[RHSA-2021:4767-03] Moderate: Red Hat Integration Camel Extensions for Quarkus GA security update

Tue Nov 23 14:41:30 UTC 2021

Red Hat Integration Camel Extensions for Quarkus 2.2 is now GA. The purpose
of this text-only errata is to inform you about the security issues fixed
since the tech preview 2 release.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

This release of Red Hat Integration - Camel Extensions for Quarkus - 2.2 GA
serves as a replacement for tech-preview 2, and includes bug fixes and
enhancements, which are documented in the Release Notes document linked to
in the References.

Security Fix(es):

* jetty (CVE-2021-28163, CVE-2020-27218, CVE-2020-27223, CVE-2021-28164,
CVE-2021-28169, CVE-2021-28165, CVE-2021-34428, CVE-2021-34428)

* undertow: potential security issue in flow control over HTTP/2 may lead
to DOS (CVE-2021-3629)

* xstream (CVE-2021-39144, CVE-2021-39141, CVE-2021-39154, CVE-2021-39153,
CVE-2021-39152, CVE-2021-39151, CVE-2021-39150, CVE-2021-39149,
CVE-2021-39148, CVE-2021-39147, CVE-2021-39146, CVE-2021-39145,
CVE-2021-39140, CVE-2021-39139, CVE-2021-21351, CVE-2021-21350,
CVE-2021-21349, CVE-2021-21348, CVE-2021-21347, CVE-2021-21346,
CVE-2021-21345, CVE-2021-21344, CVE-2021-21343, CVE-2021-21342,
CVE-2021-21341, CVE-2021-29505, CVE-2020-26259, CVE-2020-26258,
CVE-2020-26217)

* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)

* RESTEasy: Caching routes in RootNode may result in DoS (CVE-2020-14326)

* resteasy-core: resteasy: Error message exposes endpoint class information
(CVE-2021-20289)

* velocity: arbitrary code execution when attacker is able to modify
templates (CVE-2020-13936)

* undertow: buffer leak on incoming websocket PONG message may lead to DoS
(CVE-2021-3690)

* mongodb-driver: mongo-java-driver: client-side field level encryption not
verifying KMS host name (CVE-2021-20328)

* gradle: information disclosure through temporary directory permissions
(CVE-2021-29429)

* json-smart: uncaught exception may lead to crash or information
disclosure (CVE-2021-27568)

* bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility
possible (CVE-2020-28052)

* jackson-dataformat-cbor:  Unchecked allocation of byte buffer can cause a
java.lang.OutOfMemoryError exception (CVE-2020-28491)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1855826 - CVE-2020-14326 RESTEasy: Caching routes in RootNode may result in DoS
1898907 - CVE-2020-26217 XStream: remote code execution due to insecure XML deserialization when relying on blocklists
1902826 - CVE-2020-27218 jetty: buffer not correctly recycled in Gzip Request inflation
1908832 - CVE-2020-26258 XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling
1908837 - CVE-2020-26259 XStream: arbitrary file deletion on the local host when unmarshalling
1912881 - CVE-2020-28052 bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible
1930423 - CVE-2020-28491 jackson-dataformat-cbor:  Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception
1934116 - CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS
1934236 - CVE-2021-20328 mongo-java-driver: client-side field level encryption not verifying KMS host name
1935927 - CVE-2021-20289 resteasy: Error message exposes endpoint class information
1937440 - CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates
1939839 - CVE-2021-27568 json-smart: uncaught exception may lead to crash or information disclosure
1942539 - CVE-2021-21341 XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream
1942545 - CVE-2021-21342 XStream: SSRF via crafted input stream
1942550 - CVE-2021-21343 XStream: arbitrary file deletion on the local host via crafted input stream
1942554 - CVE-2021-21344 XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet
1942558 - CVE-2021-21345 XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry
1942578 - CVE-2021-21346 XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue
1942629 - CVE-2021-21347 XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator
1942633 - CVE-2021-21348 XStream: ReDoS vulnerability
1942635 - CVE-2021-21349 XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host
1942637 - CVE-2021-21350 XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader
1942642 - CVE-2021-21351 XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream
1945710 - CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents
1945712 - CVE-2021-28164 jetty: Ambiguous paths can access WEB-INF
1945714 - CVE-2021-28165 jetty: Resource exhaustion when receiving an invalid large TLS frame
1949636 - CVE-2021-29429 gradle: information disclosure through temporary directory permissions
1966735 - CVE-2021-29505 XStream: remote command execution attack by manipulating the processed input stream
1971016 - CVE-2021-28169 jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory
1974891 - CVE-2021-34428 jetty: SessionListener can prevent a session from being invalidated breaking logout
1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS
1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer
1991299 - CVE-2021-3690 undertow: buffer leak on incoming websocket PONG message may lead to DoS
1997763 - CVE-2021-39139 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl
1997765 - CVE-2021-39140 xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler
1997769 - CVE-2021-39141 xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*
1997772 - CVE-2021-39144 xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.*
1997775 - CVE-2021-39145 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration
1997777 - CVE-2021-39146 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue
1997779 - CVE-2021-39147 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration
1997781 - CVE-2021-39148 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator
1997784 - CVE-2021-39149 xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.*
1997786 - CVE-2021-39150 xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*
1997791 - CVE-2021-39151 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration
1997793 - CVE-2021-39152 xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData
1997795 - CVE-2021-39153 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl
1997801 - CVE-2021-39154 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue

5. References:

https://access.redhat.com/security/cve/CVE-2020-13936
https://access.redhat.com/security/cve/CVE-2020-14326
https://access.redhat.com/security/cve/CVE-2020-26217
https://access.redhat.com/security/cve/CVE-2020-26258
https://access.redhat.com/security/cve/CVE-2020-26259
https://access.redhat.com/security/cve/CVE-2020-27218
https://access.redhat.com/security/cve/CVE-2020-27223
https://access.redhat.com/security/cve/CVE-2020-28052
https://access.redhat.com/security/cve/CVE-2020-28491
https://access.redhat.com/security/cve/CVE-2021-3629
https://access.redhat.com/security/cve/CVE-2021-3642
https://access.redhat.com/security/cve/CVE-2021-3690
https://access.redhat.com/security/cve/CVE-2021-20289
https://access.redhat.com/security/cve/CVE-2021-20328
https://access.redhat.com/security/cve/CVE-2021-21341
https://access.redhat.com/security/cve/CVE-2021-21342
https://access.redhat.com/security/cve/CVE-2021-21343
https://access.redhat.com/security/cve/CVE-2021-21344
https://access.redhat.com/security/cve/CVE-2021-21345
https://access.redhat.com/security/cve/CVE-2021-21346
https://access.redhat.com/security/cve/CVE-2021-21347
https://access.redhat.com/security/cve/CVE-2021-21348
https://access.redhat.com/security/cve/CVE-2021-21349
https://access.redhat.com/security/cve/CVE-2021-21350
https://access.redhat.com/security/cve/CVE-2021-21351
https://access.redhat.com/security/cve/CVE-2021-27568
https://access.redhat.com/security/cve/CVE-2021-28163
https://access.redhat.com/security/cve/CVE-2021-28164
https://access.redhat.com/security/cve/CVE-2021-28165
https://access.redhat.com/security/cve/CVE-2021-28169
https://access.redhat.com/security/cve/CVE-2021-29429
https://access.redhat.com/security/cve/CVE-2021-29505
https://access.redhat.com/security/cve/CVE-2021-34428
https://access.redhat.com/security/cve/CVE-2021-39139
https://access.redhat.com/security/cve/CVE-2021-39140
https://access.redhat.com/security/cve/CVE-2021-39141
https://access.redhat.com/security/cve/CVE-2021-39144
https://access.redhat.com/security/cve/CVE-2021-39145
https://access.redhat.com/security/cve/CVE-2021-39146
https://access.redhat.com/security/cve/CVE-2021-39147
https://access.redhat.com/security/cve/CVE-2021-39148
https://access.redhat.com/security/cve/CVE-2021-39149
https://access.redhat.com/security/cve/CVE-2021-39150
https://access.redhat.com/security/cve/CVE-2021-39151
https://access.redhat.com/security/cve/CVE-2021-39152
https://access.redhat.com/security/cve/CVE-2021-39153
https://access.redhat.com/security/cve/CVE-2021-39154
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_integration/2021.q4/html-single/getting_started_with_camel_quarkus_extensions/
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2021-Q4

6. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYZz9mdzjgjWX9erEAQhd7Q/+KypKPUeD2ek8SbZvKhUsRz4jCWnDxLTH
9Q0itGtRZLGubEatxj+EkOg4Zqg9m2BpmLQfLrnLuDCBLlcdV6GoWkAIQr7Vg88h
VI5bah1uLsgRrGmFvY3KY0Ghow2BAid7rzd2sah8lNPVk1AsUph/HkzCvWwm1xw1
Zvoo+0bvs3QAQ6IGQHklO5PYWw2/rjVMEAuE8DmSOMEhgWWJzI4Y9vXl1n6dX/BY
EK4gKU23wBOK9ZB/t97X1hCdWMIT5QoQ8xejYgslheMdgHc/cFmTmh+kNzMTwwCI
OkL4xYyCfiEM0NuJsAo4sHnRAVJEngdWc1/Cx0sWzdZNKW9aVFklciPqL/w7i4vb
Z6dB9A7ezBa9SFPW6okSIAUEPU9e5HdMwH/qAM6N6LYB7fZhNpgR8a9QWTmAEJlc
haDlLwJhbqouEDvWnaJ7ZCsCmSltLES94sezLIzwBvYsn67lJhLzg803gxwG6F6b
q17H40IeSOffh8NX1L2dJDyU3y5N88FhKPEWISkKde3mntz+DLC0OVXfEuLYaLkx
BybTlsuiA9sRhh/oZZYVotUGvaeZiiNBGr/B6rsHMWynuD9uvT04Kz2kucdcB5tE
c5dHeJyUTqdpBdRPer5Ld6lpkqCoTguEaCfoIQ6NmwnZpcNcULkOm3i0h4dNbtJf
QfTF06xoxe4=
=kZG0
-----END PGP SIGNATURE-----