RedHat: RHSA-2022-6407:01 Moderate: Red Hat Integration Camel-K 1.8
Summary
A minor version update is now available for Red Hat Camel K that includes
CVE fixes in the base images, which are documented in the Release Notes
document linked in the References section.
Security Fix(es):
* hadoop: WebHDFS client might send SPNEGO authorization header
(CVE-2020-9492)
* jetty: request containing multiple Accept headers with a large number of
"quality" parameters may lead to DoS (CVE-2020-27223)
* jackson-databind: denial of service via a large depth of nested objects
(CVE-2020-36518)
* mysql-connector-java: unauthorized access to critical (CVE-2021-2471)
* lz4: memory corruption due to an integer overflow bug caused by memmove
argument (CVE-2021-3520)
* undertow: potential security issue in flow control over HTTP/2 may lead
to DOS (CVE-2021-3629)
* elasticsearch: executing async search improperly stores HTTP headersleading to information disclosure (CVE-2021-22132)
* jetty: Symlink directory exposes webapp directory contents
(CVE-2021-28163)
* jetty: Ambiguous paths can access WEB-INF (CVE-2021-28164)
* jetty: Resource exhaustion when receiving an invalid large TLS frame
(CVE-2021-28165)
* jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
(CVE-2021-37714)
* Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients
(CVE-2021-38153)
* xml-security: XPath Transform abuse allows for information disclosure
(CVE-2021-40690)
* resteasy: Error message exposes endpoint class information
(CVE-2021-20289)
* elasticsearch: Document disclosure flaw when Document or Field Level
Security is used (CVE-2021-22137)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Summary
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
References
https://access.redhat.com/security/cve/CVE-2020-9492 https://access.redhat.com/security/cve/CVE-2020-27223 https://access.redhat.com/security/cve/CVE-2020-36518 https://access.redhat.com/security/cve/CVE-2021-2471 https://access.redhat.com/security/cve/CVE-2021-3520 https://access.redhat.com/security/cve/CVE-2021-3629 https://access.redhat.com/security/cve/CVE-2021-20289 https://access.redhat.com/security/cve/CVE-2021-22132 https://access.redhat.com/security/cve/CVE-2021-22137 https://access.redhat.com/security/cve/CVE-2021-28163 https://access.redhat.com/security/cve/CVE-2021-28164 https://access.redhat.com/security/cve/CVE-2021-28165 https://access.redhat.com/security/cve/CVE-2021-37714 https://access.redhat.com/security/cve/CVE-2021-38153 https://access.redhat.com/security/cve/CVE-2021-40690 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2022-Q3 https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q3
Package List
Topic
A minor version update is now available for Red Hat Integration Camel K.The purpose of this text-only errata is to inform you about the securityissues fixed in this release.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.
Topic
Relevant Releases Architectures
Bugs Fixed
1923181 - CVE-2021-22132 elasticsearch: executing async search improperly stores HTTP headers leading to information disclosure
1925237 - CVE-2020-9492 hadoop: WebHDFS client might send SPNEGO authorization header
1934116 - CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS
1935927 - CVE-2021-20289 resteasy: Error message exposes endpoint class information
1943189 - CVE-2021-22137 elasticsearch: Document disclosure flaw when Document or Field Level Security is used
1945710 - CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents
1945712 - CVE-2021-28164 jetty: Ambiguous paths can access WEB-INF
1945714 - CVE-2021-28165 jetty: Resource exhaustion when receiving an invalid large TLS frame
1954559 - CVE-2021-3520 lz4: memory corruption due to an integer overflow bug caused by memmove argument
1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS
1995259 - CVE-2021-37714 jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
2009041 - CVE-2021-38153 Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients
2011190 - CVE-2021-40690 xml-security: XPath Transform abuse allows for information disclosure
2020583 - CVE-2021-2471 mysql-connector-java: unauthorized access to critical
2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects