-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Data Grid 8.1.1 security update
Advisory ID:       RHSA-2021:0433-01
Product:           Red Hat JBoss Data Grid
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0433
Issue date:        2021-02-08
CVE Names:         CVE-2020-25644 CVE-2020-25711 CVE-2020-26217
====================================================================
1. Summary:

A security update for Red Hat Data Grid is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat Data Grid is a distributed, in-memory data store.

This release of Red Hat Data Grid 8.1.1 serves as a replacement for Red Hat
Data Grid 8.1.0, and includes bug fixes and enhancements, which are
documented in the Release Notes document linked to in the References.

Security Fix(es):

* wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL
(CVE-2020-25644)

* XStream: remote code execution due to insecure XML deserialization when
relying on blocklists (CVE-2020-26217)

* infinispan: authorization check missing for server management operations
(CVE-2020-25711)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Refer to the Data Grid 8.1 Upgrade Guide for instructions on upgrading to
this version.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1885485 - CVE-2020-25644 wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL
1897618 - CVE-2020-25711 infinispan: authorization check missing for server management operations
1898907 - CVE-2020-26217 XStream: remote code execution due to insecure XML deserialization when relying on blocklists

5. References:

https://access.redhat.com/security/cve/CVE-2020-25644
https://access.redhat.com/security/cve/CVE-2020-25711
https://access.redhat.com/security/cve/CVE-2020-26217
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?productÚta.grid&downloadType=securityPatches&version=8.1
https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.1/html/upgrading_data_grid/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYCE08tzjgjWX9erEAQiczA//cBXSGydb50uqm54n7mRr650w/tX/KeGy
IFa++dkIoJP5aF+nkK46Z+WqSpO+TnPcq4QgOHT0z2211J8smOk1UwRzarogrR+I
WkfzO4+r/2oAYJHF9vB8wlYbnFIqaOqCu3MwO+1a58A2ECOZXAKs4EivEMdcvp1+
7VbnMU2GsgZUvVMsRPRitTJGkkL14UwYP/MZCHQRfdbrbOopjjSYCUt1hzpFmPIu
4tJCvkArKIHksXdBtbb+Y+PFop05hySRDp8ed1bJPcD8+6Lv8ezVh/i1YMdBFJ7F
Nq6T7g3InpueJflvfLooZ6Nlf8T+Ar8Dsv6e+6kmSpUQPxgAZJEeNSZBdvbRwVIE
O8YqK4nWxxi5R1YehjuR4ax42D3rv+ZWuL8pmr90uDMcmpCp4uM8SEfmEkbhyeVQ
UMYmv9oJW2oayvGlKvCkdFoLcN6kdkLmHIAPqdh8QnyuG6GlAxozsJ+566k4gWgI
HYLY62IOBHbsBE9dzCIqBSk3/+GvGmnzdEQd+R6a/xRmQ83In2J6BzGbZkzkOvUj
4rqS74Q2YV+hG4PRtlRO9EDolYOLARMW1qJQrWtbwdgXDt9mjPEPXw9FoHpUYitz
c0wPDE5hbdp8uwarYP7SuHXLRrCBedHx0reGQyHzBtrJtfqRPWVKd43jeUkUt22R
R/ZChTj5mZQ=m0Gn
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce