{"id":22075,"date":"2022-03-23T20:18:27","date_gmt":"2022-03-23T16:18:27","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/166418\/RHSA-2022-1029-01.txt"},"modified":"2022-03-27T09:40:57","modified_gmt":"2022-03-27T05:10:57","slug":"red-hat-security-advisory-2022-1029-01","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/red-hat-security-advisory-2022-1029-01\/","title":{"rendered":"Red Hat Security Advisory 2022-1029-01"},"content":{"rendered":"

—–BEGIN PGP SIGNED MESSAGE—–
\nHash: SHA256<\/p>\n

====================================================================
\nRed Hat Security Advisory<\/p>\n

Synopsis: Important: Red Hat Integration Camel-K 1.6.4 release and security update
\nAdvisory ID: RHSA-2022:1029-01
\nProduct: Red Hat Integration
\nAdvisory URL: https:\/\/access.redhat.com\/errata\/RHSA-2022:1029
\nIssue date: 2022-03-23
\nCVE Names: CVE-2020-8908 CVE-2020-15522 CVE-2020-27218
\nCVE-2021-3690 CVE-2021-20293 CVE-2021-21349
\nCVE-2021-26291 CVE-2021-28168 CVE-2021-28170
\nCVE-2021-33813 CVE-2022-24407
\n====================================================================
\n1. Summary:<\/p>\n

A micro version update (from 1.6.3 to 1.6.4) is now available for Red Hat
\nIntegration Camel K that includes bug fixes and enhancements. The purpose
\nof this text-only errata is to inform you about the security issues fixed
\nin this release.<\/p>\n

Red Hat Product Security has rated this update as having a security impact
\nof Important. A Common Vulnerability Scoring System (CVSS) base score,
\nwhich gives a detailed severity rating, is available for each vulnerability
\nfrom the CVE link(s) in the References section.<\/p>\n

2. Description:<\/p>\n

A micro version update (from 1.6.3 to 1.6.4) is now available for Red Hat
\nCamel K that includes bug fixes and enhancements, which are documented in
\nthe Release Notes document linked to in the References.<\/p>\n

Security Fix(es):<\/p>\n

* undertow: buffer leak on incoming websocket PONG message may lead to DoS
\n(CVE-2021-3690)<\/p>\n

* maven: Block repositories using http by default (CVE-2021-26291)<\/p>\n

* cyrus-sasl: failure to properly escape SQL input allows an attacker to
\nexecute arbitrary SQL commands (CVE-2022-24407)<\/p>\n

* bouncycastle: Timing issue within the EC math library (CVE-2020-15522)<\/p>\n

* jetty: buffer not correctly recycled in Gzip Request inflation
\n(CVE-2020-27218)<\/p>\n

* RESTEasy: PathParam in RESTEasy can lead to a reflected XSS attack
\n(CVE-2021-20293)<\/p>\n

* XStream: SSRF can be activated unmarshalling with XStream to access data
\nstreams from an arbitrary URL referencing a resource in an intranet or the
\nlocal host (CVE-2021-21349)<\/p>\n

* jersey: Local information disclosure via system temporary directory
\n(CVE-2021-28168)<\/p>\n

* jakarta-el: ELParserTokenManager enables invalid EL expressions to be
\nevaluate (CVE-2021-28170)<\/p>\n

* jdom: XXE allows attackers to cause a DoS via a crafted HTTP request
\n(CVE-2021-33813)<\/p>\n

* guava: local information disclosure via temporary directory created with
\nunsafe permissions (CVE-2020-8908)<\/p>\n

For more details about the security issue(s), including the impact, a CVSS
\nscore, acknowledgments, and other related information, refer to the CVE
\npage(s) listed in the References section.<\/p>\n

3. Solution:<\/p>\n

Before applying this update, make sure all previously released errata
\nrelevant to your system have been applied.<\/p>\n

For details on how to apply this update, refer to:<\/p>\n

https:\/\/access.redhat.com\/articles\/11258<\/p>\n

4. Bugs fixed (https:\/\/bugzilla.redhat.com\/):<\/p>\n

1902826 – CVE-2020-27218 jetty: buffer not correctly recycled in Gzip Request inflation
\n1906919 – CVE-2020-8908 guava: local information disclosure via temporary directory created with unsafe permissions
\n1942635 – CVE-2021-21349 XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host
\n1942819 – CVE-2021-20293 RESTEasy: PathParam in RESTEasy can lead to a reflected XSS attack
\n1953024 – CVE-2021-28168 jersey: Local information disclosure via system temporary directory
\n1955739 – CVE-2021-26291 maven: Block repositories using http by default
\n1962879 – CVE-2020-15522 bouncycastle: Timing issue within the EC math library
\n1965497 – CVE-2021-28170 jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluate
\n1973413 – CVE-2021-33813 jdom: XXE allows attackers to cause a DoS via a crafted HTTP request
\n1991299 – CVE-2021-3690 undertow: buffer leak on incoming websocket PONG message may lead to DoS
\n2055326 – CVE-2022-24407 cyrus-sasl: failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands<\/p>\n

5. References:<\/p>\n

https:\/\/access.redhat.com\/security\/cve\/CVE-2020-8908
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2020-15522
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2020-27218
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-3690
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-20293
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-21349
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-26291
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-28168
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-28170
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-33813
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-24407
\nhttps:\/\/access.redhat.com\/security\/updates\/classification\/#important
\nhttps:\/\/access.redhat.com\/jbossnetwork\/restricted\/listSoftware.html?downloadType=distributions&product=red.hat.integration&version 22-Q2
\nhttps:\/\/access.redhat.com\/documentation\/en-us\/red_hat_integration\/2022.q2<\/p>\n

6. Contact:<\/p>\n

The Red Hat security contact is <secalert@redhat.com>. More contact
\ndetails at https:\/\/access.redhat.com\/security\/team\/contact\/<\/p>\n

Copyright 2022 Red Hat, Inc.
\n—–BEGIN PGP SIGNATURE—–
\nVersion: GnuPG v1<\/p>\n

iQIVAwUBYjrohtzjgjWX9erEAQg6mg\/+LxmCCWt3OEzksRdLiypLvy5s2dvXoxGQ
\nlHMdzXoYiHb1OgYWYHYUFHzp25qFqI9VTPHeeBXHgb7RI3fN31m+Ao56F3QOfRIE
\nfWYS0W9BdCJQXLWzAfV1fvlLnrXLG3lCACouGvxy9WjRnF4e9S67STeEM+Hl\/NQw
\nXJkbUDQgJUxt97xGS6HZGtHoNxM4PnF8vN2VXBnOTOiTf3bsPToIW6RAS\/EzyoFb
\nwEoTX36QxktjT9WbAcAq1cErZl5qTx1kSkwguWfFCCUy4rfS8hh0G03nVTYCMY+l
\nGnwV7RUWQklDQ2n7r3HW36k+Dt3FoOhvezSkJTjPtuPSKaXwTtRnOeh4PcGyxgHO
\n07jYflxDYfkHmY81R\/Pel\/SFOy4JzyOr5Zyc2SntK9y6qEoAj46HEr\/IMH0WVE9h
\nK5i6HFPkDJtWDFxe729ctNjLdF2YLXzIjnFt0dJdE3CHbNIFItoj+L2zMh+2qvHO
\nlWElB2WvOIc4pKUCJxV6R2pOBrZwjwrD91PMGC00Ze5p8YsmkGgW9rMNTl+479fQ
\nEaYNj0JOAN1gxnYYfKxW\/SASi7fINl1xVn\/JnHV9ovPiKyqGPcTPNDJ+qvW1tsIj
\nBOmtIt9qAZH\/+xaY\/mj2E84aMghXobYB52Dw4iWgvPpPd9QMt17P2JTAxVQ0XWLr
\n1rOJAKvdRbU=vCKh
\n—–END PGP SIGNATURE—–
\n—
\nRHSA-announce mailing list
\nRHSA-announce@redhat.com
\nhttps:\/\/listman.redhat.com\/mailman\/listinfo\/rhsa-announce<\/p>\n","protected":false},"excerpt":{"rendered":"

—–BEGIN PGP SIGNED MESSAGE—– Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat Integration Camel-K 1.6.4 release and security update Advisory ID: RHSA-2022:1029-01 Product: Red Hat Integration Advisory URL: https:\/\/access.redhat.com\/errata\/RHSA-2022:1029 Issue date: 2022-03-23 CVE Names: CVE-2020-8908 CVE-2020-15522 CVE-2020-27218 CVE-2021-3690 CVE-2021-20293 CVE-2021-21349 CVE-2021-26291 CVE-2021-28168 CVE-2021-28170 CVE-2021-33813 CVE-2022-24407 ==================================================================== 1. Summary: A micro version update …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-22075","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/22075","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=22075"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/22075\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=22075"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=22075"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=22075"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}