what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2022-6407-01

Red Hat Security Advisory 2022-6407-01
Posted Sep 9, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-6407-01 - A minor version update is now available for Red Hat Camel K that includes CVE fixes in the base images, which are documented in the Release Notes document linked in the References section. Issues addressed include denial of service, information leakage, integer overflow, and resource exhaustion vulnerabilities.

tags | advisory, denial of service, overflow, vulnerability
systems | linux, redhat
advisories | CVE-2020-27223, CVE-2020-36518, CVE-2020-9492, CVE-2021-20289, CVE-2021-22132, CVE-2021-22137, CVE-2021-2471, CVE-2021-28163, CVE-2021-28164, CVE-2021-28165, CVE-2021-3520, CVE-2021-3629, CVE-2021-37714, CVE-2021-38153
SHA-256 | cc86bb2ed063a9b8609ef6960b486d0a7bff3be7ef9e7f5716ccc3523480f3ed

Red Hat Security Advisory 2022-6407-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat Integration Camel-K 1.8 security update
Advisory ID: RHSA-2022:6407-01
Product: Red Hat Integration
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6407
Issue date: 2022-09-09
CVE Names: CVE-2020-9492 CVE-2020-27223 CVE-2020-36518
CVE-2021-2471 CVE-2021-3520 CVE-2021-3629
CVE-2021-20289 CVE-2021-22132 CVE-2021-22137
CVE-2021-28163 CVE-2021-28164 CVE-2021-28165
CVE-2021-37714 CVE-2021-38153 CVE-2021-40690
=====================================================================

1. Summary:

A minor version update is now available for Red Hat Integration Camel K.
The purpose of this text-only errata is to inform you about the security
issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

A minor version update is now available for Red Hat Camel K that includes
CVE fixes in the base images, which are documented in the Release Notes
document linked in the References section.

Security Fix(es):

* hadoop: WebHDFS client might send SPNEGO authorization header
(CVE-2020-9492)

* jetty: request containing multiple Accept headers with a large number of
"quality" parameters may lead to DoS (CVE-2020-27223)

* jackson-databind: denial of service via a large depth of nested objects
(CVE-2020-36518)

* mysql-connector-java: unauthorized access to critical (CVE-2021-2471)

* lz4: memory corruption due to an integer overflow bug caused by memmove
argument (CVE-2021-3520)

* undertow: potential security issue in flow control over HTTP/2 may lead
to DOS (CVE-2021-3629)

* elasticsearch: executing async search improperly stores HTTP headers
leading to information disclosure (CVE-2021-22132)

* jetty: Symlink directory exposes webapp directory contents
(CVE-2021-28163)

* jetty: Ambiguous paths can access WEB-INF (CVE-2021-28164)

* jetty: Resource exhaustion when receiving an invalid large TLS frame
(CVE-2021-28165)

* jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
(CVE-2021-37714)

* Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients
(CVE-2021-38153)

* xml-security: XPath Transform abuse allows for information disclosure
(CVE-2021-40690)

* resteasy: Error message exposes endpoint class information
(CVE-2021-20289)

* elasticsearch: Document disclosure flaw when Document or Field Level
Security is used (CVE-2021-22137)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1923181 - CVE-2021-22132 elasticsearch: executing async search improperly stores HTTP headers leading to information disclosure
1925237 - CVE-2020-9492 hadoop: WebHDFS client might send SPNEGO authorization header
1934116 - CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS
1935927 - CVE-2021-20289 resteasy: Error message exposes endpoint class information
1943189 - CVE-2021-22137 elasticsearch: Document disclosure flaw when Document or Field Level Security is used
1945710 - CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents
1945712 - CVE-2021-28164 jetty: Ambiguous paths can access WEB-INF
1945714 - CVE-2021-28165 jetty: Resource exhaustion when receiving an invalid large TLS frame
1954559 - CVE-2021-3520 lz4: memory corruption due to an integer overflow bug caused by memmove argument
1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS
1995259 - CVE-2021-37714 jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
2009041 - CVE-2021-38153 Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients
2011190 - CVE-2021-40690 xml-security: XPath Transform abuse allows for information disclosure
2020583 - CVE-2021-2471 mysql-connector-java: unauthorized access to critical
2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects

5. References:

https://access.redhat.com/security/cve/CVE-2020-9492
https://access.redhat.com/security/cve/CVE-2020-27223
https://access.redhat.com/security/cve/CVE-2020-36518
https://access.redhat.com/security/cve/CVE-2021-2471
https://access.redhat.com/security/cve/CVE-2021-3520
https://access.redhat.com/security/cve/CVE-2021-3629
https://access.redhat.com/security/cve/CVE-2021-20289
https://access.redhat.com/security/cve/CVE-2021-22132
https://access.redhat.com/security/cve/CVE-2021-22137
https://access.redhat.com/security/cve/CVE-2021-28163
https://access.redhat.com/security/cve/CVE-2021-28164
https://access.redhat.com/security/cve/CVE-2021-28165
https://access.redhat.com/security/cve/CVE-2021-37714
https://access.redhat.com/security/cve/CVE-2021-38153
https://access.redhat.com/security/cve/CVE-2021-40690
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2022-Q3
https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q3

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYxs70NzjgjWX9erEAQjJwA//SOV45S61jVwW0rWlStVD30gzBi4G/Smq
hg/CV6OSMKd+SL5jivW1PPh1T6D30LEWCP4GnLSpDCx36MWGV8QOEL1e2PXAXJK3
vQJbqAHjqIIERY41KJrCBZQ+jUQx1mlev6JRfOP+xvK9lCuwtk/FfhciDEBzbrJA
OG6TLpSxHd8a9sqX0uT8WfXLAiJcU5ZShG87a6ZWfK/b7zvw54TD+V2VX8ob1CKB
UCQZV2z7uzCopDqsfb1br3CMLj28WLCgyWdXM12SX+NPI0YZ+a9+zwAUnnT/Pumg
Qy70O9l7Kr0/RcAiZYk05HG/EBq+dUg2KUkHCOZ+JtiC0wBwYXSLiJI2BQWQj2Zq
NbQ8NQMVWBVslvOtP9CDQSthYjGDHZdyqBSXBFdmrevxbjcg+w8UrF6dMM67fbNs
GPd5y9KgySeoWTmMdkfnBOrsiFXHkWcWvErKX3xn0DniLVFYlesIA5omETvLWzPc
F/KJgb5nj/ObigbfLZo/kAd8zPX3atSatl6CZOejqly6irhTIfIMywkaNjJXU87p
2MuaIyyZyMIvTOaPDhPoE/nGTj8B0fBoOLxFmDirNLcsJXOKLFgPIQnU5r/X0bb8
lcoSrbHvbLHFTf0uTmVRepInph/+JWZ+phGBY/KeoMYY7KTmR5/RUR5smqych3Y7
UtgibM+BGsU=
=nU0B
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    37 Files
  • 27
    Feb 27th
    34 Files
  • 28
    Feb 28th
    27 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close