-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat build of Quarkus 2.2.5 release and security update
Advisory ID:       RHSA-2022:0589-01
Product:           Red Hat build of Quarkus
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:0589
Issue date:        2022-02-21
CVE Names:         CVE-2021-2471 CVE-2021-4178 CVE-2021-28170 
                   CVE-2021-37136 CVE-2021-37137 CVE-2021-37714 
                   CVE-2021-38153 CVE-2021-41269 
====================================================================
1. Summary:

An update is now available for Red Hat build of Quarkus.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability. For
more information, see the CVE links in the References section.

2. Description:

This release of Red Hat build of Quarkus 2.2.5 includes security updates,
bug fixes, and enhancements. For more information, see the release notes
page listed in the References section.

Security Fix(es):

* kafka-clients: Kafka: Timing Attack Vulnerability for Apache Kafka
Connect and Clients (CVE-2021-38153)

* kubernetes-client: Insecure deserialization in unmarshalYaml method
(CVE-2021-4178)

* jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
(CVE-2021-37714)

* jakarta.el: jakarta-el: ELParserTokenManager enables invalid EL
expressions to be evaluate (CVE-2021-28170)

* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for
decompressed data (CVE-2021-37136)

* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may
buffer skippable chunks in an unnecessary way (CVE-2021-37137)

* mysql-connector-java: unauthorized access to critical (CVE-2021-2471)

* cron-utils: template Injection leading to unauthenticated Remote Code
Execution(CVE-2021-41269)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link for the
update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

1965497 - CVE-2021-28170 jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluate
1995259 - CVE-2021-37714 jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way
2009041 - CVE-2021-38153 Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients
2020583 - CVE-2021-2471 mysql-connector-java: unauthorized access to critical
2024632 - CVE-2021-41269 cron-utils: template Injection leading to unauthenticated Remote Code Execution
2034388 - CVE-2021-4178 kubernetes-client: Insecure deserialization in unmarshalYaml method

5. References:

https://access.redhat.com/security/cve/CVE-2021-2471
https://access.redhat.com/security/cve/CVE-2021-4178
https://access.redhat.com/security/cve/CVE-2021-28170
https://access.redhat.com/security/cve/CVE-2021-37136
https://access.redhat.com/security/cve/CVE-2021-37137
https://access.redhat.com/security/cve/CVE-2021-37714
https://access.redhat.com/security/cve/CVE-2021-38153
https://access.redhat.com/security/cve/CVE-2021-41269
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus&downloadType=distributions&version=2.2.5
https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.2/
https://access.redhat.com/articles/4966181

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYhQOfNzjgjWX9erEAQjzdA//ddK6hPPLHj5/ubtY1ZS19bIEy5ZcgL45
hY7P1HWdqs+UDXnSMLlgXoDMc+qJNmJ9EkEzY4xNkpqc3WMjVgBsZ6t1wjVhIFxt
dKV1Vj3wwyQJhbbbcxLPhfeJW33hVYNcOWPqlbX4+qnc11slQVIsH2RN0qltP0OA
5LyNjj39lobMoSWxn4T65iexONA6edYcDWrQQrMSLw/xa/w+xMEOL1Dg+LYsJtFp
XPAovAstep1haAAtv6fqTOdmMAZpFVgrzsi/GhrLRS23Q5O3HvTZIWgl+wDVghH1
WuniWLADJ4//X7fibrSq0QCLDpSQ0xc+RInrKfc6gczw1wNbgUoO2ITrzvjeHTx2
7udXXpXlif6uaKPGdDVqfu/LO8GO0q24nQcWav8gI2hksq5QDz6c3PjclJBECGGI
c4jtGAdENlAlK0p7yOgdoByq4VSYt26tMIKQLsvgVUSEEP/xi65FJDl4pEJNNmqM
i2OlMntKYWjEPuX513CWE3A/ZZzteHmksfP/VgPnJ+vh3JMHjvfpGsnCu9WZI2j4
00DQsIOcUZ43DnldJY6pYrkN04JgXjYkyTAH3+vJac4ylU7HqyzyqhucVRQWqp4o
xREFsOy4oxpGyxCpywZCpoZRlGemLCtOh5KTCRKzRrNYZf2dmSo/MIYhPF02dySH
gtC/1OCBcZs=l9VG
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-0589:01 Moderate: Red Hat build of Quarkus 2.2.5 release

An update is now available for Red Hat build of Quarkus

Summary

This release of Red Hat build of Quarkus 2.2.5 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section.
Security Fix(es):
* kafka-clients: Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients (CVE-2021-38153)
* kubernetes-client: Insecure deserialization in unmarshalYaml method (CVE-2021-4178)
* jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck (CVE-2021-37714)
* jakarta.el: jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluate (CVE-2021-28170)
* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136)
* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)
* mysql-connector-java: unauthorized access to critical (CVE-2021-2471)
* cron-utils: template Injection leading to unauthenticated Remote Code Execution(CVE-2021-41269)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
The References section of this erratum contains a download link for the update. You must be logged in to download the update.

References

https://access.redhat.com/security/cve/CVE-2021-2471 https://access.redhat.com/security/cve/CVE-2021-4178 https://access.redhat.com/security/cve/CVE-2021-28170 https://access.redhat.com/security/cve/CVE-2021-37136 https://access.redhat.com/security/cve/CVE-2021-37137 https://access.redhat.com/security/cve/CVE-2021-37714 https://access.redhat.com/security/cve/CVE-2021-38153 https://access.redhat.com/security/cve/CVE-2021-41269 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus&downloadType=distributions&version=2.2.5 https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.2/ https://access.redhat.com/articles/4966181

Package List


Severity
Advisory ID: RHSA-2022:0589-01
Product: Red Hat build of Quarkus
Advisory URL: https://access.redhat.com/errata/RHSA-2022:0589
Issued Date: : 2022-02-21
CVE Names: CVE-2021-2471 CVE-2021-4178 CVE-2021-28170 CVE-2021-37136 CVE-2021-37137 CVE-2021-37714 CVE-2021-38153 CVE-2021-41269

Topic

An update is now available for Red Hat build of Quarkus.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability. Formore information, see the CVE links in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

1965497 - CVE-2021-28170 jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluate

1995259 - CVE-2021-37714 jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck

2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data

2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way

2009041 - CVE-2021-38153 Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients

2020583 - CVE-2021-2471 mysql-connector-java: unauthorized access to critical

2024632 - CVE-2021-41269 cron-utils: template Injection leading to unauthenticated Remote Code Execution

2034388 - CVE-2021-4178 kubernetes-client: Insecure deserialization in unmarshalYaml method


Related News

19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved