=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Integration Camel Quarkus Tech-Preview 2 security update
Advisory ID:       RHSA-2021:3207-01
Product:           Red Hat Integration
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3207
Issue date:        2021-08-18
CVE Names:         CVE-2020-13920 CVE-2020-17518 CVE-2020-17521
                   CVE-2020-26238 CVE-2020-27222 CVE-2020-27782
                   CVE-2020-29582 CVE-2021-20218
=====================================================================

1. Summary:

An update to the Red Hat Integration Camel Quarkus tech preview is now
available. The purpose of this text-only errata is to inform you about the
security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

This release of Red Hat Integration - Camel Quarkus - 1.8.1 tech-preview 2
serves as a replacement for tech-preview 1, and includes bug fixes and
enhancements, which are documented in the Release Notes document linked to
in the References.

Security Fix(es):

* cron-utils: template injection allows attackers to inject arbitrary Java
EL expressions leading to remote code execution (CVE-2020-26238)

* californium-core: DTLS - DoS vulnerability for certificate based
handshakes (CVE-2020-27222)

* undertow: special character in query results in server errors
(CVE-2020-27782)

* activemq: improper authentication allows MITM attack (CVE-2020-13920)

* flink: apache-flink: directory traversal attack allows remote file
writing through the REST API (CVE-2020-17518)

* groovy: OS temporary directory leads to information disclosure
(CVE-2020-17521)

* kubernetes-client: fabric8-kubernetes-client: vulnerable to a path
traversal leading to integrity and availability compromise (CVE-2021-20218)

* kotlin-scripting-jvm: kotlin: vulnerable Java API was used for temporary
file and folder creation which could result in information disclosure
(CVE-2020-29582)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1880101 - CVE-2020-13920 activemq: improper authentication allows MITM attack
1901304 - CVE-2020-27782 undertow: special character in query results in server errors
1901655 - CVE-2020-26238 cron-utils: template injection allows attackers to inject arbitrary Java EL expressions leading to remote code execution
1913312 - CVE-2020-17518 apache-flink: directory traversal attack allows remote file writing through the REST API
1922123 - CVE-2020-17521 groovy: OS temporary directory leads to information disclosure
1923405 - CVE-2021-20218 fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise
1930230 - CVE-2020-27222 californium-core: DTLS - DoS vulnerability for certificate based handshakes
1930291 - CVE-2020-29582 kotlin: vulnerable Java API was used for temporary file and folder creation which could result in information disclosure

5. References:

https://access.redhat.com/security/cve/CVE-2020-13920
https://access.redhat.com/security/cve/CVE-2020-17518
https://access.redhat.com/security/cve/CVE-2020-17521
https://access.redhat.com/security/cve/CVE-2020-26238
https://access.redhat.com/security/cve/CVE-2020-27222
https://access.redhat.com/security/cve/CVE-2020-27782
https://access.redhat.com/security/cve/CVE-2020-29582
https://access.redhat.com/security/cve/CVE-2021-20218
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_integration/2021.q3/html-single/getting_started_with_camel_quarkus_extensions/
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2021-Q3

6. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.