RedHat: RHSA-2022-1013:01 Moderate: Red Hat Integration Camel Extensions
Summary
Red Hat Integration - Camel Extensions for Quarkus 2.2.1 serves as a
replacement for 2.2 and includes the security fixes listed below.
Security Fix(es):
* cron-utils: template injection leading to unauthenticated Remote Code Execution (CVE-2021-41269)
* maven: Block repositories using http by default (CVE-2021-26291)
* bouncycastle: Timing issue within the EC math library (CVE-2020-15522)
* mysql-connector-java: unauthorized access to critical (CVE-2021-2471)
* kubernetes-client: Insecure deserialization in unmarshalYaml method (CVE-2021-4178)
* protobuf-java: potential DoS in the parsing procedure for binary data (CVE-2021-22569)
* jersey: Local information disclosure via system temporary directory (CVE-2021-28168)
* jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluated (CVE-2021-28170)
* mina-sshd-core: Memory leak denial of service in Apache Mina SSHD Server (CVE-2021-30129)
* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136)
* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)
* xml-security: XPath Transform abuse allows for information disclosure (CVE-2021-40690)
* h2: Remote Code Execution in Console (CVE-2021-42392)
* guava: local information disclosure via temporary directory created with unsafe permissions (CVE-2020-8908)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
References
https://access.redhat.com/security/cve/CVE-2020-8908
https://access.redhat.com/security/cve/CVE-2020-15522
https://access.redhat.com/security/cve/CVE-2021-2471
https://access.redhat.com/security/cve/CVE-2021-4178
https://access.redhat.com/security/cve/CVE-2021-22569
https://access.redhat.com/security/cve/CVE-2021-26291
https://access.redhat.com/security/cve/CVE-2021-28168
https://access.redhat.com/security/cve/CVE-2021-28170
https://access.redhat.com/security/cve/CVE-2021-30129
https://access.redhat.com/security/cve/CVE-2021-37136
https://access.redhat.com/security/cve/CVE-2021-37137
https://access.redhat.com/security/cve/CVE-2021-40690
https://access.redhat.com/security/cve/CVE-2021-41269
https://access.redhat.com/security/cve/CVE-2021-42392
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2022-Q2
https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q2
Package List
Topic
A security update to Red Hat Integration Camel Extensions for Quarkus 2.2 is now available. The purpose of this text-only errata is to inform you about the security issues fixed.
Red Hat Product Security has rated this update as having an impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Relevant Releases Architectures
Bugs Fixed
1906919 - CVE-2020-8908 guava: local information disclosure via temporary directory created with unsafe permissions
1953024 - CVE-2021-28168 jersey: Local information disclosure via system temporary directory
1955739 - CVE-2021-26291 maven: Block repositories using http by default
1962879 - CVE-2020-15522 bouncycastle: Timing issue within the EC math library
1965497 - CVE-2021-28170 jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluated
1981527 - CVE-2021-30129 mina-sshd-core: Memory leak denial of service in Apache Mina SSHD Server
2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way
2011190 - CVE-2021-40690 xml-security: XPath Transform abuse allows for information disclosure
2020583 - CVE-2021-2471 mysql-connector-java: unauthorized access to critical
2024632 - CVE-2021-41269 cron-utils: template Injection leading to unauthenticated Remote Code Execution
2034388 - CVE-2021-4178 kubernetes-client: Insecure deserialization in unmarshalYaml method
2039403 - CVE-2021-42392 h2: Remote Code Execution in Console
2039903 - CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data