A Red Hat Integration Camel-K 1.4 release and security update has been released.

RHSA-2021:3205-01: Moderate: Red Hat Integration Camel-K 1.4 release and security update

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat Integration Camel-K 1.4 release and security update
Advisory ID: RHSA-2021:3205-01
Product: Red Hat Integration
Advisory URL:   https://access.redhat.com/errata/RHSA-2021:3205
Issue date: 2021-08-18
Cross references: RHBA-2021:79512-01
CVE Names: CVE-2020-13920 CVE-2020-17518 CVE-2020-17521
CVE-2020-26238 CVE-2020-27222 CVE-2020-27782
CVE-2020-28052 CVE-2020-29582 CVE-2021-20218
CVE-2021-27807 CVE-2021-27906 CVE-2021-30468
CVE-2021-31811
=====================================================================

1. Summary:

A minor version update (from 1.3 to 1.4) is now available for Red Hat
Integration Camel K that includes bug fixes and enhancements. The purpose
of this text-only errata is to inform you about the security issues fixed
in this release.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

A minor version update (from 1.3 to 1.4) is now available for Red Hat Camel
K that includes bug fixes and enhancements, which are documented in the
Release Notes document linked to in the References.

Security Fix(es):

* cron-utils: template injection allows attackers to inject arbitrary Java
EL expressions leading to remote code execution (CVE-2020-26238)

* californium-core: DTLS - DoS vulnerability for certificate based
handshakes (CVE-2020-27222)

* undertow: special character in query results in server errors
(CVE-2020-27782)

* bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility
possible (CVE-2020-28052)

* activemq: improper authentication allows MITM attack (CVE-2020-13920)

* flink: apache-flink: directory traversal attack allows remote file
writing through the REST API (CVE-2020-17518)

* groovy: OS temporary directory leads to information disclosure
(CVE-2020-17521)

* kubernetes-client: fabric8-kubernetes-client: vulnerable to a path
traversal leading to integrity and availability compromise (CVE-2021-20218)

* pdfbox: infinite loop while loading a crafted PDF file (CVE-2021-27807)

* cxf-rt-rs-json-basic: CXF: Denial of service vulnerability in parsing
JSON via JsonMapObjectReaderWriter (CVE-2021-30468)

* kotlin-scripting-jvm: kotlin: vulnerable Java API was used for temporary
file and folder creation which could result in information disclosure
(CVE-2020-29582)

* pdfbox: OutOfMemory-Exception while loading a crafted PDF file
(CVE-2021-27906)

* pdfbox: OutOfMemory-Exception while loading a crafted PDF file
(CVE-2021-31811)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

  https://access.redhat.com/articles/11258

4. Bugs fixed (  https://bugzilla.redhat.com/):

1880101 - CVE-2020-13920 activemq: improper authentication allows MITM attack
1901304 - CVE-2020-27782 undertow: special character in query results in server errors
1901655 - CVE-2020-26238 cron-utils: template injection allows attackers to inject arbitrary Java EL expressions leading to remote code execution
1912881 - CVE-2020-28052 bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible
1913312 - CVE-2020-17518 apache-flink: directory traversal attack allows remote file writing through the REST API
1922123 - CVE-2020-17521 groovy: OS temporary directory leads to information disclosure
1923405 - CVE-2021-20218 fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise
1930230 - CVE-2020-27222 californium-core: DTLS - DoS vulnerability for certificate based handshakes
1930291 - CVE-2020-29582 kotlin: vulnerable Java API was used for temporary file and folder creation which could result in information disclosure
1941050 - CVE-2021-27906 pdfbox: OutOfMemory-Exception while loading a crafted PDF file
1941055 - CVE-2021-27807 pdfbox: infinite loop while loading a crafted PDF file
1971648 - CVE-2021-31811 pdfbox: OutOfMemory-Exception while loading a crafted PDF file
1973392 - CVE-2021-30468 CXF: Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter

5. References:

  https://access.redhat.com/security/cve/CVE-2020-13920
  https://access.redhat.com/security/cve/CVE-2020-17518
  https://access.redhat.com/security/cve/CVE-2020-17521
  https://access.redhat.com/security/cve/CVE-2020-26238
  https://access.redhat.com/security/cve/CVE-2020-27222
  https://access.redhat.com/security/cve/CVE-2020-27782
  https://access.redhat.com/security/cve/CVE-2020-28052
  https://access.redhat.com/security/cve/CVE-2020-29582
  https://access.redhat.com/security/cve/CVE-2021-20218
  https://access.redhat.com/security/cve/CVE-2021-27807
  https://access.redhat.com/security/cve/CVE-2021-27906
  https://access.redhat.com/security/cve/CVE-2021-30468
  https://access.redhat.com/security/cve/CVE-2021-31811
  https://access.redhat.com/security/updates/classification/#moderate
  https://access.redhat.com/documentation/en-us/red_hat_integration/2021.q3/html/getting_started_with_camel_k/
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2021-Q3

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.