A Red Hat Integration Camel Quarkus Tech-Preview 2 security update has been released.
RHSA-2021:3207-01: Moderate: Red Hat Integration Camel Quarkus Tech-Preview 2 security update
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat Integration Camel Quarkus Tech-Preview 2 security update
Advisory ID: RHSA-2021:3207-01
Product: Red Hat Integration
Advisory URL: https://access.redhat.com/errata/RHSA-2021:3207
Issue date: 2021-08-18
CVE Names: CVE-2020-13920 CVE-2020-17518 CVE-2020-17521
CVE-2020-26238 CVE-2020-27222 CVE-2020-27782
CVE-2020-29582 CVE-2021-20218
=====================================================================
1. Summary:
An update to the Red Hat Integration Camel Quarkus tech preview is now
available. The purpose of this text-only errata is to inform you about the
security issues fixed in this release.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
This release of Red Hat Integration - Camel Quarkus - 1.8.1 tech-preview 2
serves as a replacement for tech-preview 1, and includes bug fixes and
enhancements, which are documented in the Release Notes document linked to
in the References.
Security Fix(es):
* cron-utils: template injection allows attackers to inject arbitrary Java
EL expressions leading to remote code execution (CVE-2020-26238)
* californium-core: DTLS - DoS vulnerability for certificate based
handshakes (CVE-2020-27222)
* undertow: special character in query results in server errors
(CVE-2020-27782)
* activemq: improper authentication allows MITM attack (CVE-2020-13920)
* flink: apache-flink: directory traversal attack allows remote file
writing through the REST API (CVE-2020-17518)
* groovy: OS temporary directory leads to information disclosure
(CVE-2020-17521)
* kubernetes-client: fabric8-kubernetes-client: vulnerable to a path
traversal leading to integrity and availability compromise (CVE-2021-20218)
* kotlin-scripting-jvm: kotlin: vulnerable Java API was used for temporary
file and folder creation which could result in information disclosure
(CVE-2020-29582)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
4. Bugs fixed ( https://bugzilla.redhat.com/):
1880101 - CVE-2020-13920 activemq: improper authentication allows MITM attack
1901304 - CVE-2020-27782 undertow: special character in query results in server errors
1901655 - CVE-2020-26238 cron-utils: template injection allows attackers to inject arbitrary Java EL expressions leading to remote code execution
1913312 - CVE-2020-17518 apache-flink: directory traversal attack allows remote file writing through the REST API
1922123 - CVE-2020-17521 groovy: OS temporary directory leads to information disclosure
1923405 - CVE-2021-20218 fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise
1930230 - CVE-2020-27222 californium-core: DTLS - DoS vulnerability for certificate based handshakes
1930291 - CVE-2020-29582 kotlin: vulnerable Java API was used for temporary file and folder creation which could result in information disclosure
5. References:
https://access.redhat.com/security/cve/CVE-2020-13920
https://access.redhat.com/security/cve/CVE-2020-17518
https://access.redhat.com/security/cve/CVE-2020-17521
https://access.redhat.com/security/cve/CVE-2020-26238
https://access.redhat.com/security/cve/CVE-2020-27222
https://access.redhat.com/security/cve/CVE-2020-27782
https://access.redhat.com/security/cve/CVE-2020-29582
https://access.redhat.com/security/cve/CVE-2021-20218
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_integration/2021.q3/html-single/getting_started_with_camel_quarkus_extensions/
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2021-Q3
6. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.