RedHat: RHSA-2022-1179:01 Important: Red Hat support for Spring Boot 2.5.10
Summary
Red Hat support for Spring Boot provides an application platform that
reduces the complexity of developing and operating applications (monoliths
and microservices) for OpenShift as a containerized platform.
This release of Red Hat support for Spring Boot 2.5.10 serves as a
replacement for Red Hat support for Spring Boot 2.4.9, and includes bug
fixes and enhancements. For more information, see the release notes listed
in the References section.
Security Fix(es):
* undertow: client side invocation timeout raised when calling over HTTP2
(CVE-2021-3859)
* tomcat: Infinite loop while reading an unexpected TLS packet when using
OpenSSL JSSE engine (CVE-2021-41079)
* tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could
lead to DoS (CVE-2021-42340)
* undertow: HTTP2SourceChannel fails to write final frame under some
circumstances may lead to DoS (CVE-2021-3597)
* undertow: potential security issue in flow control over HTTP/2 may lead
to DOS (CVE-2021-3629)
* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)
* tomcat: HTTP request smuggling when used with a reverse proxy
(CVE-2021-33037)
* resteasy: Error message exposes endpoint class information
(CVE-2021-20289)
* tomcat: JNDI realm authentication weakness (CVE-2021-30640)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Summary
Solution
Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.
The References section of this erratum contains a download link for the
update. You must be logged in to download the update.
References
https://access.redhat.com/security/cve/CVE-2021-3597 https://access.redhat.com/security/cve/CVE-2021-3629 https://access.redhat.com/security/cve/CVE-2021-3642 https://access.redhat.com/security/cve/CVE-2021-3859 https://access.redhat.com/security/cve/CVE-2021-20289 https://access.redhat.com/security/cve/CVE-2021-30640 https://access.redhat.com/security/cve/CVE-2021-33037 https://access.redhat.com/security/cve/CVE-2021-41079 https://access.redhat.com/security/cve/CVE-2021-42340 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.spring.boot&version=2.5.10 https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.5/html/release_notes_for_spring_boot_2.5/index
Package List
Topic
An update is now available for Red Hat OpenShift Application Runtimes.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for eachvulnerability. For more information, see the CVE links in the Referencessection.
Topic
Relevant Releases Architectures
Bugs Fixed
1935927 - CVE-2021-20289 resteasy: Error message exposes endpoint class information
1970930 - CVE-2021-3597 undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS
1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS
1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer
1981533 - CVE-2021-33037 tomcat: HTTP request smuggling when used with a reverse proxy
1981544 - CVE-2021-30640 tomcat: JNDI realm authentication weakness
2004820 - CVE-2021-41079 tomcat: Infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE engine
2010378 - CVE-2021-3859 undertow: client side invocation timeout raised when calling over HTTP2
2014356 - CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS