Red Hat 9062 Published by

A Red Hat Integration Camel-K 1.6 release and security update has been released.



RHSA-2021:4918-03: Moderate: Red Hat Integration Camel-K 1.6 release and security update



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat Integration Camel-K 1.6 release and security update
Advisory ID: RHSA-2021:4918-01
Product: Red Hat Integration
Advisory URL:   https://access.redhat.com/errata/RHSA-2021:4918
Issue date: 2021-12-02
Cross references: RHBA-2021:79512-01
CVE Names: CVE-2020-13936 CVE-2020-14326 CVE-2020-28491
CVE-2021-20328 CVE-2021-21341 CVE-2021-21342
CVE-2021-21343 CVE-2021-21344 CVE-2021-21345
CVE-2021-21346 CVE-2021-21347 CVE-2021-21348
CVE-2021-21350 CVE-2021-21351 CVE-2021-22118
CVE-2021-27568 CVE-2021-29505 CVE-2021-31812
CVE-2021-39139 CVE-2021-39140 CVE-2021-39141
CVE-2021-39144 CVE-2021-39145 CVE-2021-39146
CVE-2021-39147 CVE-2021-39148 CVE-2021-39149
CVE-2021-39150 CVE-2021-39151 CVE-2021-39152
CVE-2021-39153 CVE-2021-39154
=====================================================================

1. Summary:

A minor version update (from 1.4.2 to 1.6) is now available for Red Hat
Integration Camel K that includes bug fixes and enhancements. The purpose
of this text-only errata is to inform you about the security issues fixed
in this release.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

A minor version update (from 1.4.2 to 1.6) is now available for Red Hat
Camel K that includes bug fixes and enhancements, which are documented in
the Release Notes document linked to in the References.

Security Fix(es):

* xstream: Arbitrary code execution via unsafe deserialization of
javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39146)

* xstream: Infinite loop DoS via unsafe deserialization of
sun.reflect.annotation.AnnotationInvocationHandler (CVE-2021-39140)

* xstream: Arbitrary code execution via unsafe deserialization of
javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39154)

* xstream: Arbitrary code execution via unsafe deserialization of Xalan
xsltc.trax.TemplatesImpl (CVE-2021-39153)

* xstream: Server-side request forgery (SSRF) via unsafe deserialization of
jdk.nashorn.internal.runtime.Source$URLData (CVE-2021-39152)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39151)

* xstream: Server-side request forgery (SSRF) via unsafe deserialization of
com.sun.xml.internal.ws.client.sei. (CVE-2021-39150)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.corba. (CVE-2021-39149)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.toolkit.dir.ContextEnumerator (CVE-2021-39148)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.ldap.LdapSearchEnumeration (CVE-2021-39147)

* xstream: vulnerable to an arbitrary code execution attack
(CVE-2021-39146)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39145)

* xstream: Arbitrary code execution via unsafe deserialization of
sun.tracing. (CVE-2021-39144)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.xml.internal.ws.client.sei. (CVE-2021-39141)

* xstream: Arbitrary code execution via unsafe deserialization of Xalan
xsltc.trax.TemplatesImpl (CVE-2021-39139)

* spring-web: (re)creating the temporary storage directory could result in
a privilege escalation within WebFlux application (CVE-2021-22118)

* pdfbox: infinite loop while loading a crafted PDF file (CVE-2021-31812)

* jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a
java.lang.OutOfMemoryError exception (CVE-2020-28491)

* xstream: remote command execution attack by manipulating the processed
input stream (CVE-2021-29505)

* json-smart: uncaught exception may lead to crash or information
disclosure (CVE-2021-27568)

* velocity: arbitrary code execution when attacker is able to modify
templates (CVE-2020-13936)

* mongodb-driver: mongo-java-driver: client-side field level encryption not
verifying KMS host name (CVE-2021-20328)

* RESTEasy: Caching routes in RootNode may result in DoS (CVE-2020-14326)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

  https://access.redhat.com/articles/11258

4. Bugs fixed (  https://bugzilla.redhat.com/):

1855826 - CVE-2020-14326 RESTEasy: Caching routes in RootNode may result in DoS
1930423 - CVE-2020-28491 jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception
1934236 - CVE-2021-20328 mongo-java-driver: client-side field level encryption not verifying KMS host name
1937440 - CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates
1939839 - CVE-2021-27568 json-smart: uncaught exception may lead to crash or information disclosure
1942539 - CVE-2021-21341 XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream
1942545 - CVE-2021-21342 XStream: SSRF via crafted input stream
1942550 - CVE-2021-21343 XStream: arbitrary file deletion on the local host via crafted input stream
1942554 - CVE-2021-21344 XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet
1942558 - CVE-2021-21345 XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry
1942578 - CVE-2021-21346 XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue
1942629 - CVE-2021-21347 XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator
1942633 - CVE-2021-21348 XStream: ReDoS vulnerability
1942637 - CVE-2021-21350 XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader
1942642 - CVE-2021-21351 XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream
1966735 - CVE-2021-29505 XStream: remote command execution attack by manipulating the processed input stream
1971658 - CVE-2021-31812 pdfbox: infinite loop while loading a crafted PDF file
1974854 - CVE-2021-22118 spring-web: (re)creating the temporary storage directory could result in a privilege escalation within WebFlux application
1997763 - CVE-2021-39139 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl
1997765 - CVE-2021-39140 xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler
1997769 - CVE-2021-39141 xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*
1997772 - CVE-2021-39144 xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.*
1997775 - CVE-2021-39145 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration
1997777 - CVE-2021-39146 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue
1997779 - CVE-2021-39147 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration
1997781 - CVE-2021-39148 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator
1997784 - CVE-2021-39149 xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.*
1997786 - CVE-2021-39150 xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*
1997791 - CVE-2021-39151 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration
1997793 - CVE-2021-39152 xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData
1997795 - CVE-2021-39153 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl
1997801 - CVE-2021-39154 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue

5. References:

  https://access.redhat.com/security/cve/CVE-2020-13936
  https://access.redhat.com/security/cve/CVE-2020-14326
  https://access.redhat.com/security/cve/CVE-2020-28491
  https://access.redhat.com/security/cve/CVE-2021-20328
  https://access.redhat.com/security/cve/CVE-2021-21341
  https://access.redhat.com/security/cve/CVE-2021-21342
  https://access.redhat.com/security/cve/CVE-2021-21343
  https://access.redhat.com/security/cve/CVE-2021-21344
  https://access.redhat.com/security/cve/CVE-2021-21345
  https://access.redhat.com/security/cve/CVE-2021-21346
  https://access.redhat.com/security/cve/CVE-2021-21347
  https://access.redhat.com/security/cve/CVE-2021-21348
  https://access.redhat.com/security/cve/CVE-2021-21350
  https://access.redhat.com/security/cve/CVE-2021-21351
  https://access.redhat.com/security/cve/CVE-2021-22118
  https://access.redhat.com/security/cve/CVE-2021-27568
  https://access.redhat.com/security/cve/CVE-2021-29505
  https://access.redhat.com/security/cve/CVE-2021-31812
  https://access.redhat.com/security/cve/CVE-2021-39139
  https://access.redhat.com/security/cve/CVE-2021-39140
  https://access.redhat.com/security/cve/CVE-2021-39141
  https://access.redhat.com/security/cve/CVE-2021-39144
  https://access.redhat.com/security/cve/CVE-2021-39145
  https://access.redhat.com/security/cve/CVE-2021-39146
  https://access.redhat.com/security/cve/CVE-2021-39147
  https://access.redhat.com/security/cve/CVE-2021-39148
  https://access.redhat.com/security/cve/CVE-2021-39149
  https://access.redhat.com/security/cve/CVE-2021-39150
  https://access.redhat.com/security/cve/CVE-2021-39151
  https://access.redhat.com/security/cve/CVE-2021-39152
  https://access.redhat.com/security/cve/CVE-2021-39153
  https://access.redhat.com/security/cve/CVE-2021-39154
  https://access.redhat.com/security/updates/classification/#moderate
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2021-Q4
  https://access.redhat.com/documentation/en-us/red_hat_integration/2021.q4

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.