-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Integration Camel-K 1.8 security update
Advisory ID:       RHSA-2022:6407-01
Product:           Red Hat Integration
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6407
Issue date:        2022-09-09
CVE Names:         CVE-2020-9492 CVE-2020-27223 CVE-2020-36518 
                   CVE-2021-2471 CVE-2021-3520 CVE-2021-3629 
                   CVE-2021-20289 CVE-2021-22132 CVE-2021-22137 
                   CVE-2021-28163 CVE-2021-28164 CVE-2021-28165 
                   CVE-2021-37714 CVE-2021-38153 CVE-2021-40690 
====================================================================
1. Summary:

A minor version update is now available for Red Hat Integration Camel K.
The purpose of this text-only errata is to inform you about the security
issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

A minor version update is now available for Red Hat Camel K that includes
CVE fixes in the base images, which are documented in the Release Notes
document linked in the References section.

Security Fix(es):

* hadoop: WebHDFS client might send SPNEGO authorization header
(CVE-2020-9492)

* jetty: request containing multiple Accept headers with a large number of
"quality" parameters may lead to DoS (CVE-2020-27223)

* jackson-databind: denial of service via a large depth of nested objects
(CVE-2020-36518)

* mysql-connector-java: unauthorized access to critical (CVE-2021-2471)

* lz4: memory corruption due to an integer overflow bug caused by memmove
argument (CVE-2021-3520)

* undertow: potential security issue in flow control over HTTP/2 may lead
to DOS (CVE-2021-3629)

* elasticsearch: executing async search improperly stores HTTP headersleading to information disclosure (CVE-2021-22132)

* jetty: Symlink directory exposes webapp directory contents
(CVE-2021-28163)

* jetty: Ambiguous paths can access WEB-INF (CVE-2021-28164)

* jetty: Resource exhaustion when receiving an invalid large TLS frame
(CVE-2021-28165)

* jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
(CVE-2021-37714)

* Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients
(CVE-2021-38153)

* xml-security: XPath Transform abuse allows for information disclosure
(CVE-2021-40690)

* resteasy: Error message exposes endpoint class information
(CVE-2021-20289)

* elasticsearch: Document disclosure flaw when Document or Field Level
Security is used (CVE-2021-22137)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1923181 - CVE-2021-22132 elasticsearch: executing async search improperly stores HTTP headers leading to information disclosure
1925237 - CVE-2020-9492 hadoop: WebHDFS client might send SPNEGO authorization header
1934116 - CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS
1935927 - CVE-2021-20289 resteasy: Error message exposes endpoint class information
1943189 - CVE-2021-22137 elasticsearch: Document disclosure flaw when Document or Field Level Security is used
1945710 - CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents
1945712 - CVE-2021-28164 jetty: Ambiguous paths can access WEB-INF
1945714 - CVE-2021-28165 jetty: Resource exhaustion when receiving an invalid large TLS frame
1954559 - CVE-2021-3520 lz4: memory corruption due to an integer overflow bug caused by memmove argument
1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS
1995259 - CVE-2021-37714 jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
2009041 - CVE-2021-38153 Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients
2011190 - CVE-2021-40690 xml-security: XPath Transform abuse allows for information disclosure
2020583 - CVE-2021-2471 mysql-connector-java: unauthorized access to critical
2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects

5. References:

https://access.redhat.com/security/cve/CVE-2020-9492
https://access.redhat.com/security/cve/CVE-2020-27223
https://access.redhat.com/security/cve/CVE-2020-36518
https://access.redhat.com/security/cve/CVE-2021-2471
https://access.redhat.com/security/cve/CVE-2021-3520
https://access.redhat.com/security/cve/CVE-2021-3629
https://access.redhat.com/security/cve/CVE-2021-20289
https://access.redhat.com/security/cve/CVE-2021-22132
https://access.redhat.com/security/cve/CVE-2021-22137
https://access.redhat.com/security/cve/CVE-2021-28163
https://access.redhat.com/security/cve/CVE-2021-28164
https://access.redhat.com/security/cve/CVE-2021-28165
https://access.redhat.com/security/cve/CVE-2021-37714
https://access.redhat.com/security/cve/CVE-2021-38153
https://access.redhat.com/security/cve/CVE-2021-40690
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2022-Q3
https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q3

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYxs70NzjgjWX9erEAQjJwA//SOV45S61jVwW0rWlStVD30gzBi4G/Smq
hg/CV6OSMKd+SL5jivW1PPh1T6D30LEWCP4GnLSpDCx36MWGV8QOEL1e2PXAXJK3
vQJbqAHjqIIERY41KJrCBZQ+jUQx1mlev6JRfOP+xvK9lCuwtk/FfhciDEBzbrJA
OG6TLpSxHd8a9sqX0uT8WfXLAiJcU5ZShG87a6ZWfK/b7zvw54TD+V2VX8ob1CKB
UCQZV2z7uzCopDqsfb1br3CMLj28WLCgyWdXM12SX+NPI0YZ+a9+zwAUnnT/Pumg
Qy70O9l7Kr0/RcAiZYk05HG/EBq+dUg2KUkHCOZ+JtiC0wBwYXSLiJI2BQWQj2Zq
NbQ8NQMVWBVslvOtP9CDQSthYjGDHZdyqBSXBFdmrevxbjcg+w8UrF6dMM67fbNs
GPd5y9KgySeoWTmMdkfnBOrsiFXHkWcWvErKX3xn0DniLVFYlesIA5omETvLWzPc
F/KJgb5nj/ObigbfLZo/kAd8zPX3atSatl6CZOejqly6irhTIfIMywkaNjJXU87p
2MuaIyyZyMIvTOaPDhPoE/nGTj8B0fBoOLxFmDirNLcsJXOKLFgPIQnU5r/X0bb8
lcoSrbHvbLHFTf0uTmVRepInph/+JWZ+phGBY/KeoMYY7KTmR5/RUR5smqych3Y7
UtgibM+BGsU=nU0B
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-6407:01 Moderate: Red Hat Integration Camel-K 1.8

A minor version update is now available for Red Hat Integration Camel K

Summary

A minor version update is now available for Red Hat Camel K that includes CVE fixes in the base images, which are documented in the Release Notes document linked in the References section.
Security Fix(es):
* hadoop: WebHDFS client might send SPNEGO authorization header (CVE-2020-9492)
* jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS (CVE-2020-27223)
* jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)
* mysql-connector-java: unauthorized access to critical (CVE-2021-2471)
* lz4: memory corruption due to an integer overflow bug caused by memmove argument (CVE-2021-3520)
* undertow: potential security issue in flow control over HTTP/2 may lead to DOS (CVE-2021-3629)
* elasticsearch: executing async search improperly stores HTTP headersleading to information disclosure (CVE-2021-22132)
* jetty: Symlink directory exposes webapp directory contents (CVE-2021-28163)
* jetty: Ambiguous paths can access WEB-INF (CVE-2021-28164)
* jetty: Resource exhaustion when receiving an invalid large TLS frame (CVE-2021-28165)
* jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck (CVE-2021-37714)
* Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients (CVE-2021-38153)
* xml-security: XPath Transform abuse allows for information disclosure (CVE-2021-40690)
* resteasy: Error message exposes endpoint class information (CVE-2021-20289)
* elasticsearch: Document disclosure flaw when Document or Field Level Security is used (CVE-2021-22137)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2020-9492 https://access.redhat.com/security/cve/CVE-2020-27223 https://access.redhat.com/security/cve/CVE-2020-36518 https://access.redhat.com/security/cve/CVE-2021-2471 https://access.redhat.com/security/cve/CVE-2021-3520 https://access.redhat.com/security/cve/CVE-2021-3629 https://access.redhat.com/security/cve/CVE-2021-20289 https://access.redhat.com/security/cve/CVE-2021-22132 https://access.redhat.com/security/cve/CVE-2021-22137 https://access.redhat.com/security/cve/CVE-2021-28163 https://access.redhat.com/security/cve/CVE-2021-28164 https://access.redhat.com/security/cve/CVE-2021-28165 https://access.redhat.com/security/cve/CVE-2021-37714 https://access.redhat.com/security/cve/CVE-2021-38153 https://access.redhat.com/security/cve/CVE-2021-40690 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2022-Q3 https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q3

Package List


Severity
Advisory ID: RHSA-2022:6407-01
Product: Red Hat Integration
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6407
Issued Date: : 2022-09-09
CVE Names: CVE-2020-9492 CVE-2020-27223 CVE-2020-36518 CVE-2021-2471 CVE-2021-3520 CVE-2021-3629 CVE-2021-20289 CVE-2021-22132 CVE-2021-22137 CVE-2021-28163 CVE-2021-28164 CVE-2021-28165 CVE-2021-37714 CVE-2021-38153 CVE-2021-40690

Topic

A minor version update is now available for Red Hat Integration Camel K.The purpose of this text-only errata is to inform you about the securityissues fixed in this release.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

1923181 - CVE-2021-22132 elasticsearch: executing async search improperly stores HTTP headers leading to information disclosure

1925237 - CVE-2020-9492 hadoop: WebHDFS client might send SPNEGO authorization header

1934116 - CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS

1935927 - CVE-2021-20289 resteasy: Error message exposes endpoint class information

1943189 - CVE-2021-22137 elasticsearch: Document disclosure flaw when Document or Field Level Security is used

1945710 - CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents

1945712 - CVE-2021-28164 jetty: Ambiguous paths can access WEB-INF

1945714 - CVE-2021-28165 jetty: Resource exhaustion when receiving an invalid large TLS frame

1954559 - CVE-2021-3520 lz4: memory corruption due to an integer overflow bug caused by memmove argument

1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS

1995259 - CVE-2021-37714 jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck

2009041 - CVE-2021-38153 Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients

2011190 - CVE-2021-40690 xml-security: XPath Transform abuse allows for information disclosure

2020583 - CVE-2021-2471 mysql-connector-java: unauthorized access to critical

2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects


Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved