V8S/yrEdVUfmDeQMi4NXMbUg3/EdqpnBvP7Vp9eLvFYHcYrM1xbxZg+OVnBhCX72
Ps8uzfCd4/G1nbhGeh5PtSHeTbm0yTw9/ugSWdoaYkGG1vXVQFdt1oz+uuhUu0fy
w+Ng3ef+4JYoJxWcLp7X7eFm1MmRDSntRib/zGB3TWq9LoASFf//tjSIEag80nk3
26Mmu43nP3FEJvdUmtIbDVXmuTjZLCY15VAHCaDWkLZpkfAX2FaldErBPiRciUfX
v+d/Y59luKUahGwxMqZ6KzofSnouUZncIy6xxb5d4LDHPwGPdwkHmgQXy/zsAz8P
5/AN8C54TcFErMe2MDm+EC2l2425Wgum4BqPnvBafFwe0QY8+uJdJwgLKkcJaW/U
BOOf9ahxeiTcn2pgsFCEVUGT+c5GRWGgHZ6HEXBIsxbi4m/4U86qp4u3ZPAORvfe
BW3AwasqEYc=
=QOAK
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2021-5191:02 Moderate: Red Hat 3scale API Management 2.11.1

Red Hat 3scale API Management 2.11.1 Release - Container Images A security update for Red Hat 3scale API Management is now available from the Red Hat Container Catalog

Summary

Red Hat 3scale API Management delivers centralized API management features through a distributed, cloud-hosted layer. It includes built-in features to help in building a more successful API program, including access control, rate limits, payment gateway integration, and developer experience tools.
This advisory is intended to use with Container Images, for Red Hat 3scale API Management 2.11.1.
Security Fix(es):
* rubygem-nokogiri: XML external entity injection via Nokogiri::XML::Schema (CVE-2020-26247)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released erratarelevant to your system have been applied.For details on how to apply this update, refer to:https://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.11/html-single/installing_3scale/index

References

https://access.redhat.com/security/cve/CVE-2020-26247 https://access.redhat.com/security/cve/CVE-2020-36385 https://access.redhat.com/security/cve/CVE-2021-0512 https://access.redhat.com/security/cve/CVE-2021-3656 https://access.redhat.com/security/cve/CVE-2021-3733 https://access.redhat.com/security/cve/CVE-2021-22946 https://access.redhat.com/security/cve/CVE-2021-22947 https://access.redhat.com/security/cve/CVE-2021-33928 https://access.redhat.com/security/cve/CVE-2021-33929 https://access.redhat.com/security/cve/CVE-2021-33930 https://access.redhat.com/security/cve/CVE-2021-33938 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.11/html-single/installing_3scale/index

Package List

Severity
Advisory ID: RHSA-2021:5191-01
Product: 3scale API Management
Advisory URL: https://access.redhat.com/errata/RHSA-2021:5191
Issued Date: : 2021-12-16
CVE Names: CVE-2020-26247 CVE-2020-36385 CVE-2021-0512 CVE-2021-3656 CVE-2021-3733 CVE-2021-22946 CVE-2021-22947 CVE-2021-33928 CVE-2021-33929 CVE-2021-33930 CVE-2021-33938

Topic

Red Hat 3scale API Management 2.11.1 Release - Container ImagesA security update for Red Hat 3scale API Management is now available fromthe Red Hat Container Catalog.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerabilitylisted as CVE link(s) in the References section.

Relevant Releases Architectures

Bugs Fixed

1912487 - CVE-2020-26247 rubygem-nokogiri: XML external entity injection via Nokogiri::XML::Schema

5. JIRA issues fixed (https://issues.jboss.org/):

THREESCALE-6868 - [3scale][2.11][LO-prio] Improve select default Application plan

THREESCALE-6879 - [3scale][2.11][HI-prio] Add 'Create new Application' flow to Product > Applications index

THREESCALE-7030 - Address scalability in 'Create new Application' form

THREESCALE-7203 - Fix Zync resync command in 5.6.9. Creating equivalent Zync routes

THREESCALE-7475 - Some api calls result in "Destroying user session"

THREESCALE-7488 - Ability to add external Lua dependencies for custom policies

THREESCALE-7573 - Enable proxy environment variables via the APICAST CRD

THREESCALE-7605 - type change of "policies_config" in /admin/api/services/{service_id}/proxy.json

THREESCALE-7633 - Signup form in developer portal is disabled for users authenticted via external SSO

THREESCALE-7644 - Metrics: Service for 3scale operator is missing

THREESCALE-7646 - Cleanup/refactor Products and Backends index logic

THREESCALE-7648 - Remove "#context-menu" from the url

THREESCALE-7704 - Images based on RHEL 7 should contain at least ca-certificates-2021.2.50-72.el7_9.noarch.rpm

THREESCALE-7731 - Reenable operator metrics service for apicast-operator

THREESCALE-7761 - 3scale Operator doesn't respect *_proxy env vars

THREESCALE-7765 - Remove MessageBus from System

THREESCALE-7834 - admin can't create application when developer is not allowed to pick a plan

THREESCALE-7863 - Update some Obsolete API's in 3scale_v2.js

THREESCALE-7884 - Service top application endpoint is not working properly

THREESCALE-7912 - ServiceMonitor created by monitoring showing HTTP 400 error

THREESCALE-7913 - ServiceMonitor for 3scale operator has wide selector

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.