Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found -3 articles for you...
98
security advisoryRed HatupdateRed Hat: RHSA-2023:1303-01 Important: Data Grid Arbitrary Execution
An update for Red Hat Data Grid is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat Data Grid 7.3.10 security update Advisory ID: RHSA-2023:1303-01 Product: Red Hat JBoss Data Grid Advisory URL: https://access.redhat.com/errata/RHSA-2023:1303 Issue date: 2023-03-17 CVE Names: CVE-2021-39144 ==================================================================== 1. Summary: An update for Red Hat Data Grid is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale. Data Grid 7.3.10 replaces Data Grid 7.3.9 and includes security fixes. Find out more about Data Grid 7.3.10 in the Release Notes [3]. Security Fix(es): * xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.* [jdg-7] (CVE-2021-39144) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: To install this update, do the following: 1. Download the Data Grid 7.3.10 server patch from the customer portal[²]. 2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on. 3. Install the Data Grid 7.3.10 server patch. Referto the 7.3.10 Release Notes[³] for patching instructions. 4. Restart Data Grid to ensure the changes take effect. 4. Bugs fixed (https://bugzilla.redhat.com/): 1997772 - CVE-2021-39144 xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.* 5. References: https://access.redhat.com/security/cve/CVE-2021-39144 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381&product=data.grid&version=7.3&downloadType=patches https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZBTYVNzjgjWX9erEAQhHthAAiqFael90Zr9oJeXz2tVOoc3arF/dAAHI rl2Mi6+LEFkkuoHVpGBXU/FbksghFQ3AVmvU/rA8LDu3XyXlVY0ZcsxnktI7cttL 74/HXf5D5WOra2f6ixm90ExTUQfFTi081Z4brLdYi9SwaKj0eRMBEX95uprkr/xS jvOZEjTyGSMBIZD8zxf602EDCQ9taWesbzpsDeWPP/R3ZF4ZCFZp3L9SLVxsYkGm RiMGait8V8EBUYlWS9Qnlk9CqxOOjKcaw7N5yv/g4ovdcEylFv9O4WKHUO9X3dXt b35Rv8IwzfNeHr80iI+kQT8TwVn52lvTd0PpmVSh+C0R2AXQiX2pWUUg1/tZ6HG7 KkhpBIhk9m9+JdZjcVAyys+SivRwzaWx7JFUFPpRAL6BV3INd2sm41nLIEDr0Wew pnlVYsiAcXi6xqSPyma8L0W+2BHKg2rFfijw0Oujyd6jrDtjjy2+U2UleiTaF21e M4SWBo6JyIG9jibwCUNgkgtkHg+h9yTfGCnprJ5+T5KlqS55aFzTehibr4dvCpfv wmUHijodtSCnNnf4ki2TS3TN6Cjis07W4LvF5wFG+9nCH+UA8uRDxUM1L3CsFxIJ L8T3yYmVOzel6hbhT5P7aV5KhuBSf3W9jsF8EPeU76X9DDB1D6ga+eiQ3H1femS+ qT3glZUiVjs=pxlM -----END PGP SIGNATURE----- -- RHSA-announce mailing list
Mar 17, 2023
•Important
Red Hat
98
security advisorymoderatedenial of serviceRed Hat Data Grid 8.3.1 RHSA-2022:2232-01 Moderate: Denial of Service
An update for Red Hat Data Grid is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat Data Grid 8.3.1 security update Advisory ID: RHSA-2022:2232-01 Product: Red Hat JBoss Data Grid Advisory URL: https://access.redhat.com/errata/RHSA-2022:2232 Issue date: 2022-05-12 CVE Names: CVE-2020-36518 CVE-2021-38153 CVE-2022-0084 ==================================================================== 1. Summary: An update for Red Hat Data Grid is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale. Data Grid 8.3.1 replaces Data Grid 8.3.0 and includes bug fixes and enhancements. Find out more about Data Grid 8.3.1 in the Release Notes[3]. Security Fix(es): * jackson-databind: denial of service via a large depth of nested objects [jdg-8] (CVE-2020-36518) * kafka-clients: Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients [jdg-8] (CVE-2021-38153) * xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr [jdg-8] (CVE-2022-0084) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: To install this update, do thefollowing: 1. Download the Data Grid 8.3.1 Server patch from the customer portal[²]. 2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on. 3. Install the Data Grid 8.3.1 Server patch. 4. Restart Data Grid to ensure the changes take effect. For more information about Data Grid 8.3.1, refer to the 8.3.1 Release Notes[³] 4. Bugs fixed (https://bugzilla.redhat.com/): 2009041 - CVE-2021-38153 Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients 2064226 - CVE-2022-0084 xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 5. References: https://access.redhat.com/security/cve/CVE-2020-36518 https://access.redhat.com/security/cve/CVE-2021-38153 https://access.redhat.com/security/cve/CVE-2022-0084 https://access.redhat.com/security/updates/classification#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=securityPatches&version=8.3 https://docs.redhat.com/en/documentation/red_hat_data_grid/8.3/html-single/red_hat_data_grid_8.3_release_notes/index 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPGv1 iQIVAwUBYn0zH9zjgjWX9erEAQhZLw/+JPEE+waFwwS+b4v4/LLIwTjtFhXPqZYP WArn7i/vjG6ktOsZU397wdlik4Sv+tmPVX+aElmXLnTALJiOsm7iWjEjuT8qPhqt c2V9xN6vEQC7V1IXdwbUQwlkt3r40XbfhsGc4KKHjA8J5fWECwkByM5ofQ4j59jO lxpIPa5yRjCV8/4p7lKAXFYMeBInZtb8i4c7pYVnA9Eq+o2bRpV9P3/ES9q8xGF8 yVBC1Gt/fDZlmDznxlzUEih4HMxmW1uwQhZFHbw6jp6D0bYCn1wWrC6y7FYUmRJ6 /13BnHV27naz+xBGuSA6EB+AKmzlA85NyIimN2h63AT8VJb2IYv0vM2JMb0JRdK0 8SAE6hYmjodKxVcqANsBRiiea3vR9GTLN71zCXP8Pmk0dsI1GK29s574QuxUpKSQ YY8vXaL0K3j35IsGzmr7AvlYCQr1d3GPFaTnnj3XK+asRDMDrFvw8sCsNjLGRgHI dzZdcjpnIi3DXsp3ic1qRbZHpd9C/3o1r7hU++/nkkNNKXjGmzU+EAutaVHXxgLO XyuIIScDVb5kNrBpH5krzqU2TA31TFz0RGN5Am6vm8zc5rGyW7iMijAAreU8icgn Vt6KDpeDYuTffOBgo9WLR7kmo4xq7w94e1rDFxmGhL2OlsJI7S9gTxMhn/lONxTy IZnZKy4mPpA=6Kqs -----END PGP SIGNATURE----- -- RHSA-announce mailing list
May 12, 2022
Red Hat
98
security advisorysecurity updatearbitrary code executionRed Hat: RHSA-2022:0520-01 Moderate: Data Grid 8.3.0 Security Update
An update for Red Hat Data Grid is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat Data Grid 8.3.0 security update Advisory ID: RHSA-2022:0520-01 Product: Red Hat JBoss Data Grid Advisory URL: https://access.redhat.com/errata/RHSA-2022:0520 Issue date: 2022-02-14 CVE Names: CVE-2021-3642 CVE-2021-29505 CVE-2021-37136 CVE-2021-37137 CVE-2021-39139 CVE-2021-39140 CVE-2021-39141 CVE-2021-39144 CVE-2021-39145 CVE-2021-39146 CVE-2021-39147 CVE-2021-39148 CVE-2021-39149 CVE-2021-39150 CVE-2021-39151 CVE-2021-39152 CVE-2021-39153 CVE-2021-39154 CVE-2021-43797 ==================================================================== 1. Summary: An update for Red Hat Data Grid is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale. Data Grid 8.3.0 replaces Data Grid 8.2.3 and includes bug fixes and enhancements. Find out more about Data Grid 8.3.0 in the Release Notes[3]. Security Fix(es): * XStream: remote command execution attack by manipulating the processed input stream (CVE-2021-29505) * xstream: Arbitrary code execution via unsafe deserialization ofXalan xsltc.trax.TemplatesImpl (CVE-2021-39139) * xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.* (CVE-2021-39141) * xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.* (CVE-2021-39144) * xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39145) * xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39146) * xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration (CVE-2021-39147) * xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator (CVE-2021-39148) * xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.* (CVE-2021-39149) * xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.* (CVE-2021-39150) * xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39151) * xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData (CVE-2021-39152) * xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl (CVE-2021-39153) * xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39154) * wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642) * netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136) * netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137) * xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler (CVE-2021-39140) * netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797) For moredetails about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: To install this update, do the following: 1. Download the Data Grid 8.3.0 Server patch from the customer portal[²]. 2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on. 3. Install the Data Grid 8.3.0 Server patch. 4. Restart Data Grid to ensure the changes take effect. For more information about Data Grid 8.3.0, refer to the 8.3.0 Release Notes[³] 4. Bugs fixed (https://bugzilla.redhat.com/): 1966735 - CVE-2021-29505 XStream: remote command execution attack by manipulating the processed input stream 1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer 1997763 - CVE-2021-39139 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl 1997765 - CVE-2021-39140 xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler 1997769 - CVE-2021-39141 xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.* 1997772 - CVE-2021-39144 xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.* 1997775 - CVE-2021-39145 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration 1997777 - CVE-2021-39146 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue 1997779 - CVE-2021-39147 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration 1997781 - CVE-2021-39148 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator 1997784 - CVE-2021-39149 xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.* 1997786 - CVE-2021-39150 xstream: Server-side request forgery (SSRF) via unsafe deserialization ofcom.sun.xml.internal.ws.client.sei.* 1997791 - CVE-2021-39151 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration 1997793 - CVE-2021-39152 xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData 1997795 - CVE-2021-39153 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl 1997801 - CVE-2021-39154 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue 2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data 2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way 2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling 5.References: https://access.redhat.com/security/cve/CVE-2021-3642 https://access.redhat.com/security/cve/CVE-2021-29505 https://access.redhat.com/security/cve/CVE-2021-37136 https://access.redhat.com/security/cve/CVE-2021-37137 https://access.redhat.com/security/cve/CVE-2021-39139 https://access.redhat.com/security/cve/CVE-2021-39140 https://access.redhat.com/security/cve/CVE-2021-39141 https://access.redhat.com/security/cve/CVE-2021-39144 https://access.redhat.com/security/cve/CVE-2021-39145 https://access.redhat.com/security/cve/CVE-2021-39146 https://access.redhat.com/security/cve/CVE-2021-39147 https://access.redhat.com/security/cve/CVE-2021-39148 https://access.redhat.com/security/cve/CVE-2021-39149 https://access.redhat.com/security/cve/CVE-2021-39150 https://access.redhat.com/security/cve/CVE-2021-39151 https://access.redhat.com/security/cve/CVE-2021-39152 https://access.redhat.com/security/cve/CVE-2021-39153 https://access.redhat.com/security/cve/CVE-2021-39154 https://access.redhat.com/security/cve/CVE-2021-43797 https://access.redhat.com/security/updates/classification#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=data.grid&version=8.3 https://docs.redhat.com/en/documentation/red_hat_data_grid/8.3/html-single/red_hat_data_grid_8.3_release_notes/index 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPGv1 iQIVAwUBYgqC8NzjgjWX9erEAQjxrhAAlRLvbYFtNVJ58rcPJPTCOB+6LC1nm5CN GyW70yJwRtNBEgwtsxMH8aEOcIFTdk8dG/FJ+VO86k0OntdPGd64fXRS05fExa9z qvenykKf+4WteUFmjUoAv5Kf7S6H/+oY8+IrFvTkuC3MWhMDff5Yfi3sXit/kXrP v5mtRMJxh4ZMBE8a7XscoJ7ZgzW312QCnc14b4XOSPvj6tMpnrWRl8LW6U3B1NtK 2KQrsvwpSIRH3o2+LHc6jdnBqaAv0/+sS2oAkHOcqVSx0wRG5sd7zI9cZt79HpRA rbowWhKfCdT9S781zs09hFybHoka2UxHfwyQPW2VzVAVn/+Wf1pXmOrXY225aMFL rKYbXEKGO9KGaJPH0x4vB5Xg8vJ1PHx+K6371Ap577M+u1Hhh4JSU2ic5z/s7NEJ 68wgiameFdh45WIj+jihVHSIfJ4T+8Z0zitdqjH4HfpNPSokeVogZn8EVBP9bI4E lxw3ei0mP1bJumHZnE2RgB4EjTFKgc0xeChtYXmwaVffDP06nR7UFpzRYi04RK1Y Jm/6R0SLxpF8zJcFr/DaWUloqlKKnxlQ4uOJXq8UeKve17/E7R19WquILIuNcXe1 ARTfBuHN5PXfa4my2BnvY4eNp/RJqLQyX3GXF73XruFQeLDQwnvFphjeowMNar8o 3q4Xl2OmVZc=AD50 -----END PGP SIGNATURE----- -- RHSA-announce mailing list
Feb 14, 2022
Red Hat
98
security advisoryred hatremote code executionRed Hat: RHSA-2022-0430-01 Important: SQL Injection and RCE
An update for Red Hat Data Grid is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat Data Grid 7.3.9 security update Advisory ID: RHSA-2022:0430-01 Product: Red Hat JBoss Data Grid Advisory URL: https://access.redhat.com/errata/RHSA-2022:0430 Issue date: 2022-02-03 CVE Names: CVE-2021-4104 CVE-2022-23302 CVE-2022-23305 CVE-2022-23307 ==================================================================== 1. Summary: An update for Red Hat Data Grid is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale. Data Grid 7.3.9 replaces Data Grid 7.3.8 and includes bug fixes and enhancements. Find out more about Data Grid 7.3.8 in the Release Notes [3]. Security Fix(es): * log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305) * log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307) * log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104) * log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other relatedinformation, refer to the CVE page(s) listed in the References section. 3. Solution: To install this update, do the following: 1. Download the Data Grid 7.3.9 server patch from the customer portal[²]. 2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on. 3. Install the Data Grid 7.3.9 server patch. Refer to the 7.3.9 Release Notes[³] for patching instructions. 4. Restart Data Grid to ensure the changes take effect. 4. Bugs fixed (https://bugzilla.redhat.com/): 2031667 - CVE-2021-4104 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender 2041949 - CVE-2022-23302 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink 2041959 - CVE-2022-23305 log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender 2041967 - CVE-2022-23307 log4j: Unsafe deserialization flaw in Chainsaw log viewer 5. References: https://access.redhat.com/security/cve/CVE-2021-4104 https://access.redhat.com/security/cve/CVE-2022-23302 https://access.redhat.com/security/cve/CVE-2022-23305 https://access.redhat.com/security/cve/CVE-2022-23307 https://access.redhat.com/security/updates/classification#important https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381&product=data.grid&version=7.3&downloadType=patches https://docs.redhat.com/en/documentation/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPGv1 iQIVAwUBYfwPPtzjgjWX9erEAQhuvBAAitlxo/v7tFhb7r5wcav55FubIKph5/Ig UVLzJHVDzsrK4/1b7Ab2rB6rEJfw8HFyMOQ8ZRPUFGp3tZxv75YYzPREJp+1k5ez 3YulGNpJBrdkePAiH4L5dewRmw84GQ9qD4CjuSP8pt8XwK9G+giwaJtaf1I9vHdC uccvimCFOvkVX6rhu0cYpRLvs3hyfhHD9TMVew0DgqppKCVlFez0vkxatu/tmfxo ZkJVZZ9fGzMpWdXNK0DktanA65eOPPbzdUMxFffjGACrCb9AFGbNGyVMu/f52PRW rXTsyK/jQchJeLlKspAZCfrbNPE6OeEs4Yz5wanwP4nPGP0opQ6qULBpXROzChu/ Mz/F/3TGbWN7pBLxOhMYzMftFlUnq2o0NJr3EcoGTL7o+BGTg7tmwH25uA7TUfJL 27fXk0djy2OXFlbRdH1dEHLye8nI5O1lTieas3agrELZtPcyc8+5SYsPtgN0doYD SbJU78/RylkyfRg2IBRF969C4SeoC/vPc/HNTv4dsrjYwog1xGoulqPTmyjDYBpe wA6dA8pmPbn2YvQjnPpDbRDwkqbeDPEhwalvos2/NuYA37zYZBUi9CbJEvyN55x1 peAEGcrkL1lIRjAZTnS3py3TqYD7Pv4Yy4Y7AYNcNS0xgJP4pDg4IBAkI/wm93/W DBTMZ3ose+k=d3ha -----END PGP SIGNATURE----- -- RHSA-announce mailing list
Feb 03, 2022
•Important
Red Hat
98
security advisoryred hatcriticalRed Hat Data Grid 8.2.2 Critical: RHSA-2021-5132 Remote Code Execution
An update for Red Hat Data Grid is now available. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Critical: Red Hat Data Grid 8.2.2 security update Advisory ID: RHSA-2021:5132-01 Product: Red Hat JBoss Data Grid Advisory URL: https://access.redhat.com/errata/RHSA-2021:5132 Issue date: 2021-12-14 CVE Names: CVE-2021-44228 ==================================================================== 1. Summary: An update for Red Hat Data Grid is now available. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale. Data Grid 8.2.2 replaces Data Grid 8.2.1 and includes bug fixes and enhancements. Find out more about Data Grid 8.2.2 in the Release Notes [3]. Security Fix(es): * log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value (CVE-2021-44228) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: To install this update, do the following: 1. Download the Data Grid 8.2.2 server patch from the customer portal[²]. 2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on. 3. Install the Data Grid8.2.2 server patch. Refer to the 8.2.2 Release Notes[³] for patching instructions. 4. Restart Data Grid to ensure the changes take effect. 4. Bugs fixed (https://bugzilla.redhat.com/): 2030932 - CVE-2021-44228 log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value 5. References: https://access.redhat.com/security/cve/CVE-2021-44228 https://access.redhat.com/security/updates/classification/#critical https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381&product=data.grid&version=8.2&downloadType=patches https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.2/html-single/red_hat_data_grid_8.2_release_notes/index https://access.redhat.com/security/vulnerabilities/RHSB-2021-009 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYblI0NzjgjWX9erEAQj7mw//TtZnFmrLI6Ts7uC19MnLA/vVPXT1i2Qz R1CZ4T7QCZkiJCNXvwYHj7iQgOm5o/seXRE38qGtJWqiyrZMGHVQnDl1Vuhm31jg 6lxhpjn0kKKZanznosCxF3U2ovLhrEx+5in4piNiyV6CKkkgBV7UvESGWlIKiumq 1r79DAQ7WdYPoOk+m+b5p/okFJXyD0FcEbrqZcgJQCmR9zyJ6DGAy4N9+cgEgGaC QoVZaXa+pUEVjiAOAg0XNcb+GyYSMFwkPUR14NI0V2OHIo97aBg9AG1HrOj3QmSG 5LR/8zWQbfSbtTIzR67gBGF8F8nvnEeBARYje97Cx2FcHGDFisLHM8OGqFNjU5+I HepIdPjwcoy3kPDSfQ9WXx7Iz03tMCbhMWUhH9MRYuUAzCHgsAryZ4AnTBa+Hn7B 7WHuVf24eFcoJysoWGsbQZDzN5oxqIRXP2mA5k7MVemHV5L+7KV15KyJWaDqTdI+ DTpw8kP/WboloegmZmaqbPLlfvl91G8LjU5yfLaa+rNHkbyT4G1c3iQm5yLWlsYW yfGf+XiZPoF5S6862qdx7YPZG0yTkaUYU0Spnr8eV9wt9uUIp57jczrBzgBKYlN0 BdNv9DgqbGvhmdz/k95gRZUpdYAvF6J4+Y4h9uXgxqfdGZjFCSlegOG8gleCnvEw dfFqyyf+3ZQ=be8O -----END PGP SIGNATURE----- -- RHSA-announce mailing list
Dec 14, 2021
•Critical
Red Hat
98
security advisoryred hatauthentication bypassRed Hat Data Grid 8.2 Critical: RHSA-2021:2139-01 Authentication Bypass
A security update for Red Hat Data Grid is now available. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Critical: Red Hat Data Grid 8.2.0 security update Advisory ID: RHSA-2021:2139-01 Product: Red Hat JBoss Data Grid Advisory URL: https://access.redhat.com/errata/RHSA-2021:2139 Issue date: 2021-05-26 CVE Names: CVE-2020-10771 CVE-2020-26258 CVE-2020-26259 CVE-2021-21290 CVE-2021-21295 CVE-2021-21341 CVE-2021-21342 CVE-2021-21343 CVE-2021-21344 CVE-2021-21345 CVE-2021-21346 CVE-2021-21347 CVE-2021-21348 CVE-2021-21349 CVE-2021-21350 CVE-2021-21351 CVE-2021-21409 CVE-2021-31917 ==================================================================== 1. Summary: A security update for Red Hat Data Grid is now available. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat Data Grid is a distributed, in-memory data store. This release of Red Hat Data Grid 8.2.0 serves as a replacement for Red Hat Data Grid 8.1.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism (CVE-2021-31917) * XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet (CVE-2021-21344) * XStream: Unsafe deserizaliationof com.sun.corba.se.impl.activation.ServerTableEntry (CVE-2021-21345) * XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue (CVE-2021-21346) * XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator (CVE-2021-21347) * XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader (CVE-2021-21350) * Infinispan: Actions with effects should not be permitted via GET requests using REST API (CVE-2020-10771) * XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling (CVE-2020-26258) * XStream: arbitrary file deletion on the local host when unmarshalling (CVE-2020-26259) * netty: Information disclosure via the local system temporary directory (CVE-2021-21290) * netty: possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295) * XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream (CVE-2021-21341) * XStream: SSRF via crafted input stream (CVE-2021-21342) * XStream: arbitrary file deletion on the local host via crafted input stream (CVE-2021-21343) * XStream: ReDoS vulnerability (CVE-2021-21348) * XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host (CVE-2021-21349) * XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream (CVE-2021-21351) * netty: Request smuggling via content-length header (CVE-2021-21409) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version. The References section of this erratum contains a download link (you must log in to download the update). 4. Bugs fixed(https://bugzilla.redhat.com/): 1846293 - CVE-2020-10771 Infinispan: Actions with effects should not be permitted via GET requests using REST API 1908832 - CVE-2020-26258 XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling 1908837 - CVE-2020-26259 XStream: arbitrary file deletion on the local host when unmarshalling 1927028 - CVE-2021-21290 netty: Information disclosure via the local system temporary directory 1937364 - CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation 1942539 - CVE-2021-21341 XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream 1942545 - CVE-2021-21342 XStream: SSRF via crafted input stream 1942550 - CVE-2021-21343 XStream: arbitrary file deletion on the local host via crafted input stream 1942554 - CVE-2021-21344 XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet 1942558 - CVE-2021-21345 XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry 1942578 - CVE-2021-21346 XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue 1942629 - CVE-2021-21347 XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator 1942633 - CVE-2021-21348 XStream: ReDoS vulnerability 1942635 - CVE-2021-21349 XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host 1942637 - CVE-2021-21350 XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader 1942642 - CVE-2021-21351 XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream 1944888 - CVE-2021-21409 netty: Request smuggling via content-length header 1955113 - CVE-2021-31917 Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism 5.References: https://access.redhat.com/security/cve/CVE-2020-10771 https://access.redhat.com/security/cve/CVE-2020-26258 https://access.redhat.com/security/cve/CVE-2020-26259 https://access.redhat.com/security/cve/CVE-2021-21290 https://access.redhat.com/security/cve/CVE-2021-21295 https://access.redhat.com/security/cve/CVE-2021-21341 https://access.redhat.com/security/cve/CVE-2021-21342 https://access.redhat.com/security/cve/CVE-2021-21343 https://access.redhat.com/security/cve/CVE-2021-21344 https://access.redhat.com/security/cve/CVE-2021-21345 https://access.redhat.com/security/cve/CVE-2021-21346 https://access.redhat.com/security/cve/CVE-2021-21347 https://access.redhat.com/security/cve/CVE-2021-21348 https://access.redhat.com/security/cve/CVE-2021-21349 https://access.redhat.com/security/cve/CVE-2021-21350 https://access.redhat.com/security/cve/CVE-2021-21351 https://access.redhat.com/security/cve/CVE-2021-21409 https://access.redhat.com/security/cve/CVE-2021-31917 https://access.redhat.com/security/updates/classification#critical https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=data.grid&version=8.2 https://docs.redhat.com/en/documentation/red_hat_data_grid/8.2/html/upgrading_data_grid/index 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPGv1 iQIVAwUBYK7C1tzjgjWX9erEAQiWPg/9HusdDg2N/WJPUeZSoFsYXgm5XgNzleJH 5999VYyebIKZSEAkgPKZOoIAQGoZtVRdqdtGONYMMJfQbNq+5xLiR6jNjF5BSkzN cOAX1R9RtDekdeedVWR1dNf/lX9/Y2h5buNrwEoRimwva7z7lDlC6w9aNhtYgNk4 NIt5WeeNaXirq+lPi2KhMIoQTr+RSrPIcYyOXTtpV1N9ocx20VIXU71OCkoouA7h UzyVojxMpLzT+H93sgqnGDgrMcxraJdGhdl7zVKiCIN1KHVq8rduB78bjQTDMiVN f2cvHUMMIY52ZMmbsMzz9ExEWKurclyiQpWsJcAzq4/n1DL+ojr+a9Ir57Rar19y a86/mnroUPc4M6nNH0HeA6StZgt6+WVHZ/wlTTKRB9C1l40kZOahj/Te0jrgiDj2 g2G9S7gkF167IcmFpXFgqjxRH40FI33fX3uM1sdbZefW86EyDIc/VD5GAI9KKY4x 6oodgPg5XeLvc+Esl9UN14rtaSkY26PQriunwEluYzybmp1ZWJO18Ow8UqTavpPk Y2ubqvXOFhPCBSQCCdxXMpM83fymqhyh1xoZn0LWlVDX5UcEsfYRtANNtkYIsFTn YZF2CNYjSaTwiy9/eOB18+tnPjIBHWlkOZngUuP1QzHceAiUEWix+pHiqDZnrCMm WjIkSEGjy/g=vmHt -----END PGP SIGNATURE----- -- RHSA-announce mailing list
May 26, 2021
•Critical
Red Hat
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!