RedHat: RHSA-2022-0520:01 Moderate: Red Hat Data Grid 8.3.0 security update
Summary
Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution.
It increases application response times and allows for dramatically
improving performance while providing availability, reliability, and
elastic scale.
Data Grid 8.3.0 replaces Data Grid 8.2.3 and includes bug fixes and
enhancements. Find out more about Data Grid 8.3.0 in the Release Notes[3].
Security Fix(es):
* XStream: remote command execution attack by manipulating the processed
input stream (CVE-2021-29505)
* xstream: Arbitrary code execution via unsafe deserialization of Xalan
xsltc.trax.TemplatesImpl (CVE-2021-39139)
* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.xml.internal.ws.client.sei.* (CVE-2021-39141)
* xstream: Arbitrary code execution via unsafe deserialization of
sun.tracing.* (CVE-2021-39144)
* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39145)
* xstream: Arbitrary code execution via unsafe deserialization of
javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39146)
* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.ldap.LdapSearchEnumeration (CVE-2021-39147)
* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.toolkit.dir.ContextEnumerator (CVE-2021-39148)
* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.corba.* (CVE-2021-39149)
* xstream: Server-side request forgery (SSRF) via unsafe deserialization of
com.sun.xml.internal.ws.client.sei.* (CVE-2021-39150)
* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39151)
* xstream: Server-side request forgery (SSRF) via unsafe deserialization of
jdk.nashorn.internal.runtime.Source$URLData (CVE-2021-39152)
* xstream: Arbitrary code execution via unsafe deserialization of Xalan
xsltc.trax.TemplatesImpl (CVE-2021-39153)
* xstream: Arbitrary code execution via unsafe deserialization of
javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39154)
* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)
* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for
decompressed data (CVE-2021-37136)
* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may
buffer skippable chunks in an unnecessary way (CVE-2021-37137)
* xstream: Infinite loop DoS via unsafe deserialization of
sun.reflect.annotation.AnnotationInvocationHandler (CVE-2021-39140)
* netty: control chars in header names may lead to HTTP request smuggling
(CVE-2021-43797)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Summary
Solution
To install this update, do the following:
1. Download the Data Grid 8.3.0 Server patch from the customer portal[²].
2. Back up your existing Data Grid installation. You should back up
databases, configuration files, and so on.
3. Install the Data Grid 8.3.0 Server patch.
4. Restart Data Grid to ensure the changes take effect.
For more information about Data Grid 8.3.0, refer to the 8.3.0 Release
Notes[³]
References
https://access.redhat.com/security/cve/CVE-2021-3642 https://access.redhat.com/security/cve/CVE-2021-29505 https://access.redhat.com/security/cve/CVE-2021-37136 https://access.redhat.com/security/cve/CVE-2021-37137 https://access.redhat.com/security/cve/CVE-2021-39139 https://access.redhat.com/security/cve/CVE-2021-39140 https://access.redhat.com/security/cve/CVE-2021-39141 https://access.redhat.com/security/cve/CVE-2021-39144 https://access.redhat.com/security/cve/CVE-2021-39145 https://access.redhat.com/security/cve/CVE-2021-39146 https://access.redhat.com/security/cve/CVE-2021-39147 https://access.redhat.com/security/cve/CVE-2021-39148 https://access.redhat.com/security/cve/CVE-2021-39149 https://access.redhat.com/security/cve/CVE-2021-39150 https://access.redhat.com/security/cve/CVE-2021-39151 https://access.redhat.com/security/cve/CVE-2021-39152 https://access.redhat.com/security/cve/CVE-2021-39153 https://access.redhat.com/security/cve/CVE-2021-39154 https://access.redhat.com/security/cve/CVE-2021-43797 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=data.grid&version=8.3 https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.3/html-single/red_hat_data_grid_8.3_release_notes/
Package List
Topic
An update for Red Hat Data Grid is now available.
Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.
Topic
Relevant Releases Architectures
Bugs Fixed
1966735 - CVE-2021-29505 XStream: remote command execution attack by manipulating the processed input stream
1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer
1997763 - CVE-2021-39139 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl
1997765 - CVE-2021-39140 xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler
1997769 - CVE-2021-39141 xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*
1997772 - CVE-2021-39144 xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.*
1997775 - CVE-2021-39145 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration
1997777 - CVE-2021-39146 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue
1997779 - CVE-2021-39147 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration
1997781 - CVE-2021-39148 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator
1997784 - CVE-2021-39149 xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.*
1997786 - CVE-2021-39150 xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*
1997791 - CVE-2021-39151 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration
1997793 - CVE-2021-39152 xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData
1997795 - CVE-2021-39153 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl
1997801 - CVE-2021-39154 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue
2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way
2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling