====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Integration Camel Extensions for Quarkus 2.2.1 security update
Advisory ID:       RHSA-2022:1013-01
Product:           Red Hat Integration
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1013
Issue date:        2022-03-22
CVE Names:         CVE-2020-8908 CVE-2020-15522 CVE-2021-2471 
                   CVE-2021-4178 CVE-2021-22569 CVE-2021-26291 
                   CVE-2021-28168 CVE-2021-28170 CVE-2021-30129 
                   CVE-2021-37136 CVE-2021-37137 CVE-2021-40690 
                   CVE-2021-41269 CVE-2021-42392 
====================================================================
1. Summary:

A security update to Red Hat Integration Camel Extensions for Quarkus 2.2
is now available. The purpose of this text-only errata is to inform you
about the security issues fixed.

Red Hat Product Security has rated this update as having an impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat Integration - Camel Extensions for Quarkus 2.2.1 serves as a
replacement for 2.2 and includes the following security Fix(es):

Security Fix(es):

* cron-utils: template Injection leading to unauthenticated Remote Code
Execution (CVE-2021-41269)

* maven: Block repositories using http by default (CVE-2021-26291)

* bouncycastle: Timing issue within the EC math library (CVE-2020-15522)

* mysql-connector-java: unauthorized access to critical (CVE-2021-2471)

* kubernetes-client: Insecure deserialization in unmarshalYaml method
(CVE-2021-4178)

* protobuf-java: potential DoS in the parsing procedure for binary data
(CVE-2021-22569)

* jersey: Local information disclosure via system temporary directory
(CVE-2021-28168)

* jakarta-el: ELParserTokenManager enables invalid EL expressions to be
evaluated (CVE-2021-28170)

* mina-sshd-core: Memory leak denial of service in Apache Mina SSHD Server
(CVE-2021-30129)

* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for
decompressed data (CVE-2021-37136)

* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may
buffer skippable chunks in an unnecessary way (CVE-2021-37137)

* xml-security: XPath Transform abuse allows for information disclosure
(CVE-2021-40690)

* h2: Remote Code Execution in Console (CVE-2021-42392)

* guava: local information disclosure via temporary directory created with
unsafe permissions (CVE-2020-8908)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1906919 - CVE-2020-8908 guava: local information disclosure via temporary directory created with unsafe permissions
1953024 - CVE-2021-28168 jersey: Local information disclosure via system temporary directory
1955739 - CVE-2021-26291 maven: Block repositories using http by default
1962879 - CVE-2020-15522 bouncycastle: Timing issue within the EC math library
1965497 - CVE-2021-28170 jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluated
1981527 - CVE-2021-30129 mina-sshd-core: Memory leak denial of service in Apache Mina SSHD Server
2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way
2011190 - CVE-2021-40690 xml-security: XPath Transform abuse allows for information disclosure
2020583 - CVE-2021-2471 mysql-connector-java: unauthorized access to critical
2024632 - CVE-2021-41269 cron-utils: template Injection leading to unauthenticated Remote Code Execution
2034388 - CVE-2021-4178 kubernetes-client: Insecure deserialization in unmarshalYaml method
2039403 - CVE-2021-42392 h2: Remote Code Execution in Console
2039903 - CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data
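Advisories in this text layout are usually ingested by a vulnerability-management pipeline rather than read by hand. The parser below is an added example, not Red Hat tooling: it extracts the header fields, the severity, the per-component "Security Fix(es)" entries (which wrap across lines) and the Bugzilla-to-CVE mapping, and flags CVEs named in the header that have no fix entry. The sample input is a constructed excerpt of this advisory.

```python
import re

# Constructed sample: a trimmed excerpt of RHSA-2022:1013 in its plain-text layout.
SAMPLE = """\
Advisory ID:       RHSA-2022:1013-01
Issue date:        2022-03-22
CVE Names:         CVE-2020-8908 CVE-2020-15522
                   CVE-2021-41269 CVE-2021-42392
====================================================================
1. Summary:
Red Hat Product Security has rated this update as having an impact of
Moderate. A CVSS base score is available for each vulnerability.

2. Description:
* cron-utils: template Injection leading to unauthenticated Remote Code
Execution (CVE-2021-41269)

* h2: Remote Code Execution in Console (CVE-2021-42392)

1906919 - CVE-2020-8908 guava: local information disclosure via temporary directory created with unsafe permissions
2039403 - CVE-2021-42392 h2: Remote Code Execution in Console
"""

def parse_rhsa(text):
    """Turn the RHSA plain-text layout into the fields a vuln-management feed needs."""
    header, _, body = text.partition("\n1. Summary:")
    fields, key = {}, None
    for line in header.splitlines():
        m = re.match(r"^([A-Z][A-Za-z ]+):\s+(\S.*)$", line)
        if m:
            key = m.group(1)
            fields[key] = m.group(2).strip()
        elif key and line.startswith(" "):      # wrapped continuation (e.g. CVE Names)
            fields[key] += " " + line.strip()
    sev = re.search(r"impact of\s+(\w+)", body)  # "impact of" and the rating may be split by a newline
    desc = body.partition("2. Description:")[2]
    fixes = []
    for title, cve in re.findall(r"^\* (.+?)\s*\((CVE-\d{4}-\d+)\)\s*$", desc, re.M | re.S):
        component, _, summary = " ".join(title.split()).partition(": ")  # re-join wrapped lines
        fixes.append({"component": component, "summary": summary, "cve": cve})
    bugs = re.findall(r"^(\d+) - (CVE-\d{4}-\d+) (.+)$", body, re.M)   # "<bugzilla id> - <CVE> <title>"
    return {"advisory_id": fields.get("Advisory ID"), "issue_date": fields.get("Issue date"),
            "severity": sev.group(1) if sev else None, "cves": fields.get("CVE Names", "").split(),
            "fixes": fixes, "bugs": {bug: cve for bug, cve, _ in bugs}}

def cves_without_fix_entry(parsed):
    # CVEs named in the header but lacking a "* component: ..." entry; worth a manual look.
    return sorted(set(parsed["cves"]) - {f["cve"] for f in parsed["fixes"]})
```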

5. References:

https://access.redhat.com/security/cve/CVE-2020-8908
https://access.redhat.com/security/cve/CVE-2020-15522
https://access.redhat.com/security/cve/CVE-2021-2471
https://access.redhat.com/security/cve/CVE-2021-4178
https://access.redhat.com/security/cve/CVE-2021-22569
https://access.redhat.com/security/cve/CVE-2021-26291
https://access.redhat.com/security/cve/CVE-2021-28168
https://access.redhat.com/security/cve/CVE-2021-28170
https://access.redhat.com/security/cve/CVE-2021-30129
https://access.redhat.com/security/cve/CVE-2021-37136
https://access.redhat.com/security/cve/CVE-2021-37137
https://access.redhat.com/security/cve/CVE-2021-40690
https://access.redhat.com/security/cve/CVE-2021-41269
https://access.redhat.com/security/cve/CVE-2021-42392
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2022-Q2
https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q2

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
