Red Hat Security Advisory 2022-0083-03 - This release of Red Hat build of Eclipse Vert.x 4.1.8 GA includes security updates. For more information, see the release notes listed in the References section. Issues addressed include code execution and denial of service vulnerabilities.
24d4e3d0f6f554caca41028699284d0f12ccf8d2788aba8df711c0ae434e4e18
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat build of Eclipse Vert.x 4.1.8 security update
Advisory ID: RHSA-2022:0083-01
Product: Red Hat OpenShift Application Runtimes
Advisory URL: https://access.redhat.com/errata/RHSA-2022:0083
Issue date: 2022-01-20
CVE Names: CVE-2021-44832 CVE-2021-45046 CVE-2021-45105
====================================================================
1. Summary:
An update is now available for Red Hat build of Eclipse Vert.x.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability. For
more information, see the CVE pages listed in the References section.
2. Description:
This release of Red Hat build of Eclipse Vert.x 4.1.8 GA includes security
updates. For more information, see the release notes listed in the
References section.
Security Fix(es):
* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)
* log4j-core: DoS in log4j 2.x with thread context message pattern and
context lookup pattern (incomplete fix for CVE-2021-44228) (CVE-2021-45046)
* log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data
contains a recursive lookup and context lookup pattern (CVE-2021-45105)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.
The References section of this erratum contains a download link for the
update. You must be logged in to download the update.
4. Bugs fixed (https://bugzilla.redhat.com/):
2032580 - CVE-2021-45046 log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)
2034067 - CVE-2021-45105 log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern
2035951 - CVE-2021-44832 log4j-core: remote code execution via JDBC Appender
5. References:
https://access.redhat.com/security/cve/CVE-2021-44832
https://access.redhat.com/security/cve/CVE-2021-45046
https://access.redhat.com/security/cve/CVE-2021-45105
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&productÊtRhoar.eclipse.vertx&version=4.1.8
https://access.redhat.com/documentation/en-us/red_hat_build_of_eclipse_vert.x/4.1/html/release_notes_for_eclipse_vert.x_4.1/index
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYemZRNzjgjWX9erEAQg3kg//TMRnMbFneaojfw2Cav3ewH7CQEqai/UQ
4nb5leVBZUlkoGk302d1Xlmjc8oYeyRHP2w95PuWfSqxpU5GhOabUjlJzul1Um34
Y0QaFhBI7xuAk28szn7JKoB6yZ6UAgB/vmYYo0YdlphtInAwnp3Vipb/3vgzXJUH
eaFAkTvEMc4h0gcyLO98Krr/4u87+YJyY2wbWSpRDoQpQUcnDzGNqessOp6NMSsS
mo0SHcFVYLXqsM9/cHaQyhIfTlF5JDApe0DO5y1zE60B1tYJyU34fgoRprFs5ybv
f4Enn/qVWfmx2PCdEwOdKvjf2jQzVplqbPQwxILMRN2f3+y7OBNNWPB16kTskP3u
jYUXZd6AN+YdJBzpBw23TFDmtSbGn9A3jTOWz1uACu3vYxNPSzDYIkOgD0hYfNIb
dZntht5p3WgkBQ0Xkgd0At2UXwc70eJ2uH51Ck/bosH46MuKzVSeCoAsCCEXRMTm
vGsfK5EV8Es5ltzsw1Im+3DZ8QcBNN7SUWidrJa9d6U9F0pzZVe1co4D12Xchapv
bxQp0QeWHIgFNBQA8vQk6SZsdJH3THzHi0GUzLvSMED02MsfAd7HQhyndu/b9vs6
s2OIgauHd09+Siw1twydZUg1eEbeNctFUW2pi2LRggCY4cqLA0j4l0q0zQnKCdw3
73/w3ORRBdI=mx2F
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce