[RHSA-2021:0433-01] Moderate: Red Hat Data Grid 8.1.1 security update
Security announcements for all Red Hat products and services.
rhsa-announce at redhat.com
Mon Feb 8 12:56:22 UTC 2021
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat Data Grid 8.1.1 security update
Advisory ID: RHSA-2021:0433-01
Product: Red Hat JBoss Data Grid
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0433
Issue date: 2021-02-08
CVE Names: CVE-2020-25644 CVE-2020-25711 CVE-2020-26217
=====================================================================
1. Summary:
A security update for Red Hat Data Grid is now available.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
Red Hat Data Grid is a distributed, in-memory data store.
This release of Red Hat Data Grid 8.1.1 serves as a replacement for Red Hat
Data Grid 8.1.0, and includes bug fixes and enhancements, which are
documented in the Release Notes document linked to in the References.
Security Fix(es):
* wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL
(CVE-2020-25644)
* XStream: remote code execution due to insecure XML deserialization when
relying on blocklists (CVE-2020-26217)
* infinispan: authorization check missing for server management operations
(CVE-2020-25711)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
Refer to the Data Grid 8.1 Upgrade Guide for instructions on upgrading to
this version.
The References section of this erratum contains a download link (you must
log in to download the update).
4. Bugs fixed (https://bugzilla.redhat.com/):
1885485 - CVE-2020-25644 wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL
1897618 - CVE-2020-25711 infinispan: authorization check missing for server management operations
1898907 - CVE-2020-26217 XStream: remote code execution due to insecure XML deserialization when relying on blocklists
5. References:
https://access.redhat.com/security/cve/CVE-2020-25644
https://access.redhat.com/security/cve/CVE-2020-25711
https://access.redhat.com/security/cve/CVE-2020-26217
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=securityPatches&version=8.1
https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.1/html/upgrading_data_grid/
6. Contact:
The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYCE08tzjgjWX9erEAQiczA//cBXSGydb50uqm54n7mRr650w/tX/KeGy
IFa++dkIoJP5aF+nkK46Z+WqSpO+TnPcq4QgOHT0z2211J8smOk1UwRzarogrR+I
WkfzO4+r/2oAYJHF9vB8wlYbnFIqaOqCu3MwO+1a58A2ECOZXAKs4EivEMdcvp1+
7VbnMU2GsgZUvVMsRPRitTJGkkL14UwYP/MZCHQRfdbrbOopjjSYCUt1hzpFmPIu
4tJCvkArKIHksXdBtbb+Y+PFop05hySRDp8ed1bJPcD8+6Lv8ezVh/i1YMdBFJ7F
Nq6T7g3InpueJflvfLooZ6Nlf8T+Ar8Dsv6e+6kmSpUQPxgAZJEeNSZBdvbRwVIE
O8YqK4nWxxi5R1YehjuR4ax42D3rv+ZWuL8pmr90uDMcmpCp4uM8SEfmEkbhyeVQ
UMYmv9oJW2oayvGlKvCkdFoLcN6kdkLmHIAPqdh8QnyuG6GlAxozsJ+566k4gWgI
HYLY62IOBHbsBE9dzCIqBSk3/+GvGmnzdEQd+R6a/xRmQ83In2J6BzGbZkzkOvUj
4rqS74Q2YV+hG4PRtlRO9EDolYOLARMW1qJQrWtbwdgXDt9mjPEPXw9FoHpUYitz
c0wPDE5hbdp8uwarYP7SuHXLRrCBedHx0reGQyHzBtrJtfqRPWVKd43jeUkUt22R
R/ZChTj5mZQ=
=m0Gn
-----END PGP SIGNATURE-----
More information about the RHSA-announce
mailing list