{"id":20973,"date":"2022-02-22T20:18:11","date_gmt":"2022-02-22T17:18:11","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/166093\/RHSA-2022-0589-01.txt"},"modified":"2022-02-23T15:18:58","modified_gmt":"2022-02-23T11:48:58","slug":"red-hat-security-advisory-2022-0589-01","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/red-hat-security-advisory-2022-0589-01\/","title":{"rendered":"Red Hat Security Advisory 2022-0589-01"},"content":{"rendered":"

—–BEGIN PGP SIGNED MESSAGE—–
\nHash: SHA256<\/p>\n

=====================================================================
\nRed Hat Security Advisory<\/p>\n

Synopsis: Moderate: Red Hat build of Quarkus 2.2.5 release and security update
\nAdvisory ID: RHSA-2022:0589-01
\nProduct: Red Hat build of Quarkus
\nAdvisory URL: https:\/\/access.redhat.com\/errata\/RHSA-2022:0589
\nIssue date: 2022-02-21
\nCVE Names: CVE-2021-2471 CVE-2021-4178 CVE-2021-28170
\nCVE-2021-37136 CVE-2021-37137 CVE-2021-37714
\nCVE-2021-38153 CVE-2021-41269
\n=====================================================================<\/p>\n

1. Summary:<\/p>\n

An update is now available for Red Hat build of Quarkus.<\/p>\n

Red Hat Product Security has rated this update as having a security impact
\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
\ngives a detailed severity rating, is available for each vulnerability. For
\nmore information, see the CVE links in the References section.<\/p>\n

2. Description:<\/p>\n

This release of Red Hat build of Quarkus 2.2.5 includes security updates,
\nbug fixes, and enhancements. For more information, see the release notes
\npage listed in the References section.<\/p>\n

Security Fix(es):<\/p>\n

* kafka-clients: Kafka: Timing Attack Vulnerability for Apache Kafka
\nConnect and Clients (CVE-2021-38153)<\/p>\n

* kubernetes-client: Insecure deserialization in unmarshalYaml method
\n(CVE-2021-4178)<\/p>\n

* jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
\n(CVE-2021-37714)<\/p>\n

* jakarta.el: jakarta-el: ELParserTokenManager enables invalid EL
\nexpressions to be evaluate (CVE-2021-28170)<\/p>\n

* netty-codec: Bzip2Decoder doesn’t allow setting size restrictions for
\ndecompressed data (CVE-2021-37136)<\/p>\n

* netty-codec: SnappyFrameDecoder doesn’t restrict chunk length and may
\nbuffer skippable chunks in an unnecessary way (CVE-2021-37137)<\/p>\n

* mysql-connector-java: unauthorized access to critical (CVE-2021-2471)<\/p>\n

* cron-utils: template Injection leading to unauthenticated Remote Code
\nExecution(CVE-2021-41269)<\/p>\n

For more details about the security issue(s), including the impact, a CVSS
\nscore, acknowledgments, and other related information, refer to the CVE
\npage(s) listed in the References section.<\/p>\n

3. Solution:<\/p>\n

Before applying the update, back up your existing installation, including
\nall applications, configuration files, databases and database settings, and
\nso on.<\/p>\n

The References section of this erratum contains a download link for the
\nupdate. You must be logged in to download the update.<\/p>\n

4. Bugs fixed (https:\/\/bugzilla.redhat.com\/):<\/p>\n

1965497 – CVE-2021-28170 jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluate
\n1995259 – CVE-2021-37714 jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
\n2004133 – CVE-2021-37136 netty-codec: Bzip2Decoder doesn’t allow setting size restrictions for decompressed data
\n2004135 – CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn’t restrict chunk length and may buffer skippable chunks in an unnecessary way
\n2009041 – CVE-2021-38153 Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients
\n2020583 – CVE-2021-2471 mysql-connector-java: unauthorized access to critical
\n2024632 – CVE-2021-41269 cron-utils: template Injection leading to unauthenticated Remote Code Execution
\n2034388 – CVE-2021-4178 kubernetes-client: Insecure deserialization in unmarshalYaml method<\/p>\n

5. References:<\/p>\n

https:\/\/access.redhat.com\/security\/cve\/CVE-2021-2471
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-4178
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-28170
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-37136
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-37137
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-37714
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-38153
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-41269
\nhttps:\/\/access.redhat.com\/security\/updates\/classification\/#moderate
\nhttps:\/\/access.redhat.com\/jbossnetwork\/restricted\/listSoftware.html?product=redhat.quarkus&downloadType=distributions&version=2.2.5
\nhttps:\/\/access.redhat.com\/documentation\/en-us\/red_hat_build_of_quarkus\/2.2\/
\nhttps:\/\/access.redhat.com\/articles\/4966181<\/p>\n

6. Contact:<\/p>\n

The Red Hat security contact is <secalert@redhat.com>. More contact
\ndetails at https:\/\/access.redhat.com\/security\/team\/contact\/<\/p>\n

Copyright 2022 Red Hat, Inc.
\n—–BEGIN PGP SIGNATURE—–
\nVersion: GnuPG v1<\/p>\n

iQIVAwUBYhQOfNzjgjWX9erEAQjzdA\/\/ddK6hPPLHj5\/ubtY1ZS19bIEy5ZcgL45
\nhY7P1HWdqs+UDXnSMLlgXoDMc+qJNmJ9EkEzY4xNkpqc3WMjVgBsZ6t1wjVhIFxt
\ndKV1Vj3wwyQJhbbbcxLPhfeJW33hVYNcOWPqlbX4+qnc11slQVIsH2RN0qltP0OA
\n5LyNjj39lobMoSWxn4T65iexONA6edYcDWrQQrMSLw\/xa\/w+xMEOL1Dg+LYsJtFp
\nXPAovAstep1haAAtv6fqTOdmMAZpFVgrzsi\/GhrLRS23Q5O3HvTZIWgl+wDVghH1
\nWuniWLADJ4\/\/X7fibrSq0QCLDpSQ0xc+RInrKfc6gczw1wNbgUoO2ITrzvjeHTx2
\n7udXXpXlif6uaKPGdDVqfu\/LO8GO0q24nQcWav8gI2hksq5QDz6c3PjclJBECGGI
\nc4jtGAdENlAlK0p7yOgdoByq4VSYt26tMIKQLsvgVUSEEP\/xi65FJDl4pEJNNmqM
\ni2OlMntKYWjEPuX513CWE3A\/ZZzteHmksfP\/VgPnJ+vh3JMHjvfpGsnCu9WZI2j4
\n00DQsIOcUZ43DnldJY6pYrkN04JgXjYkyTAH3+vJac4ylU7HqyzyqhucVRQWqp4o
\nxREFsOy4oxpGyxCpywZCpoZRlGemLCtOh5KTCRKzRrNYZf2dmSo\/MIYhPF02dySH
\ngtC\/1OCBcZs=
\n=l9VG
\n—–END PGP SIGNATURE—–<\/p>\n


\nRHSA-announce mailing list
\nRHSA-announce@redhat.com
\nhttps:\/\/listman.redhat.com\/mailman\/listinfo\/rhsa-announce<\/p>\n","protected":false},"excerpt":{"rendered":"

—–BEGIN PGP SIGNED MESSAGE—– Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat build of Quarkus 2.2.5 release and security update Advisory ID: RHSA-2022:0589-01 Product: Red Hat build of Quarkus Advisory URL: https:\/\/access.redhat.com\/errata\/RHSA-2022:0589 Issue date: 2022-02-21 CVE Names: CVE-2021-2471 CVE-2021-4178 CVE-2021-28170 CVE-2021-37136 CVE-2021-37137 CVE-2021-37714 CVE-2021-38153 CVE-2021-41269 ===================================================================== 1. Summary: An update is now …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-20973","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/20973","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=20973"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/20973\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=20973"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=20973"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=20973"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}