Alerts This Week
Warning Icon 1 758
Alerts This Week
Warning Icon 1 758

Red Hat OpenShift: RHSA-2022-1179-01 Important: Spring Boot DoS Fix

red hat
Calendar Grey April 12, 2022
Dist Redhat Esm H88
A critical notice regarding Red Hat OpenShift Application Runtimes to address security flaws identified in Spring Boot version 2.5.10. Users are advised to implement this update promptly.
An update is now available for Red Hat OpenShift Application Runtimes

Solution

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

The References section of this erratum contains a download link for the update. You must be logged in to download the update.

Summary

Red Hat support for Spring Boot provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform.
This release of Red Hat support for Spring Boot 2.5.10 serves as a replacement for Red Hat support for Spring Boot 2.4.9, and includes bug fixes and enhancements. For more information, see the release notes listed in the References section.
Security Fix(es):
* undertow: client side invocation timeout raised when calling over HTTP2 (CVE-2021-3859)
* tomcat: Infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE engine (CVE-2021-41079)
* tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS (CVE-2021-42340)
* undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS (CVE-2021-3597)
* undertow: potential security issue in flow control over HTTP/2 may lead to DOS (CVE-2021-3629)
* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)
* tomcat: HTTP request smuggling when used with a reverse proxy (CVE-2021-33037)
* resteasy: Error message exposes endpoint class information (CVE-2021-20289)
* tomcat: JNDI realm authentication weakness (CVE-2021-30640)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

https://access.redhat.com/security/cve/CVE-2021-3597 https://access.redhat.com/security/cve/CVE-2021-3629 https://access.redhat.com/security/cve/CVE-2021-3642 https://access.redhat.com/security/cve/CVE-2021-3859 https://access.redhat.com/security/cve/CVE-2021-20289 https://access.redhat.com/security/cve/CVE-2021-30640 https://access.redhat.com/security/cve/CVE-2021-33037 https://access.redhat.com/security/cve/CVE-2021-41079 https://access.redhat.com/security/cve/CVE-2021-42340 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.spring.boot&version=2.5.10 https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.5/html/release_notes_for_spring_boot_2.5/index

Package List


Severity
important
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2022:1179-01
Product: Red Hat OpenShift Application Runtimes
Issue date: 2022-04-12

Topic

An update is now available for Red Hat OpenShift Application Runtimes.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for eachvulnerability. For more information, see the CVE links in the Referencessection.

Relevant Releases Architectures

Bugs Fixed

1935927 - CVE-2021-20289 resteasy: Error message exposes endpoint class information

1970930 - CVE-2021-3597 undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS

1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS

1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer

1981533 - CVE-2021-33037 tomcat: HTTP request smuggling when used with a reverse proxy

1981544 - CVE-2021-30640 tomcat: JNDI realm authentication weakness

2004820 - CVE-2021-41079 tomcat: Infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE engine

2010378 - CVE-2021-3859 undertow: client side invocation timeout raised when calling over HTTP2

2014356 - CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here