Red Hat 9062 Published by

A Red Hat Integration Camel Quarkus Tech-Preview 2 security update has been released.



RHSA-2021:3207-01: Moderate: Red Hat Integration Camel Quarkus Tech-Preview 2 security update



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat Integration Camel Quarkus Tech-Preview 2 security update
Advisory ID: RHSA-2021:3207-01
Product: Red Hat Integration
Advisory URL:   https://access.redhat.com/errata/RHSA-2021:3207
Issue date: 2021-08-18
CVE Names: CVE-2020-13920 CVE-2020-17518 CVE-2020-17521
CVE-2020-26238 CVE-2020-27222 CVE-2020-27782
CVE-2020-29582 CVE-2021-20218
=====================================================================

1. Summary:

An update to the Red Hat Integration Camel Quarkus tech preview is now
available. The purpose of this text-only errata is to inform you about the
security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

This release of Red Hat Integration - Camel Quarkus - 1.8.1 tech-preview 2
serves as a replacement for tech-preview 1, and includes bug fixes and
enhancements, which are documented in the Release Notes document linked to
in the References.

Security Fix(es):

* cron-utils: template injection allows attackers to inject arbitrary Java
EL expressions leading to remote code execution (CVE-2020-26238)

* californium-core: DTLS - DoS vulnerability for certificate based
handshakes (CVE-2020-27222)

* undertow: special character in query results in server errors
(CVE-2020-27782)

* activemq: improper authentication allows MITM attack (CVE-2020-13920)

* flink: apache-flink: directory traversal attack allows remote file
writing through the REST API (CVE-2020-17518)

* groovy: OS temporary directory leads to information disclosure
(CVE-2020-17521)

* kubernetes-client: fabric8-kubernetes-client: vulnerable to a path
traversal leading to integrity and availability compromise (CVE-2021-20218)

* kotlin-scripting-jvm: kotlin: vulnerable Java API was used for temporary
file and folder creation which could result in information disclosure
(CVE-2020-29582)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

  https://access.redhat.com/articles/11258

4. Bugs fixed (  https://bugzilla.redhat.com/):

1880101 - CVE-2020-13920 activemq: improper authentication allows MITM attack
1901304 - CVE-2020-27782 undertow: special character in query results in server errors
1901655 - CVE-2020-26238 cron-utils: template injection allows attackers to inject arbitrary Java EL expressions leading to remote code execution
1913312 - CVE-2020-17518 apache-flink: directory traversal attack allows remote file writing through the REST API
1922123 - CVE-2020-17521 groovy: OS temporary directory leads to information disclosure
1923405 - CVE-2021-20218 fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise
1930230 - CVE-2020-27222 californium-core: DTLS - DoS vulnerability for certificate based handshakes
1930291 - CVE-2020-29582 kotlin: vulnerable Java API was used for temporary file and folder creation which could result in information disclosure

5. References:

  https://access.redhat.com/security/cve/CVE-2020-13920
  https://access.redhat.com/security/cve/CVE-2020-17518
  https://access.redhat.com/security/cve/CVE-2020-17521
  https://access.redhat.com/security/cve/CVE-2020-26238
  https://access.redhat.com/security/cve/CVE-2020-27222
  https://access.redhat.com/security/cve/CVE-2020-27782
  https://access.redhat.com/security/cve/CVE-2020-29582
  https://access.redhat.com/security/cve/CVE-2021-20218
  https://access.redhat.com/security/updates/classification/#moderate
  https://access.redhat.com/documentation/en-us/red_hat_integration/2021.q3/html-single/getting_started_with_camel_quarkus_extensions/
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2021-Q3

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.