Red Hat Security Advisory 2021-3207-01 - This release of Red Hat Integration - Camel Quarkus - 1.8.1 tech-preview 2 serves as a replacement for tech-preview 1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution, denial of service, information leakage, man-in-the-middle, and traversal vulnerabilities.
45c967c8a201b1f39d4acd990e209ab0096988439ff4cec5216e3227f4f3dc4b-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat Integration Camel Quarkus Tech-Preview 2 security update
Advisory ID: RHSA-2021:3207-01
Product: Red Hat Integration
Advisory URL: https://access.redhat.com/errata/RHSA-2021:3207
Issue date: 2021-08-18
CVE Names: CVE-2020-13920 CVE-2020-17518 CVE-2020-17521
CVE-2020-26238 CVE-2020-27222 CVE-2020-27782
CVE-2020-29582 CVE-2021-20218
=====================================================================
1. Summary:
An update to the Red Hat Integration Camel Quarkus tech preview is now
available. The purpose of this text-only errata is to inform you about the
security issues fixed in this release.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
This release of Red Hat Integration - Camel Quarkus - 1.8.1 tech-preview 2
serves as a replacement for tech-preview 1, and includes bug fixes and
enhancements, which are documented in the Release Notes document linked to
in the References.
Security Fix(es):
* cron-utils: template injection allows attackers to inject arbitrary Java
EL expressions leading to remote code execution (CVE-2020-26238)
* californium-core: DTLS - DoS vulnerability for certificate based
handshakes (CVE-2020-27222)
* undertow: special character in query results in server errors
(CVE-2020-27782)
* activemq: improper authentication allows MITM attack (CVE-2020-13920)
* flink: apache-flink: directory traversal attack allows remote file
writing through the REST API (CVE-2020-17518)
* groovy: OS temporary directory leads to information disclosure
(CVE-2020-17521)
* kubernetes-client: fabric8-kubernetes-client: vulnerable to a path
traversal leading to integrity and availability compromise (CVE-2021-20218)
* kotlin-scripting-jvm: kotlin: vulnerable Java API was used for temporary
file and folder creation which could result in information disclosure
(CVE-2020-29582)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
4. Bugs fixed (https://bugzilla.redhat.com/):
1880101 - CVE-2020-13920 activemq: improper authentication allows MITM attack
1901304 - CVE-2020-27782 undertow: special character in query results in server errors
1901655 - CVE-2020-26238 cron-utils: template injection allows attackers to inject arbitrary Java EL expressions leading to remote code execution
1913312 - CVE-2020-17518 apache-flink: directory traversal attack allows remote file writing through the REST API
1922123 - CVE-2020-17521 groovy: OS temporary directory leads to information disclosure
1923405 - CVE-2021-20218 fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise
1930230 - CVE-2020-27222 californium-core: DTLS - DoS vulnerability for certificate based handshakes
1930291 - CVE-2020-29582 kotlin: vulnerable Java API was used for temporary file and folder creation which could result in information disclosure
5. References:
https://access.redhat.com/security/cve/CVE-2020-13920
https://access.redhat.com/security/cve/CVE-2020-17518
https://access.redhat.com/security/cve/CVE-2020-17521
https://access.redhat.com/security/cve/CVE-2020-26238
https://access.redhat.com/security/cve/CVE-2020-27222
https://access.redhat.com/security/cve/CVE-2020-27782
https://access.redhat.com/security/cve/CVE-2020-29582
https://access.redhat.com/security/cve/CVE-2021-20218
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_integration/2021.q3/html-single/getting_started_with_camel_quarkus_extensions/
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2021-Q3
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYRzY99zjgjWX9erEAQgMhBAApCbodP6PTQTrPhyuwqnvBg/g+tUJj374
68yM9vDZCtUFhg4d8NQetIHLV8UB0VVToZOP20qdW13WL2zihJ2boB4ICA7EqzGF
IKyqYDwWgA2nWxs27L3tLAvjZzLdgyAvxvkP5+NdZZr14NU+Kh2jK6XrYNPSsSnd
EZL14HtXRUSScTZEx/hJbIBjF4tBqVIYj5PO56qXFHj0iyvWPWCIfDYAm690lOXs
7vX44B1saVkLg9aanxTXmpoai0eN8ABRUXWcpxVLdmJguKptr1cL70CRXdNadnk6
SYjZ1sqhJbW6QgyXI8HyywNpFicWH4+rPwd8QtIyFqdVysL5dp+KAdYhsRHT2No5
/RV0YLGDUM+dEpYxKzHAkrnIbencpuebUgfe/FG2PmcfS7lGzc4SCA2sgdbwcVpx
E2vFW5GHIPRy4//hZvMAF1NSYl3Sg0iHpkV26jd/6DO6knt3Jv1pox3iOnOj4Tdt
zHRvj0Lv8NzLlIffTXp6CbPqZfnoQln32vwUFqyOaRp7wygLTJTXoOzmkhkExo0Q
rOeQhFT/bXWBPRygRcPB5VueWGF2msV3g8tk0QjDWve8btYmX0NJz78QeqpEggLT
E5b74YktBGPgYeKG2LB62zJdGDtab8397HtpnRp5QLuAXBieemb4Dw+9F80warrd
BFInpl8U+m8=
=cI6f
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed