-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Integration Camel-K 1.6 release and security update
Advisory ID:       RHSA-2021:4918-01
Product:           Red Hat Integration
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:4918
Issue date:        2021-12-02
Cross references:  RHBA-2021:79512-01
CVE Names:         CVE-2020-13936 CVE-2020-14326 CVE-2020-28491 
                   CVE-2021-20328 CVE-2021-21341 CVE-2021-21342 
                   CVE-2021-21343 CVE-2021-21344 CVE-2021-21345 
                   CVE-2021-21346 CVE-2021-21347 CVE-2021-21348 
                   CVE-2021-21350 CVE-2021-21351 CVE-2021-22118 
                   CVE-2021-27568 CVE-2021-29505 CVE-2021-31812 
                   CVE-2021-39139 CVE-2021-39140 CVE-2021-39141 
                   CVE-2021-39144 CVE-2021-39145 CVE-2021-39146 
                   CVE-2021-39147 CVE-2021-39148 CVE-2021-39149 
                   CVE-2021-39150 CVE-2021-39151 CVE-2021-39152 
                   CVE-2021-39153 CVE-2021-39154 
=====================================================================

1. Summary:

A minor version update (from 1.4.2 to 1.6) is now available for Red Hat
Integration Camel K that includes bug fixes and enhancements. The purpose
of this text-only errata is to inform you about the security issues fixed
in this release.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

A minor version update (from 1.4.2 to 1.6) is now available for Red Hat
Camel K that includes bug fixes and enhancements, which are documented in
the Release Notes document linked to in the References.

Security Fix(es):

* xstream: Arbitrary code execution via unsafe deserialization of
javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39146)

* xstream: Infinite loop DoS via unsafe deserialization of
sun.reflect.annotation.AnnotationInvocationHandler (CVE-2021-39140)

* xstream: Arbitrary code execution via unsafe deserialization of
javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39154)

* xstream: Arbitrary code execution via unsafe deserialization of Xalan
xsltc.trax.TemplatesImpl (CVE-2021-39153)

* xstream: Server-side request forgery (SSRF) via unsafe deserialization of
jdk.nashorn.internal.runtime.Source$URLData (CVE-2021-39152)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39151)

* xstream: Server-side request forgery (SSRF) via unsafe deserialization of
com.sun.xml.internal.ws.client.sei. (CVE-2021-39150)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.corba. (CVE-2021-39149)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.toolkit.dir.ContextEnumerator (CVE-2021-39148)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.ldap.LdapSearchEnumeration (CVE-2021-39147)

* xstream: vulnerable to an arbitrary code execution attack
(CVE-2021-39146)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39145)

* xstream: Arbitrary code execution via unsafe deserialization of
sun.tracing. (CVE-2021-39144)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.xml.internal.ws.client.sei. (CVE-2021-39141)

* xstream: Arbitrary code execution via unsafe deserialization of Xalan
xsltc.trax.TemplatesImpl (CVE-2021-39139)

* spring-web: (re)creating the temporary storage directory could result in 
a privilege escalation within WebFlux application (CVE-2021-22118)

* pdfbox: infinite loop while loading a crafted PDF file (CVE-2021-31812)

* jackson-dataformat-cbor:  Unchecked allocation of byte buffer can cause a
java.lang.OutOfMemoryError exception (CVE-2020-28491)

* xstream: remote command execution attack by manipulating the processed
input stream (CVE-2021-29505)

* json-smart: uncaught exception may lead to crash or information
disclosure (CVE-2021-27568)

* velocity: arbitrary code execution when attacker is able to modify
templates (CVE-2020-13936)

* mongodb-driver: mongo-java-driver: client-side field level encryption not
verifying KMS host name (CVE-2021-20328)

* RESTEasy: Caching routes in RootNode may result in DoS (CVE-2020-14326)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1855826 - CVE-2020-14326 RESTEasy: Caching routes in RootNode may result in DoS
1930423 - CVE-2020-28491 jackson-dataformat-cbor:  Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception
1934236 - CVE-2021-20328 mongo-java-driver: client-side field level encryption not verifying KMS host name
1937440 - CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates
1939839 - CVE-2021-27568 json-smart: uncaught exception may lead to crash or information disclosure
1942539 - CVE-2021-21341 XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream
1942545 - CVE-2021-21342 XStream: SSRF via crafted input stream
1942550 - CVE-2021-21343 XStream: arbitrary file deletion on the local host via crafted input stream
1942554 - CVE-2021-21344 XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet
1942558 - CVE-2021-21345 XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry
1942578 - CVE-2021-21346 XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue
1942629 - CVE-2021-21347 XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator
1942633 - CVE-2021-21348 XStream: ReDoS vulnerability
1942637 - CVE-2021-21350 XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader
1942642 - CVE-2021-21351 XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream
1966735 - CVE-2021-29505 XStream: remote command execution attack by manipulating the processed input stream
1971658 - CVE-2021-31812 pdfbox: infinite loop while loading a crafted PDF file
1974854 - CVE-2021-22118 spring-web: (re)creating the temporary storage directory could result in  a privilege escalation within WebFlux application
1997763 - CVE-2021-39139 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl
1997765 - CVE-2021-39140 xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler
1997769 - CVE-2021-39141 xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*
1997772 - CVE-2021-39144 xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.*
1997775 - CVE-2021-39145 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration
1997777 - CVE-2021-39146 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue
1997779 - CVE-2021-39147 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration
1997781 - CVE-2021-39148 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator
1997784 - CVE-2021-39149 xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.*
1997786 - CVE-2021-39150 xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*
1997791 - CVE-2021-39151 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration
1997793 - CVE-2021-39152 xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData
1997795 - CVE-2021-39153 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl
1997801 - CVE-2021-39154 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue

5. References:

https://access.redhat.com/security/cve/CVE-2020-13936
https://access.redhat.com/security/cve/CVE-2020-14326
https://access.redhat.com/security/cve/CVE-2020-28491
https://access.redhat.com/security/cve/CVE-2021-20328
https://access.redhat.com/security/cve/CVE-2021-21341
https://access.redhat.com/security/cve/CVE-2021-21342
https://access.redhat.com/security/cve/CVE-2021-21343
https://access.redhat.com/security/cve/CVE-2021-21344
https://access.redhat.com/security/cve/CVE-2021-21345
https://access.redhat.com/security/cve/CVE-2021-21346
https://access.redhat.com/security/cve/CVE-2021-21347
https://access.redhat.com/security/cve/CVE-2021-21348
https://access.redhat.com/security/cve/CVE-2021-21350
https://access.redhat.com/security/cve/CVE-2021-21351
https://access.redhat.com/security/cve/CVE-2021-22118
https://access.redhat.com/security/cve/CVE-2021-27568
https://access.redhat.com/security/cve/CVE-2021-29505
https://access.redhat.com/security/cve/CVE-2021-31812
https://access.redhat.com/security/cve/CVE-2021-39139
https://access.redhat.com/security/cve/CVE-2021-39140
https://access.redhat.com/security/cve/CVE-2021-39141
https://access.redhat.com/security/cve/CVE-2021-39144
https://access.redhat.com/security/cve/CVE-2021-39145
https://access.redhat.com/security/cve/CVE-2021-39146
https://access.redhat.com/security/cve/CVE-2021-39147
https://access.redhat.com/security/cve/CVE-2021-39148
https://access.redhat.com/security/cve/CVE-2021-39149
https://access.redhat.com/security/cve/CVE-2021-39150
https://access.redhat.com/security/cve/CVE-2021-39151
https://access.redhat.com/security/cve/CVE-2021-39152
https://access.redhat.com/security/cve/CVE-2021-39153
https://access.redhat.com/security/cve/CVE-2021-39154
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2021-Q4
https://access.redhat.com/documentation/en-us/red_hat_integration/2021.q4

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYakvl9zjgjWX9erEAQiFIw/+ISEj2ZJKBtc3tQk3sbGEdMOZ6OYijH7Z
W8SmBOgmanF6B6MKB3kF8rflJUWj5srKWaQlNQ1BYlTcu+m3YcOUvOOQgTG0Rz5D
KRh4raRt42VowaH40vf7plBZKHHKR7TLO0L8amzXv30NqsJOK/rkuLjGH8pZ+zfO
pf2USh7aNfd0DTTSoZbzLXh3ErpSQ156gTS7F8mnH/F+AODCQ0DAtHSqKQWbm6kU
R+RgHUTEGCgiAIIQcQRqRAf2g872gcOw1EopDJEmwzgwIaopd9L++Fjox0jSllew
GmmmgHn79gHO3ymKAm10sbqo0x/smO6fpUWmZIYoANt2z3U+ZQmZSZYS6NssCyHK
kD5G48X5nf8vRLXEsIHftakJCd7gauYL3X4Cpsl+lwRr6ImNDQbZcYIJeLO5lqGB
hQYg1AByo4Fs+614NK3oUKKxJuVsWJUCVxSicJJr5QBYz23YT86keVblWZ6ozPTU
+ScfN5+SogosaUqTrVfPhbjoL7pgmbtTEHjyW1McI/IAUj1C5kilVdlpYnybJC9d
oXQBL3fweL6S+sYSyQ+AVf4bxVE9HICj3eg/IpLkKN1gIU7nN+SP6b71MZWlzHyI
sO7Hmno+sZjEE7VQ9s70/IQEYtiPBovCJ+OQ5/C8lMusimG3ikVwFVP5nl/JS3I2
FUnEIXQL4Y8=
=Ys6A
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce