[RHSA-2021:3205-01] Moderate: Red Hat Integration Camel-K 1.4 release and security update

Security announcements for all Red Hat products and services. rhsa-announce at redhat.com
Wed Aug 18 09:14:07 UTC 2021 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Integration Camel-K 1.4 release and security update
Advisory ID:       RHSA-2021:3205-01
Product:           Red Hat Integration
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3205
Issue date:        2021-08-18
Cross references:  RHBA-2021:79512-01
CVE Names:         CVE-2020-13920 CVE-2020-17518 CVE-2020-17521 
                   CVE-2020-26238 CVE-2020-27222 CVE-2020-27782 
                   CVE-2020-28052 CVE-2020-29582 CVE-2021-20218 
                   CVE-2021-27807 CVE-2021-27906 CVE-2021-30468 
                   CVE-2021-31811 
=====================================================================

1. Summary:

A minor version update (from 1.3 to 1.4) is now available for Red Hat
Integration Camel K that includes bug fixes and enhancements. The purpose
of this text-only errata is to inform you about the security issues fixed
in this release.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

A minor version update (from 1.3 to 1.4) is now available for Red Hat Camel
K that includes bug fixes and enhancements, which are documented in the
Release Notes document linked to in the References.

Security Fix(es):

* cron-utils: template injection allows attackers to inject arbitrary Java
EL expressions leading to remote code execution (CVE-2020-26238)

* californium-core: DTLS - DoS vulnerability for certificate based
handshakes (CVE-2020-27222)

* undertow: special character in query results in server errors
(CVE-2020-27782)

* bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility
possible (CVE-2020-28052)

* activemq: improper authentication allows MITM attack (CVE-2020-13920)

* flink: apache-flink: directory traversal attack allows remote file
writing through the REST API (CVE-2020-17518)

* groovy: OS temporary directory leads to information disclosure
(CVE-2020-17521)

* kubernetes-client: fabric8-kubernetes-client: vulnerable to a path
traversal leading to integrity and availability compromise (CVE-2021-20218)

* pdfbox: infinite loop while loading a crafted PDF file (CVE-2021-27807)

* cxf-rt-rs-json-basic: CXF: Denial of service vulnerability in parsing
JSON via JsonMapObjectReaderWriter (CVE-2021-30468)

* kotlin-scripting-jvm: kotlin: vulnerable Java API was used for temporary
file and folder creation which could result in information disclosure
(CVE-2020-29582)

* pdfbox: OutOfMemory-Exception while loading a crafted PDF file
(CVE-2021-27906)

* pdfbox: OutOfMemory-Exception while loading a crafted PDF file
(CVE-2021-31811)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1880101 - CVE-2020-13920 activemq: improper authentication allows MITM attack
1901304 - CVE-2020-27782 undertow: special character in query results in server errors
1901655 - CVE-2020-26238 cron-utils: template injection allows attackers to inject arbitrary Java EL expressions leading to remote code execution
1912881 - CVE-2020-28052 bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible
1913312 - CVE-2020-17518 apache-flink: directory traversal attack allows remote file writing through the REST API
1922123 - CVE-2020-17521 groovy: OS temporary directory leads to information disclosure
1923405 - CVE-2021-20218 fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise
1930230 - CVE-2020-27222 californium-core: DTLS - DoS vulnerability for certificate based handshakes
1930291 - CVE-2020-29582 kotlin: vulnerable Java API was used for temporary file and folder creation which could result in information disclosure
1941050 - CVE-2021-27906 pdfbox: OutOfMemory-Exception while loading a crafted PDF file
1941055 - CVE-2021-27807 pdfbox: infinite loop while loading a crafted PDF file
1971648 - CVE-2021-31811 pdfbox: OutOfMemory-Exception while loading a crafted PDF file
1973392 - CVE-2021-30468 CXF: Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter

5. References:

https://access.redhat.com/security/cve/CVE-2020-13920
https://access.redhat.com/security/cve/CVE-2020-17518
https://access.redhat.com/security/cve/CVE-2020-17521
https://access.redhat.com/security/cve/CVE-2020-26238
https://access.redhat.com/security/cve/CVE-2020-27222
https://access.redhat.com/security/cve/CVE-2020-27782
https://access.redhat.com/security/cve/CVE-2020-28052
https://access.redhat.com/security/cve/CVE-2020-29582
https://access.redhat.com/security/cve/CVE-2021-20218
https://access.redhat.com/security/cve/CVE-2021-27807
https://access.redhat.com/security/cve/CVE-2021-27906
https://access.redhat.com/security/cve/CVE-2021-30468
https://access.redhat.com/security/cve/CVE-2021-31811
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_integration/2021.q3/html/getting_started_with_camel_k/
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2021-Q3

6. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYRzPW9zjgjWX9erEAQiQhg//Wv8T0xe0RsVX2iYN5d3OYHtnEAFu2iyQ
sLt4E+Ed6nR95DkWfqbC/YIpE2w9UXgZXYG31Roup+zGNYScSpkUliOyH8rPoH2R
TKWcUOQ5FzhDtWvrpss3x7fZ9dCXw6d38FRPCLby9Z05I9fLGTjqRcZQr7W3jz9t
xiTdEhGKED4cgnwpPkUIBiSOF5bAhDAhYmXw0e2wvm/1XhhAOcA85U0d0Ac9lLjS
y07agVx5UZxEDd5rT7ATPlJwfprNQUJKb5Zg+RCOEs5vLMVRHajuW7rG0z+FfhdK
ckz3nektLdOJDcaZj/MdjqB+MZtuXJ48WzBnmKRpCeS/FIOp9XrM0xjrYjCB1Eu6
ls03UI6sbg0zi+fw995mNNoKoq7ErEzKGN1ROh693P0fNGJkvxDopP3GEChTjsMZ
PJTOyKQyRQ4B5OXmemsoBiwiggmCX3E0rvF1dNCfYA4kWRth/B4A3MaTvpcnm1kO
rZKRbCLDQ2rCbtyKLSn/vROi6RYn/4wtz3IudJCZsZXWVAh48iGhLPxYwxabwbyi
rgcslBGkdjdlC+RhKmlPnDyV+q0P+uPupoRCaMKBsIZwdfO9oUZ3Zq/FqfVsab/L
5rv8NunH7+HHXMEx6wBNfqLtQ0pvCmJu/lD719jibgIgK0zZ00tQ54Z25X38C0v6
tw7zI6hjLQY=
=rVez
-----END PGP SIGNATURE-----

More information about the RHSA-announce mailing list