-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Data Grid 8.3.0 security update
Advisory ID:       RHSA-2022:0520-01
Product:           Red Hat JBoss Data Grid
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:0520
Issue date:        2022-02-14
CVE Names:         CVE-2021-3642 CVE-2021-29505 CVE-2021-37136 
                   CVE-2021-37137 CVE-2021-39139 CVE-2021-39140 
                   CVE-2021-39141 CVE-2021-39144 CVE-2021-39145 
                   CVE-2021-39146 CVE-2021-39147 CVE-2021-39148 
                   CVE-2021-39149 CVE-2021-39150 CVE-2021-39151 
                   CVE-2021-39152 CVE-2021-39153 CVE-2021-39154 
                   CVE-2021-43797 
====================================================================
1. Summary:

An update for Red Hat Data Grid is now available.
 
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution.
It increases application response times and allows for dramatically
improving performance while providing availability, reliability, and
elastic scale.
 
Data Grid 8.3.0 replaces Data Grid 8.2.3 and includes bug fixes and
enhancements. Find out more about Data Grid 8.3.0 in the Release Notes[3].

Security Fix(es):

* XStream: remote command execution attack by manipulating the processed
input stream (CVE-2021-29505)

* xstream: Arbitrary code execution via unsafe deserialization of Xalan
xsltc.trax.TemplatesImpl (CVE-2021-39139)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.xml.internal.ws.client.sei.* (CVE-2021-39141)

* xstream: Arbitrary code execution via unsafe deserialization of
sun.tracing.* (CVE-2021-39144)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39145)

* xstream: Arbitrary code execution via unsafe deserialization of
javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39146)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.ldap.LdapSearchEnumeration (CVE-2021-39147)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.toolkit.dir.ContextEnumerator (CVE-2021-39148)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.corba.* (CVE-2021-39149)

* xstream: Server-side request forgery (SSRF) via unsafe deserialization of
com.sun.xml.internal.ws.client.sei.* (CVE-2021-39150)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39151)

* xstream: Server-side request forgery (SSRF) via unsafe deserialization of
jdk.nashorn.internal.runtime.Source$URLData (CVE-2021-39152)

* xstream: Arbitrary code execution via unsafe deserialization of Xalan
xsltc.trax.TemplatesImpl (CVE-2021-39153)

* xstream: Arbitrary code execution via unsafe deserialization of
javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39154)

* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)

* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for
decompressed data (CVE-2021-37136)

* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may
buffer skippable chunks in an unnecessary way (CVE-2021-37137)

* xstream: Infinite loop DoS via unsafe deserialization of
sun.reflect.annotation.AnnotationInvocationHandler (CVE-2021-39140)

* netty: control chars in header names may lead to HTTP request smuggling
(CVE-2021-43797)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

To install this update, do the following:
 
1. Download the Data Grid 8.3.0 Server patch from the customer portal[²].
2. Back up your existing Data Grid installation. You should back up
databases, configuration files, and so on.
3. Install the Data Grid 8.3.0 Server patch.
4. Restart Data Grid to ensure the changes take effect.

For more information about Data Grid 8.3.0, refer to the 8.3.0 Release
Notes[³]

4. Bugs fixed (https://bugzilla.redhat.com/):

1966735 - CVE-2021-29505 XStream: remote command execution attack by manipulating the processed input stream
1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer
1997763 - CVE-2021-39139 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl
1997765 - CVE-2021-39140 xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler
1997769 - CVE-2021-39141 xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*
1997772 - CVE-2021-39144 xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.*
1997775 - CVE-2021-39145 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration
1997777 - CVE-2021-39146 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue
1997779 - CVE-2021-39147 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration
1997781 - CVE-2021-39148 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator
1997784 - CVE-2021-39149 xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.*
1997786 - CVE-2021-39150 xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*
1997791 - CVE-2021-39151 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration
1997793 - CVE-2021-39152 xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData
1997795 - CVE-2021-39153 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl
1997801 - CVE-2021-39154 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue
2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way
2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling

5. References:

https://access.redhat.com/security/cve/CVE-2021-3642
https://access.redhat.com/security/cve/CVE-2021-29505
https://access.redhat.com/security/cve/CVE-2021-37136
https://access.redhat.com/security/cve/CVE-2021-37137
https://access.redhat.com/security/cve/CVE-2021-39139
https://access.redhat.com/security/cve/CVE-2021-39140
https://access.redhat.com/security/cve/CVE-2021-39141
https://access.redhat.com/security/cve/CVE-2021-39144
https://access.redhat.com/security/cve/CVE-2021-39145
https://access.redhat.com/security/cve/CVE-2021-39146
https://access.redhat.com/security/cve/CVE-2021-39147
https://access.redhat.com/security/cve/CVE-2021-39148
https://access.redhat.com/security/cve/CVE-2021-39149
https://access.redhat.com/security/cve/CVE-2021-39150
https://access.redhat.com/security/cve/CVE-2021-39151
https://access.redhat.com/security/cve/CVE-2021-39152
https://access.redhat.com/security/cve/CVE-2021-39153
https://access.redhat.com/security/cve/CVE-2021-39154
https://access.redhat.com/security/cve/CVE-2021-43797
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=data.grid&version=8.3
https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.3/html-single/red_hat_data_grid_8.3_release_notes/

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYgqC8NzjgjWX9erEAQjxrhAAlRLvbYFtNVJ58rcPJPTCOB+6LC1nm5CN
GyW70yJwRtNBEgwtsxMH8aEOcIFTdk8dG/FJ+VO86k0OntdPGd64fXRS05fExa9z
qvenykKf+4WteUFmjUoAv5Kf7S6H/+oY8+IrFvTkuC3MWhMDff5Yfi3sXit/kXrP
v5mtRMJxh4ZMBE8a7XscoJ7ZgzW312QCnc14b4XOSPvj6tMpnrWRl8LW6U3B1NtK
2KQrsvwpSIRH3o2+LHc6jdnBqaAv0/+sS2oAkHOcqVSx0wRG5sd7zI9cZt79HpRA
rbowWhKfCdT9S781zs09hFybHoka2UxHfwyQPW2VzVAVn/+Wf1pXmOrXY225aMFL
rKYbXEKGO9KGaJPH0x4vB5Xg8vJ1PHx+K6371Ap577M+u1Hhh4JSU2ic5z/s7NEJ
68wgiameFdh45WIj+jihVHSIfJ4T+8Z0zitdqjH4HfpNPSokeVogZn8EVBP9bI4E
lxw3ei0mP1bJumHZnE2RgB4EjTFKgc0xeChtYXmwaVffDP06nR7UFpzRYi04RK1Y
Jm/6R0SLxpF8zJcFr/DaWUloqlKKnxlQ4uOJXq8UeKve17/E7R19WquILIuNcXe1
ARTfBuHN5PXfa4my2BnvY4eNp/RJqLQyX3GXF73XruFQeLDQwnvFphjeowMNar8o
3q4Xl2OmVZc=AD50
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-0520:01 Moderate: Red Hat Data Grid 8.3.0 security update

An update for Red Hat Data Grid is now available

Summary

Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale.
Data Grid 8.3.0 replaces Data Grid 8.2.3 and includes bug fixes and enhancements. Find out more about Data Grid 8.3.0 in the Release Notes[3].
Security Fix(es):
* XStream: remote command execution attack by manipulating the processed input stream (CVE-2021-29505)
* xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl (CVE-2021-39139)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.* (CVE-2021-39141)
* xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.* (CVE-2021-39144)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39145)
* xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39146)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration (CVE-2021-39147)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator (CVE-2021-39148)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.* (CVE-2021-39149)
* xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.* (CVE-2021-39150)
* xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39151)
* xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData (CVE-2021-39152)
* xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl (CVE-2021-39153)
* xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39154)
* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)
* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136)
* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)
* xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler (CVE-2021-39140)
* netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

To install this update, do the following:
1. Download the Data Grid 8.3.0 Server patch from the customer portal[²]. 2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on. 3. Install the Data Grid 8.3.0 Server patch. 4. Restart Data Grid to ensure the changes take effect.
For more information about Data Grid 8.3.0, refer to the 8.3.0 Release Notes[³]

References

https://access.redhat.com/security/cve/CVE-2021-3642 https://access.redhat.com/security/cve/CVE-2021-29505 https://access.redhat.com/security/cve/CVE-2021-37136 https://access.redhat.com/security/cve/CVE-2021-37137 https://access.redhat.com/security/cve/CVE-2021-39139 https://access.redhat.com/security/cve/CVE-2021-39140 https://access.redhat.com/security/cve/CVE-2021-39141 https://access.redhat.com/security/cve/CVE-2021-39144 https://access.redhat.com/security/cve/CVE-2021-39145 https://access.redhat.com/security/cve/CVE-2021-39146 https://access.redhat.com/security/cve/CVE-2021-39147 https://access.redhat.com/security/cve/CVE-2021-39148 https://access.redhat.com/security/cve/CVE-2021-39149 https://access.redhat.com/security/cve/CVE-2021-39150 https://access.redhat.com/security/cve/CVE-2021-39151 https://access.redhat.com/security/cve/CVE-2021-39152 https://access.redhat.com/security/cve/CVE-2021-39153 https://access.redhat.com/security/cve/CVE-2021-39154 https://access.redhat.com/security/cve/CVE-2021-43797 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=data.grid&version=8.3 https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.3/html-single/red_hat_data_grid_8.3_release_notes/

Package List


Severity
Advisory ID: RHSA-2022:0520-01
Product: Red Hat JBoss Data Grid
Advisory URL: https://access.redhat.com/errata/RHSA-2022:0520
Issued Date: : 2022-02-14
CVE Names: CVE-2021-3642 CVE-2021-29505 CVE-2021-37136 CVE-2021-37137 CVE-2021-39139 CVE-2021-39140 CVE-2021-39141 CVE-2021-39144 CVE-2021-39145 CVE-2021-39146 CVE-2021-39147 CVE-2021-39148 CVE-2021-39149 CVE-2021-39150 CVE-2021-39151 CVE-2021-39152 CVE-2021-39153 CVE-2021-39154 CVE-2021-43797

Topic

An update for Red Hat Data Grid is now available.

Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

1966735 - CVE-2021-29505 XStream: remote command execution attack by manipulating the processed input stream

1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer

1997763 - CVE-2021-39139 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl

1997765 - CVE-2021-39140 xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler

1997769 - CVE-2021-39141 xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*

1997772 - CVE-2021-39144 xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.*

1997775 - CVE-2021-39145 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration

1997777 - CVE-2021-39146 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue

1997779 - CVE-2021-39147 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration

1997781 - CVE-2021-39148 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator

1997784 - CVE-2021-39149 xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.*

1997786 - CVE-2021-39150 xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*

1997791 - CVE-2021-39151 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration

1997793 - CVE-2021-39152 xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData

1997795 - CVE-2021-39153 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl

1997801 - CVE-2021-39154 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue

2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data

2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way

2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling


Related News

19.Laptop Bed Esm H320
2 - 3 min read
The release of Google Chrome 124 addresses four vulnerabilities, including a critical security flaw that can enable attackers to execute arbitrary
23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved