exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2022-1179-01

Red Hat Security Advisory 2022-1179-01
Posted Apr 13, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-1179-01 - Red Hat support for Spring Boot provides an application platform that reduces the complexity of developing and operating applications for OpenShift as a containerized platform. This release of Red Hat support for Spring Boot 2.5.10 serves as a replacement for Red Hat support for Spring Boot 2.4.9, and includes bug fixes and enhancements. For more information, see the release notes listed in the References section. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.

tags | advisory, web, denial of service, vulnerability
systems | linux, redhat
advisories | CVE-2021-20289, CVE-2021-30640, CVE-2021-33037, CVE-2021-3597, CVE-2021-3629, CVE-2021-3642, CVE-2021-3859, CVE-2021-41079, CVE-2021-42340
SHA-256 | 85b8d4f687468f2d182c49d4c89778120f0a1b9edb98b4a99798cd35870ff9fd

Red Hat Security Advisory 2022-1179-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat support for Spring Boot 2.5.10 update
Advisory ID: RHSA-2022:1179-01
Product: Red Hat OpenShift Application Runtimes
Advisory URL: https://access.redhat.com/errata/RHSA-2022:1179
Issue date: 2022-04-12
CVE Names: CVE-2021-3597 CVE-2021-3629 CVE-2021-3642
CVE-2021-3859 CVE-2021-20289 CVE-2021-30640
CVE-2021-33037 CVE-2021-41079 CVE-2021-42340
====================================================================
1. Summary:

An update is now available for Red Hat OpenShift Application Runtimes.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each
vulnerability. For more information, see the CVE links in the References
section.

2. Description:

Red Hat support for Spring Boot provides an application platform that
reduces the complexity of developing and operating applications (monoliths
and microservices) for OpenShift as a containerized platform.

This release of Red Hat support for Spring Boot 2.5.10 serves as a
replacement for Red Hat support for Spring Boot 2.4.9, and includes bug
fixes and enhancements. For more information, see the release notes listed
in the References section.

Security Fix(es):

* undertow: client side invocation timeout raised when calling over HTTP2
(CVE-2021-3859)

* tomcat: Infinite loop while reading an unexpected TLS packet when using
OpenSSL JSSE engine (CVE-2021-41079)

* tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could
lead to DoS (CVE-2021-42340)

* undertow: HTTP2SourceChannel fails to write final frame under some
circumstances may lead to DoS (CVE-2021-3597)

* undertow: potential security issue in flow control over HTTP/2 may lead
to DOS (CVE-2021-3629)

* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)

* tomcat: HTTP request smuggling when used with a reverse proxy
(CVE-2021-33037)

* resteasy: Error message exposes endpoint class information
(CVE-2021-20289)

* tomcat: JNDI realm authentication weakness (CVE-2021-30640)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link for the
update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

1935927 - CVE-2021-20289 resteasy: Error message exposes endpoint class information
1970930 - CVE-2021-3597 undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS
1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS
1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer
1981533 - CVE-2021-33037 tomcat: HTTP request smuggling when used with a reverse proxy
1981544 - CVE-2021-30640 tomcat: JNDI realm authentication weakness
2004820 - CVE-2021-41079 tomcat: Infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE engine
2010378 - CVE-2021-3859 undertow: client side invocation timeout raised when calling over HTTP2
2014356 - CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS

5. References:

https://access.redhat.com/security/cve/CVE-2021-3597
https://access.redhat.com/security/cve/CVE-2021-3629
https://access.redhat.com/security/cve/CVE-2021-3642
https://access.redhat.com/security/cve/CVE-2021-3859
https://access.redhat.com/security/cve/CVE-2021-20289
https://access.redhat.com/security/cve/CVE-2021-30640
https://access.redhat.com/security/cve/CVE-2021-33037
https://access.redhat.com/security/cve/CVE-2021-41079
https://access.redhat.com/security/cve/CVE-2021-42340
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&productÊtRhoar.spring.boot&version=2.5.10
https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.5/html/release_notes_for_spring_boot_2.5/index

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYlX6EdzjgjWX9erEAQg9yA/+P1/lTMOi1yV6LLfSX3BdGGK82PYJsuO5
mafisp3yqeixCcljWGYZTjGeptsYoVqDPR1KqYJ2RKJyHcFYdI0DvdrmUHODIVAN
jgmXaeM+i5HfuSX7o+qsH5ZGkuSVT/H6MCTahZo4QwyzNjT2Zmri1jV0D/LA9fW9
pQd91GVrDeVfL0YzOJkdPaaIqaF/suOcH3saCeuABJ5H0qehRBQdlvh0z4ZjZTek
g8knA+/X83ggC1DLlCj9AmHT+RTlD1VrlUgXqrygcCgA58+JK5vM12/mMIslkEL6
+iNCkgpV6nYEW/N0G2CfH9sTk8JYpoY78Yx7V2hT1AxkEPaeReyVjTYcqfV1LenU
2Beo4J1WU4+T5CUao4P/2+MLSsDJDSadfEXM1sGJayULONl61bSCB/+Z/CMA7I/P
sLLhvN4TvMQB1dAfFmj9MFSArQQnxbrzkhp5/rPqWSHTfb1d0sSFU7SpqC4HYH+z
LCcLfC4ItUd5eBLRMtcJQdnFsPqL/3UdoqHyh5CKjJgTVXs/2Q8vKVdIFihon8GB
bPl7YGZT7zyhuSDi26nC0ThjanbE0LVG7Y2MUYNEyQz3gqXU8+HJKBRpKOwihqwM
RFJnNFSPqP3eHfbOMBGQpAzdkT7iLRCuyEGUesN6IplndYdn4fepDep/rdqeGk14
lGgYrqQ7rUU=fUW+
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close