Red Hat 9062 Published by

Red Hat 3scale API Management 2.11.0 Release - Container Images are available.



RHSA-2021:3851-01: Important: Red Hat 3scale API Management 2.11.0 Release - Container Images



=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat 3scale API Management 2.11.0 Release - Container Images
Advisory ID: RHSA-2021:3851-01
Product: 3scale API Management
Advisory URL:   https://access.redhat.com/errata/RHSA-2021:3851
Issue date: 2021-10-14
CVE Names: CVE-2020-8911 CVE-2020-8912 CVE-2021-3442
CVE-2021-3653 CVE-2021-3715 CVE-2021-22922
CVE-2021-22923 CVE-2021-22924 CVE-2021-27218
CVE-2021-36222 CVE-2021-37750
=====================================================================

1. Summary:

Red Hat 3scale API Management 2.11.0 Release - Container Images
A security update for Red Hat 3scale API Management is now available from
the Red Hat Container Catalog.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
listed as CVE link(s) in the References section.

2. Description:

Red Hat 3scale API Management delivers centralized API management features
through a distributed, cloud-hosted layer. It includes built-in features to
help in building a more successful API program, including access control,
rate limits, payment gateway integration, and developer experience tools.

This advisory is intended to use with Container Images, for Red Hat 3scale
API Management 2.11.0.

Security Fixes:

* PT RHOAM: XSS in 3scale at various places (CVE-2021-3442)

* aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto SDK for golang
(CVE-2020-8911)

* aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto SDK for golang
(CVE-2020-8912)

For more details about the security issues, including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
pages listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

  https://access.redhat.com/documentation/en-us/red_hat_3scale_api_management
/2.11/html-single/installing_3scale/index

4. Bugs fixed (  https://bugzilla.redhat.com/):

1869800 - CVE-2020-8911 aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto SDK for golang
1869801 - CVE-2020-8912 aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto SDK for golang
1930083 - CVE-2021-3442 PT RHOAM: XSS in 3scale at various places

5. References:

  https://access.redhat.com/security/cve/CVE-2020-8911
  https://access.redhat.com/security/cve/CVE-2020-8912
  https://access.redhat.com/security/cve/CVE-2021-3442
  https://access.redhat.com/security/cve/CVE-2021-3653
  https://access.redhat.com/security/cve/CVE-2021-3715
  https://access.redhat.com/security/cve/CVE-2021-22922
  https://access.redhat.com/security/cve/CVE-2021-22923
  https://access.redhat.com/security/cve/CVE-2021-22924
  https://access.redhat.com/security/cve/CVE-2021-27218
  https://access.redhat.com/security/cve/CVE-2021-36222
  https://access.redhat.com/security/cve/CVE-2021-37750
  https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.