Issued:
2021-11-23
Updated:
2021-11-23

RHSA-2021:4767 - Moderate: Red Hat Integration Camel Extensions for Quarkus GA security update

Synopsis

Moderate: Red Hat Integration Camel Extensions for Quarkus GA security update

Type/Severity

Security Advisory Moderate

Topic

Red Hat Integration Camel Extensions for Quarkus 2.2 is now GA. The purpose of this text-only errata is to inform you about the security issues fixed since the tech preview 2 release.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

This release of Red Hat Integration - Camel Extensions for Quarkus - 2.2 GA serves as a replacement for tech-preview 2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

  • jetty (CVE-2021-28163, CVE-2020-27218, CVE-2020-27223, CVE-2021-28164, CVE-2021-28169, CVE-2021-28165, CVE-2021-34428, CVE-2021-34428)

  • undertow: potential security issue in flow control over HTTP/2 may lead to DOS (CVE-2021-3629)

  • xstream (CVE-2021-39144, CVE-2021-39141, CVE-2021-39154, CVE-2021-39153, CVE-2021-39152, CVE-2021-39151, CVE-2021-39150, CVE-2021-39149, CVE-2021-39148, CVE-2021-39147, CVE-2021-39146, CVE-2021-39145, CVE-2021-39140, CVE-2021-39139, CVE-2021-21351, CVE-2021-21350, CVE-2021-21349, CVE-2021-21348, CVE-2021-21347, CVE-2021-21346, CVE-2021-21345, CVE-2021-21344, CVE-2021-21343, CVE-2021-21342, CVE-2021-21341, CVE-2021-29505, CVE-2020-26259, CVE-2020-26258, CVE-2020-26217)

  • wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)

  • RESTEasy: Caching routes in RootNode may result in DoS (CVE-2020-14326)

  • resteasy-core: resteasy: Error message exposes endpoint class information (CVE-2021-20289)

  • velocity: arbitrary code execution when attacker is able to modify templates (CVE-2020-13936)

  • undertow: buffer leak on incoming websocket PONG message may lead to DoS (CVE-2021-3690)

  • mongodb-driver: mongo-java-driver: client-side field level encryption not verifying KMS host name (CVE-2021-20328)

  • gradle: information disclosure through temporary directory permissions (CVE-2021-29429)

  • json-smart: uncaught exception may lead to crash or information disclosure (CVE-2021-27568)

  • bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible (CVE-2020-28052)

  • jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception (CVE-2020-28491)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

ProductVersionArch
Red Hat IntegrationText-Only Advisoriesx86_64

Fixes

CVEs

References

Additional information