-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat 3scale API Management 2.11.1 Release - Container Images
Advisory ID:       RHSA-2021:5191-01
Product:           3scale API Management
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:5191
Issue date:        2021-12-16
CVE Names:         CVE-2020-26247 CVE-2020-36385 CVE-2021-0512
                   CVE-2021-3656 CVE-2021-3733 CVE-2021-22946
                   CVE-2021-22947 CVE-2021-33928 CVE-2021-33929
                   CVE-2021-33930 CVE-2021-33938
====================================================================
1. Summary:

Red Hat 3scale API Management 2.11.1 Release - Container Images

A security update for Red Hat 3scale API Management is now available from
the Red Hat Container Catalog.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability
listed as CVE link(s) in the References section.

2. Description:

Red Hat 3scale API Management delivers centralized API management features
through a distributed, cloud-hosted layer. It includes built-in features to
help in building a more successful API program, including access control,
rate limits, payment gateway integration, and developer experience tools.

This advisory is intended to use with Container Images, for Red Hat 3scale
API Management 2.11.1.

Security Fix(es):

* rubygem-nokogiri: XML external entity injection via Nokogiri::XML::Schema
(CVE-2020-26247)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.11/html-single/installing_3scale/index

4. Bugs fixed (https://bugzilla.redhat.com/):

1912487 - CVE-2020-26247 rubygem-nokogiri: XML external entity injection via Nokogiri::XML::Schema

5. JIRA issues fixed (https://issues.jboss.org/):

THREESCALE-6868 - [3scale][2.11][LO-prio] Improve select default Application plan
THREESCALE-6879 - [3scale][2.11][HI-prio] Add 'Create new Application' flow to Product > Applications index
THREESCALE-7030 - Address scalability in 'Create new Application' form
THREESCALE-7203 - Fix Zync resync command in 5.6.9. Creating equivalent Zync routes
THREESCALE-7475 - Some api calls result in "Destroying user session"
THREESCALE-7488 - Ability to add external Lua dependencies for custom policies
THREESCALE-7573 - Enable proxy environment variables via the APICAST CRD
THREESCALE-7605 - type change of "policies_config" in /admin/api/services/{service_id}/proxy.json
THREESCALE-7633 - Signup form in developer portal is disabled for users authenticted via external SSO
THREESCALE-7644 - Metrics: Service for 3scale operator is missing
THREESCALE-7646 - Cleanup/refactor Products and Backends index logic
THREESCALE-7648 - Remove "#context-menu" from the url
THREESCALE-7704 - Images based on RHEL 7 should contain at least ca-certificates-2021.2.50-72.el7_9.noarch.rpm
THREESCALE-7731 - Reenable operator metrics service for apicast-operator
THREESCALE-7761 - 3scale Operator doesn't respect *_proxy env vars
THREESCALE-7765 - Remove MessageBus from System
THREESCALE-7834 - admin can't create application when developer is not allowed to pick a plan
THREESCALE-7863 - Update some Obsolete API's in 3scale_v2.js
THREESCALE-7884 - Service top application endpoint is not working properly
THREESCALE-7912 - ServiceMonitor created by monitoring showing HTTP 400 error
THREESCALE-7913 - ServiceMonitor for 3scale operator has wide selector

6. References:

https://access.redhat.com/security/cve/CVE-2020-26247
https://access.redhat.com/security/cve/CVE-2020-36385
https://access.redhat.com/security/cve/CVE-2021-0512
https://access.redhat.com/security/cve/CVE-2021-3656
https://access.redhat.com/security/cve/CVE-2021-3733
https://access.redhat.com/security/cve/CVE-2021-22946
https://access.redhat.com/security/cve/CVE-2021-22947
https://access.redhat.com/security/cve/CVE-2021-33928
https://access.redhat.com/security/cve/CVE-2021-33929
https://access.redhat.com/security/cve/CVE-2021-33930
https://access.redhat.com/security/cve/CVE-2021-33938
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.11/html-single/installing_3scale/index

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYbuXa9zjgjWX9erEAQhd9Q//SJfXxXPd+XV62WY6XMuzYpkSq0yoDhyj
pwNuCSIj9Ck1hF+Us/bbkFuzrvjBBhThUnLDQtKchYvFWW+cXJCqPB8ZxIb1j2O6
RjSp6AwRJY19YKnykd0TdF7fMZYvEX2KaZDfYMIVJ6KKS/E7XvvJHdoVxCSFc5/q
aZYfVafzxRF5EgaPTD5Lnwke5omsSYvyOhzR5oSTs0UZHq/3V7q/7SofhTRMBA3y
V8S/yrEdVUfmDeQMi4NXMbUg3/EdqpnBvP7Vp9eLvFYHcYrM1xbxZg+OVnBhCX72
Ps8uzfCd4/G1nbhGeh5PtSHeTbm0yTw9/ugSWdoaYkGG1vXVQFdt1oz+uuhUu0fy
w+Ng3ef+4JYoJxWcLp7X7eFm1MmRDSntRib/zGB3TWq9LoASFf//tjSIEag80nk3
26Mmu43nP3FEJvdUmtIbDVXmuTjZLCY15VAHCaDWkLZpkfAX2FaldErBPiRciUfX
v+d/Y59luKUahGwxMqZ6KzofSnouUZncIy6xxb5d4LDHPwGPdwkHmgQXy/zsAz8P
5/AN8C54TcFErMe2MDm+EC2l2425Wgum4BqPnvBafFwe0QY8+uJdJwgLKkcJaW/U
BOOf9ahxeiTcn2pgsFCEVUGT+c5GRWGgHZ6HEXBIsxbi4m/4U86qp4u3ZPAORvfe
BW3AwasqEYc=QOAK
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce