-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Data Grid 8.1.1 security update
Advisory ID:       RHSA-2021:0433-01
Product:           Red Hat JBoss Data Grid
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0433
Issue date:        2021-02-08
CVE Names:         CVE-2020-25644 CVE-2020-25711 CVE-2020-26217
====================================================================

1. Summary:

A security update for Red Hat Data Grid is now available.

Red Hat Product Security has rated this update as having a security
impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat Data Grid is a distributed, in-memory data store.

This release of Red Hat Data Grid 8.1.1 serves as a replacement for Red
Hat Data Grid 8.1.0, and includes bug fixes and enhancements, which are
documented in the Release Notes document linked to in the References.

Security Fix(es):

* wildfly-openssl: memory leak per HTTP session creation in WildFly
OpenSSL (CVE-2020-25644)

* XStream: remote code execution due to insecure XML deserialization
when relying on blocklists (CVE-2020-26217)

* infinispan: authorization check missing for server management
operations (CVE-2020-25711)

For more details about the security issue(s), including the impact, a
CVSS score, acknowledgments, and other related information, refer to
the CVE page(s) listed in the References section.

3. Solution:

Refer to the Data Grid 8.1 Upgrade Guide for instructions on upgrading
to this version.

The References section of this erratum contains a download link (you
must log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1885485 - CVE-2020-25644 wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL
1897618 - CVE-2020-25711 infinispan: authorization check missing for server management operations
1898907 - CVE-2020-26217 XStream: remote code execution due to insecure XML deserialization when relying on blocklists

5. References:

https://access.redhat.com/security/cve/CVE-2020-25644
https://access.redhat.com/security/cve/CVE-2020-25711
https://access.redhat.com/security/cve/CVE-2020-26217
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=securityPatches&version=8.1
https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.1/html/upgrading_data_grid/

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYCE08tzjgjWX9erEAQiczA//cBXSGydb50uqm54n7mRr650w/tX/KeGy
IFa++dkIoJP5aF+nkK46Z+WqSpO+TnPcq4QgOHT0z2211J8smOk1UwRzarogrR+I
WkfzO4+r/2oAYJHF9vB8wlYbnFIqaOqCu3MwO+1a58A2ECOZXAKs4EivEMdcvp1+
7VbnMU2GsgZUvVMsRPRitTJGkkL14UwYP/MZCHQRfdbrbOopjjSYCUt1hzpFmPIu
4tJCvkArKIHksXdBtbb+Y+PFop05hySRDp8ed1bJPcD8+6Lv8ezVh/i1YMdBFJ7F
Nq6T7g3InpueJflvfLooZ6Nlf8T+Ar8Dsv6e+6kmSpUQPxgAZJEeNSZBdvbRwVIE
O8YqK4nWxxi5R1YehjuR4ax42D3rv+ZWuL8pmr90uDMcmpCp4uM8SEfmEkbhyeVQ
UMYmv9oJW2oayvGlKvCkdFoLcN6kdkLmHIAPqdh8QnyuG6GlAxozsJ+566k4gWgI
HYLY62IOBHbsBE9dzCIqBSk3/+GvGmnzdEQd+R6a/xRmQ83In2J6BzGbZkzkOvUj
4rqS74Q2YV+hG4PRtlRO9EDolYOLARMW1qJQrWtbwdgXDt9mjPEPXw9FoHpUYitz
c0wPDE5hbdp8uwarYP7SuHXLRrCBedHx0reGQyHzBtrJtfqRPWVKd43jeUkUt22R
R/ZChTj5mZQ=
=m0Gn
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
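The XStream entry above (CVE-2020-26217) describes the class of problem where a deserializer relies on a blocklist of dangerous types, which can be bypassed by a type the blocklist does not name. The defensive configuration XStream's own security documentation recommends is to deny every type and then allow only the application's own model classes. The snippet below is an added example, not part of the advisory or of Red Hat's or XStream's code; the application package `com.example.app` and the class name `XStreamAllowlist` are hypothetical placeholders, and the XML document in `main` is constructed for the demonstration.

```java
// Added example (not part of RHSA-2021:0433): configure XStream with an
// explicit type allowlist instead of relying on its built-in blocklist.
// "com.example.app" is a hypothetical package; substitute the packages
// that hold the types your application actually serialises.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlist {

    /** Builds an XStream instance that rejects every type not listed here. */
    public static XStream hardened() {
        XStream xstream = new XStream();
        // Step 1: deny everything. This clears the default permissions so the
        // outcome no longer depends on a blocklist being complete.
        xstream.addPermission(NoTypePermission.NONE);
        // Step 2: re-admit the primitives and null, which any document needs.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class });
        // Step 3: admit only the application's own model classes (hypothetical
        // package); nothing outside this wildcard can be instantiated.
        xstream.allowTypesByWildcard(new String[] { "com.example.app.**" });
        return xstream;
    }

    /** Returns true if the document was rejected by the allowlist. */
    public static boolean rejects(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardened();
        // Constructed sample: a harmless JDK type that is nonetheless outside
        // the allowlist, so the hardened instance must refuse it.
        String outsideAllowlist = "<java.util.Date/>";
        System.out.println("rejected: " + rejects(xstream, outsideAllowlist));
    }
}
```

The key design choice is the order of calls: `NoTypePermission.NONE` must come first so that every later permission is an explicit grant, and the wildcard should be as narrow as the application allows. Upgrading to a fixed XStream (as this erratum does for Data Grid) removes the known bypass, but the allowlist is what makes the deserializer's behaviour independent of whichever gadget type is discovered next.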