[RHSA-2021:3207-01] Moderate: Red Hat Integration Camel Quarkus Tech-Preview 2 security update

Security announcements for all Red Hat products and services. rhsa-announce at redhat.com
Wed Aug 18 09:55:08 UTC 2021 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Integration Camel Quarkus Tech-Preview 2 security update
Advisory ID:       RHSA-2021:3207-01
Product:           Red Hat Integration
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3207
Issue date:        2021-08-18
CVE Names:         CVE-2020-13920 CVE-2020-17518 CVE-2020-17521 
                   CVE-2020-26238 CVE-2020-27222 CVE-2020-27782 
                   CVE-2020-29582 CVE-2021-20218 
=====================================================================

1. Summary:

An update to the Red Hat Integration Camel Quarkus tech preview is now
available. The purpose of this text-only errata is to inform you about the
security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

This release of Red Hat Integration - Camel Quarkus - 1.8.1 tech-preview 2
serves as a replacement for tech-preview 1, and includes bug fixes and
enhancements, which are documented in the Release Notes document linked to
in the References.

Security Fix(es):

* cron-utils: template injection allows attackers to inject arbitrary Java
EL expressions leading to remote code execution (CVE-2020-26238)

* californium-core: DTLS - DoS vulnerability for certificate based
handshakes (CVE-2020-27222)

* undertow: special character in query results in server errors
(CVE-2020-27782)

* activemq: improper authentication allows MITM attack (CVE-2020-13920)

* flink: apache-flink: directory traversal attack allows remote file
writing through the REST API (CVE-2020-17518)

* groovy: OS temporary directory leads to information disclosure
(CVE-2020-17521)

* kubernetes-client: fabric8-kubernetes-client: vulnerable to a path
traversal leading to integrity and availability compromise (CVE-2021-20218)

* kotlin-scripting-jvm: kotlin: vulnerable Java API was used for temporary
file and folder creation which could result in information disclosure
(CVE-2020-29582)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1880101 - CVE-2020-13920 activemq: improper authentication allows MITM attack
1901304 - CVE-2020-27782 undertow: special character in query results in server errors
1901655 - CVE-2020-26238 cron-utils: template injection allows attackers to inject arbitrary Java EL expressions leading to remote code execution
1913312 - CVE-2020-17518 apache-flink: directory traversal attack allows remote file writing through the REST API
1922123 - CVE-2020-17521 groovy: OS temporary directory leads to information disclosure
1923405 - CVE-2021-20218 fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise
1930230 - CVE-2020-27222 californium-core: DTLS - DoS vulnerability for certificate based handshakes
1930291 - CVE-2020-29582 kotlin: vulnerable Java API was used for temporary file and folder creation which could result in information disclosure

5. References:

https://access.redhat.com/security/cve/CVE-2020-13920
https://access.redhat.com/security/cve/CVE-2020-17518
https://access.redhat.com/security/cve/CVE-2020-17521
https://access.redhat.com/security/cve/CVE-2020-26238
https://access.redhat.com/security/cve/CVE-2020-27222
https://access.redhat.com/security/cve/CVE-2020-27782
https://access.redhat.com/security/cve/CVE-2020-29582
https://access.redhat.com/security/cve/CVE-2021-20218
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_integration/2021.q3/html-single/getting_started_with_camel_quarkus_extensions/
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2021-Q3

6. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYRzY99zjgjWX9erEAQgMhBAApCbodP6PTQTrPhyuwqnvBg/g+tUJj374
68yM9vDZCtUFhg4d8NQetIHLV8UB0VVToZOP20qdW13WL2zihJ2boB4ICA7EqzGF
IKyqYDwWgA2nWxs27L3tLAvjZzLdgyAvxvkP5+NdZZr14NU+Kh2jK6XrYNPSsSnd
EZL14HtXRUSScTZEx/hJbIBjF4tBqVIYj5PO56qXFHj0iyvWPWCIfDYAm690lOXs
7vX44B1saVkLg9aanxTXmpoai0eN8ABRUXWcpxVLdmJguKptr1cL70CRXdNadnk6
SYjZ1sqhJbW6QgyXI8HyywNpFicWH4+rPwd8QtIyFqdVysL5dp+KAdYhsRHT2No5
/RV0YLGDUM+dEpYxKzHAkrnIbencpuebUgfe/FG2PmcfS7lGzc4SCA2sgdbwcVpx
E2vFW5GHIPRy4//hZvMAF1NSYl3Sg0iHpkV26jd/6DO6knt3Jv1pox3iOnOj4Tdt
zHRvj0Lv8NzLlIffTXp6CbPqZfnoQln32vwUFqyOaRp7wygLTJTXoOzmkhkExo0Q
rOeQhFT/bXWBPRygRcPB5VueWGF2msV3g8tk0QjDWve8btYmX0NJz78QeqpEggLT
E5b74YktBGPgYeKG2LB62zJdGDtab8397HtpnRp5QLuAXBieemb4Dw+9F80warrd
BFInpl8U+m8=
=cI6f
-----END PGP SIGNATURE-----

More information about the RHSA-announce mailing list