Red Hat 9062 Published by

A Red Hat Data Grid 8.2.0 security update has been released.



RHSA-2021:2139-01: Critical: Red Hat Data Grid 8.2.0 security update



=====================================================================
Red Hat Security Advisory

Synopsis: Critical: Red Hat Data Grid 8.2.0 security update
Advisory ID: RHSA-2021:2139-01
Product: Red Hat JBoss Data Grid
Advisory URL:   https://access.redhat.com/errata/RHSA-2021:2139
Issue date: 2021-05-26
CVE Names: CVE-2020-10771 CVE-2020-26258 CVE-2020-26259
CVE-2021-21290 CVE-2021-21295 CVE-2021-21341
CVE-2021-21342 CVE-2021-21343 CVE-2021-21344
CVE-2021-21345 CVE-2021-21346 CVE-2021-21347
CVE-2021-21348 CVE-2021-21349 CVE-2021-21350
CVE-2021-21351 CVE-2021-21409 CVE-2021-31917
=====================================================================

1. Summary:

A security update for Red Hat Data Grid is now available.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat Data Grid is a distributed, in-memory data store.

This release of Red Hat Data Grid 8.2.0 serves as a replacement for Red Hat
Data Grid 8.1.1, and includes bug fixes and enhancements, which are
documented in the Release Notes document linked to in the References.

Security Fix(es):

* Infinispan: Authentication bypass on REST endpoints when using DIGEST
authentication mechanism (CVE-2021-31917)

* XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet
(CVE-2021-21344)

* XStream: Unsafe deserizaliation of
com.sun.corba.se.impl.activation.ServerTableEntry (CVE-2021-21345)

* XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue
(CVE-2021-21346)

* XStream: Unsafe deserizaliation of
com.sun.tools.javac.processing.JavacProcessingEnvironment
NameProcessIterator (CVE-2021-21347)

* XStream: Unsafe deserizaliation of
com.sun.org.apache.bcel.internal.util.ClassLoader (CVE-2021-21350)

* Infinispan: Actions with effects should not be permitted via GET requests
using REST API (CVE-2020-10771)

* XStream: Server-Side Forgery Request vulnerability can be activated when
unmarshalling (CVE-2020-26258)

* XStream: arbitrary file deletion on the local host when unmarshalling
(CVE-2020-26259)

* netty: Information disclosure via the local system temporary directory
(CVE-2021-21290)

* netty: possible request smuggling in HTTP/2 due missing validation
(CVE-2021-21295)

* XStream: allow a remote attacker to cause DoS only by manipulating the
processed input stream (CVE-2021-21341)

* XStream: SSRF via crafted input stream (CVE-2021-21342)

* XStream: arbitrary file deletion on the local host via crafted input
stream (CVE-2021-21343)

* XStream: ReDoS vulnerability (CVE-2021-21348)

* XStream: SSRF can be activated unmarshalling with XStream to access data
streams from an arbitrary URL referencing a resource in an intranet or the
local host (CVE-2021-21349)

* XStream: allow a remote attacker to load and execute arbitrary code from
a remote host only by manipulating the processed input stream
(CVE-2021-21351)

* netty: Request smuggling via content-length header (CVE-2021-21409)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to
this version.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (  https://bugzilla.redhat.com/):

1846293 - CVE-2020-10771 Infinispan: Actions with effects should not be permitted via GET requests using REST API
1908832 - CVE-2020-26258 XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling
1908837 - CVE-2020-26259 XStream: arbitrary file deletion on the local host when unmarshalling
1927028 - CVE-2021-21290 netty: Information disclosure via the local system temporary directory
1937364 - CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation
1942539 - CVE-2021-21341 XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream
1942545 - CVE-2021-21342 XStream: SSRF via crafted input stream
1942550 - CVE-2021-21343 XStream: arbitrary file deletion on the local host via crafted input stream
1942554 - CVE-2021-21344 XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet
1942558 - CVE-2021-21345 XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry
1942578 - CVE-2021-21346 XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue
1942629 - CVE-2021-21347 XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator
1942633 - CVE-2021-21348 XStream: ReDoS vulnerability
1942635 - CVE-2021-21349 XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host
1942637 - CVE-2021-21350 XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader
1942642 - CVE-2021-21351 XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream
1944888 - CVE-2021-21409 netty: Request smuggling via content-length header
1955113 - CVE-2021-31917 Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism

5. References:

  https://access.redhat.com/security/cve/CVE-2020-10771
  https://access.redhat.com/security/cve/CVE-2020-26258
  https://access.redhat.com/security/cve/CVE-2020-26259
  https://access.redhat.com/security/cve/CVE-2021-21290
  https://access.redhat.com/security/cve/CVE-2021-21295
  https://access.redhat.com/security/cve/CVE-2021-21341
  https://access.redhat.com/security/cve/CVE-2021-21342
  https://access.redhat.com/security/cve/CVE-2021-21343
  https://access.redhat.com/security/cve/CVE-2021-21344
  https://access.redhat.com/security/cve/CVE-2021-21345
  https://access.redhat.com/security/cve/CVE-2021-21346
  https://access.redhat.com/security/cve/CVE-2021-21347
  https://access.redhat.com/security/cve/CVE-2021-21348
  https://access.redhat.com/security/cve/CVE-2021-21349
  https://access.redhat.com/security/cve/CVE-2021-21350
  https://access.redhat.com/security/cve/CVE-2021-21351
  https://access.redhat.com/security/cve/CVE-2021-21409
  https://access.redhat.com/security/cve/CVE-2021-31917
  https://access.redhat.com/security/updates/classification/#critical
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=data.grid&version=8.2
  https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.2/html/upgrading_data_grid/

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.