Red Hat 9062 Published by

A Red Hat Data Grid 8.1.1 security update has been released.



RHSA-2021:0433-01: Moderate: Red Hat Data Grid 8.1.1 security update



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat Data Grid 8.1.1 security update
Advisory ID: RHSA-2021:0433-01
Product: Red Hat JBoss Data Grid
Advisory URL:   https://access.redhat.com/errata/RHSA-2021:0433
Issue date: 2021-02-08
CVE Names: CVE-2020-25644 CVE-2020-25711 CVE-2020-26217
=====================================================================

1. Summary:

A security update for Red Hat Data Grid is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat Data Grid is a distributed, in-memory data store.

This release of Red Hat Data Grid 8.1.1 serves as a replacement for Red Hat
Data Grid 8.1.0, and includes bug fixes and enhancements, which are
documented in the Release Notes document linked to in the References.

Security Fix(es):

* wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL
(CVE-2020-25644)

* XStream: remote code execution due to insecure XML deserialization when
relying on blocklists (CVE-2020-26217)

* infinispan: authorization check missing for server management operations
(CVE-2020-25711)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Refer to the Data Grid 8.1 Upgrade Guide for instructions on upgrading to
this version.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (  https://bugzilla.redhat.com/):

1885485 - CVE-2020-25644 wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL
1897618 - CVE-2020-25711 infinispan: authorization check missing for server management operations
1898907 - CVE-2020-26217 XStream: remote code execution due to insecure XML deserialization when relying on blocklists

5. References:

  https://access.redhat.com/security/cve/CVE-2020-25644
  https://access.redhat.com/security/cve/CVE-2020-25711
  https://access.redhat.com/security/cve/CVE-2020-26217
  https://access.redhat.com/security/updates/classification/#moderate
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=securityPatches&version=8.1
  https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.1/html/upgrading_data_grid/

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.