-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat support for Spring Boot 2.5.10 update
Advisory ID:       RHSA-2022:1179-01
Product:           Red Hat OpenShift Application Runtimes
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1179
Issue date:        2022-04-12
CVE Names:         CVE-2021-3597 CVE-2021-3629 CVE-2021-3642 
                   CVE-2021-3859 CVE-2021-20289 CVE-2021-30640 
                   CVE-2021-33037 CVE-2021-41079 CVE-2021-42340 
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift Application Runtimes.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each
vulnerability. For more information, see the CVE links in the References
section.

2. Description:

Red Hat support for Spring Boot provides an application platform that
reduces the complexity of developing and operating applications (monoliths
and microservices) for OpenShift as a containerized platform.

This release of Red Hat support for Spring Boot 2.5.10 serves as a
replacement for Red Hat support for Spring Boot 2.4.9, and includes bug
fixes and enhancements. For more information, see the release notes listed
in the References section.

Security Fix(es):

* undertow: client side invocation timeout raised when calling over HTTP2
(CVE-2021-3859)

* tomcat: Infinite loop while reading an unexpected TLS packet when using
OpenSSL JSSE engine (CVE-2021-41079)

* tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could
lead to DoS (CVE-2021-42340)

* undertow: HTTP2SourceChannel fails to write final frame under some
circumstances may lead to DoS (CVE-2021-3597)

* undertow: potential security issue in flow control over HTTP/2 may lead
to DOS (CVE-2021-3629)

* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)

* tomcat: HTTP request smuggling when used with a reverse proxy
(CVE-2021-33037)

* resteasy: Error message exposes endpoint class information
(CVE-2021-20289)

* tomcat: JNDI realm authentication weakness (CVE-2021-30640)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link for the
update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

1935927 - CVE-2021-20289 resteasy: Error message exposes endpoint class information
1970930 - CVE-2021-3597 undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS
1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS
1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer
1981533 - CVE-2021-33037 tomcat: HTTP request smuggling when used with a reverse proxy
1981544 - CVE-2021-30640 tomcat: JNDI realm authentication weakness
2004820 - CVE-2021-41079 tomcat: Infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE engine
2010378 - CVE-2021-3859 undertow: client side invocation timeout raised when calling over HTTP2
2014356 - CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS

5. References:

https://access.redhat.com/security/cve/CVE-2021-3597
https://access.redhat.com/security/cve/CVE-2021-3629
https://access.redhat.com/security/cve/CVE-2021-3642
https://access.redhat.com/security/cve/CVE-2021-3859
https://access.redhat.com/security/cve/CVE-2021-20289
https://access.redhat.com/security/cve/CVE-2021-30640
https://access.redhat.com/security/cve/CVE-2021-33037
https://access.redhat.com/security/cve/CVE-2021-41079
https://access.redhat.com/security/cve/CVE-2021-42340
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.spring.boot&version=2.5.10
https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.5/html/release_notes_for_spring_boot_2.5/index

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYlX6EdzjgjWX9erEAQg9yA/+P1/lTMOi1yV6LLfSX3BdGGK82PYJsuO5
mafisp3yqeixCcljWGYZTjGeptsYoVqDPR1KqYJ2RKJyHcFYdI0DvdrmUHODIVAN
jgmXaeM+i5HfuSX7o+qsH5ZGkuSVT/H6MCTahZo4QwyzNjT2Zmri1jV0D/LA9fW9
pQd91GVrDeVfL0YzOJkdPaaIqaF/suOcH3saCeuABJ5H0qehRBQdlvh0z4ZjZTek
g8knA+/X83ggC1DLlCj9AmHT+RTlD1VrlUgXqrygcCgA58+JK5vM12/mMIslkEL6
+iNCkgpV6nYEW/N0G2CfH9sTk8JYpoY78Yx7V2hT1AxkEPaeReyVjTYcqfV1LenU
2Beo4J1WU4+T5CUao4P/2+MLSsDJDSadfEXM1sGJayULONl61bSCB/+Z/CMA7I/P
sLLhvN4TvMQB1dAfFmj9MFSArQQnxbrzkhp5/rPqWSHTfb1d0sSFU7SpqC4HYH+z
LCcLfC4ItUd5eBLRMtcJQdnFsPqL/3UdoqHyh5CKjJgTVXs/2Q8vKVdIFihon8GB
bPl7YGZT7zyhuSDi26nC0ThjanbE0LVG7Y2MUYNEyQz3gqXU8+HJKBRpKOwihqwM
RFJnNFSPqP3eHfbOMBGQpAzdkT7iLRCuyEGUesN6IplndYdn4fepDep/rdqeGk14
lGgYrqQ7rUU=
=fUW+
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce