-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat support for Spring Boot 2.5.10 update
Advisory ID:       RHSA-2022:1179-01
Product:           Red Hat OpenShift Application Runtimes
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1179
Issue date:        2022-04-12
CVE Names:         CVE-2021-3597 CVE-2021-3629 CVE-2021-3642
                   CVE-2021-3859 CVE-2021-20289 CVE-2021-30640
                   CVE-2021-33037 CVE-2021-41079 CVE-2021-42340
====================================================================

1. Summary:

An update is now available for Red Hat OpenShift Application Runtimes.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability. For
more information, see the CVE links in the References section.

2. Description:

Red Hat support for Spring Boot provides an application platform that
reduces the complexity of developing and operating applications (monoliths
and microservices) for OpenShift as a containerized platform.

This release of Red Hat support for Spring Boot 2.5.10 serves as a
replacement for Red Hat support for Spring Boot 2.4.9, and includes bug
fixes and enhancements. For more information, see the release notes listed
in the References section.

Security Fix(es):

* undertow: client side invocation timeout raised when calling over HTTP2
(CVE-2021-3859)

* tomcat: Infinite loop while reading an unexpected TLS packet when using
OpenSSL JSSE engine (CVE-2021-41079)

* tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead
to DoS (CVE-2021-42340)

* undertow: HTTP2SourceChannel fails to write final frame under some
circumstances may lead to DoS (CVE-2021-3597)

* undertow: potential security issue in flow control over HTTP/2 may lead to
DOS (CVE-2021-3629)

* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)

* tomcat: HTTP request smuggling when used with a reverse proxy
(CVE-2021-33037)

* resteasy: Error message exposes endpoint class information
(CVE-2021-20289)

* tomcat: JNDI realm authentication weakness (CVE-2021-30640)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link for the
update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

1935927 - CVE-2021-20289 resteasy: Error message exposes endpoint class information
1970930 - CVE-2021-3597 undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS
1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS
1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer
1981533 - CVE-2021-33037 tomcat: HTTP request smuggling when used with a reverse proxy
1981544 - CVE-2021-30640 tomcat: JNDI realm authentication weakness
2004820 - CVE-2021-41079 tomcat: Infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE engine
2010378 - CVE-2021-3859 undertow: client side invocation timeout raised when calling over HTTP2
2014356 - CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS

5. References:

https://access.redhat.com/security/cve/CVE-2021-3597
https://access.redhat.com/security/cve/CVE-2021-3629
https://access.redhat.com/security/cve/CVE-2021-3642
https://access.redhat.com/security/cve/CVE-2021-3859
https://access.redhat.com/security/cve/CVE-2021-20289
https://access.redhat.com/security/cve/CVE-2021-30640
https://access.redhat.com/security/cve/CVE-2021-33037
https://access.redhat.com/security/cve/CVE-2021-41079
https://access.redhat.com/security/cve/CVE-2021-42340
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.spring.boot&version=2.5.10
https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.5/html/release_notes_for_spring_boot_2.5/index

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYlX6EdzjgjWX9erEAQg9yA/+P1/lTMOi1yV6LLfSX3BdGGK82PYJsuO5
mafisp3yqeixCcljWGYZTjGeptsYoVqDPR1KqYJ2RKJyHcFYdI0DvdrmUHODIVAN
jgmXaeM+i5HfuSX7o+qsH5ZGkuSVT/H6MCTahZo4QwyzNjT2Zmri1jV0D/LA9fW9
pQd91GVrDeVfL0YzOJkdPaaIqaF/suOcH3saCeuABJ5H0qehRBQdlvh0z4ZjZTek
g8knA+/X83ggC1DLlCj9AmHT+RTlD1VrlUgXqrygcCgA58+JK5vM12/mMIslkEL6
+iNCkgpV6nYEW/N0G2CfH9sTk8JYpoY78Yx7V2hT1AxkEPaeReyVjTYcqfV1LenU
2Beo4J1WU4+T5CUao4P/2+MLSsDJDSadfEXM1sGJayULONl61bSCB/+Z/CMA7I/P
sLLhvN4TvMQB1dAfFmj9MFSArQQnxbrzkhp5/rPqWSHTfb1d0sSFU7SpqC4HYH+z
LCcLfC4ItUd5eBLRMtcJQdnFsPqL/3UdoqHyh5CKjJgTVXs/2Q8vKVdIFihon8GB
bPl7YGZT7zyhuSDi26nC0ThjanbE0LVG7Y2MUYNEyQz3gqXU8+HJKBRpKOwihqwM
RFJnNFSPqP3eHfbOMBGQpAzdkT7iLRCuyEGUesN6IplndYdn4fepDep/rdqeGk14
lGgYrqQ7rUU=
=fUW+
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce