-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   
Red Hat Security Advisory

Synopsis:          Critical: Red Hat Data Grid 8.2.0 security update
Advisory ID:       RHSA-2021:2139-01
Product:           Red Hat JBoss Data Grid
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:2139
Issue date:        2021-05-26
CVE Names:         CVE-2020-10771 CVE-2020-26258 CVE-2020-26259
                   CVE-2021-21290 CVE-2021-21295 CVE-2021-21341
                   CVE-2021-21342 CVE-2021-21343 CVE-2021-21344
                   CVE-2021-21345 CVE-2021-21346 CVE-2021-21347
                   CVE-2021-21348 CVE-2021-21349 CVE-2021-21350
                   CVE-2021-21351 CVE-2021-21409 CVE-2021-31917
====================================================================
1. Summary:

A security update for Red Hat Data Grid is now available.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat Data Grid is a distributed, in-memory data store.

This release of Red Hat Data Grid 8.2.0 serves as a replacement for Red Hat
Data Grid 8.1.1, and includes bug fixes and enhancements, which are
documented in the Release Notes document linked to in the References.

Security Fix(es):

* Infinispan: Authentication bypass on REST endpoints when using DIGEST
authentication mechanism (CVE-2021-31917)

* XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet
(CVE-2021-21344)

* XStream: Unsafe deserizaliation of
com.sun.corba.se.impl.activation.ServerTableEntry (CVE-2021-21345)

* XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue
(CVE-2021-21346)

* XStream: Unsafe deserizaliation of
com.sun.tools.javac.processing.JavacProcessingEnvironment
NameProcessIterator (CVE-2021-21347)

* XStream: Unsafe deserizaliation of
com.sun.org.apache.bcel.internal.util.ClassLoader (CVE-2021-21350)

* Infinispan: Actions with effects should not be permitted via GET requests
using REST API (CVE-2020-10771)

* XStream: Server-Side Forgery Request vulnerability can be activated when
unmarshalling (CVE-2020-26258)

* XStream: arbitrary file deletion on the local host when unmarshalling
(CVE-2020-26259)

* netty: Information disclosure via the local system temporary directory
(CVE-2021-21290)

* netty: possible request smuggling in HTTP/2 due missing validation
(CVE-2021-21295)

* XStream: allow a remote attacker to cause DoS only by manipulating the
processed input stream (CVE-2021-21341)

* XStream: SSRF via crafted input stream (CVE-2021-21342)

* XStream: arbitrary file deletion on the local host via crafted input
stream (CVE-2021-21343)

* XStream: ReDoS vulnerability (CVE-2021-21348)

* XStream: SSRF can be activated unmarshalling with XStream to access data
streams from an arbitrary URL referencing a resource in an intranet or the
local host (CVE-2021-21349)

* XStream: allow a remote attacker to load and execute arbitrary code from
a remote host only by manipulating the processed input stream
(CVE-2021-21351)

* netty: Request smuggling via content-length header (CVE-2021-21409)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to
this version.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1846293 - CVE-2020-10771 Infinispan: Actions with effects should not be permitted via GET requests using REST API
1908832 - CVE-2020-26258 XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling
1908837 - CVE-2020-26259 XStream: arbitrary file deletion on the local host when unmarshalling
1927028 - CVE-2021-21290 netty: Information disclosure via the local system temporary directory
1937364 - CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation
1942539 - CVE-2021-21341 XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream
1942545 - CVE-2021-21342 XStream: SSRF via crafted input stream
1942550 - CVE-2021-21343 XStream: arbitrary file deletion on the local host via crafted input stream
1942554 - CVE-2021-21344 XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet
1942558 - CVE-2021-21345 XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry
1942578 - CVE-2021-21346 XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue
1942629 - CVE-2021-21347 XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator
1942633 - CVE-2021-21348 XStream: ReDoS vulnerability
1942635 - CVE-2021-21349 XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host
1942637 - CVE-2021-21350 XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader
1942642 - CVE-2021-21351 XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream
1944888 - CVE-2021-21409 netty: Request smuggling via content-length header
1955113 - CVE-2021-31917 Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism

5. References:

https://access.redhat.com/security/cve/CVE-2020-10771
https://access.redhat.com/security/cve/CVE-2020-26258
https://access.redhat.com/security/cve/CVE-2020-26259
https://access.redhat.com/security/cve/CVE-2021-21290
https://access.redhat.com/security/cve/CVE-2021-21295
https://access.redhat.com/security/cve/CVE-2021-21341
https://access.redhat.com/security/cve/CVE-2021-21342
https://access.redhat.com/security/cve/CVE-2021-21343
https://access.redhat.com/security/cve/CVE-2021-21344
https://access.redhat.com/security/cve/CVE-2021-21345
https://access.redhat.com/security/cve/CVE-2021-21346
https://access.redhat.com/security/cve/CVE-2021-21347
https://access.redhat.com/security/cve/CVE-2021-21348
https://access.redhat.com/security/cve/CVE-2021-21349
https://access.redhat.com/security/cve/CVE-2021-21350
https://access.redhat.com/security/cve/CVE-2021-21351
https://access.redhat.com/security/cve/CVE-2021-21409
https://access.redhat.com/security/cve/CVE-2021-31917
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&productÚta.grid&version=8.2
https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.2/html/upgrading_data_grid/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYK7C1tzjgjWX9erEAQiWPg/9HusdDg2N/WJPUeZSoFsYXgm5XgNzleJH
5999VYyebIKZSEAkgPKZOoIAQGoZtVRdqdtGONYMMJfQbNq+5xLiR6jNjF5BSkzN
cOAX1R9RtDekdeedVWR1dNf/lX9/Y2h5buNrwEoRimwva7z7lDlC6w9aNhtYgNk4
NIt5WeeNaXirq+lPi2KhMIoQTr+RSrPIcYyOXTtpV1N9ocx20VIXU71OCkoouA7h
UzyVojxMpLzT+H93sgqnGDgrMcxraJdGhdl7zVKiCIN1KHVq8rduB78bjQTDMiVN
f2cvHUMMIY52ZMmbsMzz9ExEWKurclyiQpWsJcAzq4/n1DL+ojr+a9Ir57Rar19y
a86/mnroUPc4M6nNH0HeA6StZgt6+WVHZ/wlTTKRB9C1l40kZOahj/Te0jrgiDj2
g2G9S7gkF167IcmFpXFgqjxRH40FI33fX3uM1sdbZefW86EyDIc/VD5GAI9KKY4x
6oodgPg5XeLvc+Esl9UN14rtaSkY26PQriunwEluYzybmp1ZWJO18Ow8UqTavpPk
Y2ubqvXOFhPCBSQCCdxXMpM83fymqhyh1xoZn0LWlVDX5UcEsfYRtANNtkYIsFTn
YZF2CNYjSaTwiy9/eOB18+tnPjIBHWlkOZngUuP1QzHceAiUEWix+pHiqDZnrCMm
WjIkSEGjy/g=vmHt
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce