A Red Hat Integration Camel-K 1.6 release and security update has been released.
RHSA-2021:4918-03: Moderate: Red Hat Integration Camel-K 1.6 release and security update
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat Integration Camel-K 1.6 release and security update
Advisory ID: RHSA-2021:4918-01
Product: Red Hat Integration
Advisory URL: https://access.redhat.com/errata/RHSA-2021:4918
Issue date: 2021-12-02
Cross references: RHBA-2021:79512-01
CVE Names: CVE-2020-13936 CVE-2020-14326 CVE-2020-28491
CVE-2021-20328 CVE-2021-21341 CVE-2021-21342
CVE-2021-21343 CVE-2021-21344 CVE-2021-21345
CVE-2021-21346 CVE-2021-21347 CVE-2021-21348
CVE-2021-21350 CVE-2021-21351 CVE-2021-22118
CVE-2021-27568 CVE-2021-29505 CVE-2021-31812
CVE-2021-39139 CVE-2021-39140 CVE-2021-39141
CVE-2021-39144 CVE-2021-39145 CVE-2021-39146
CVE-2021-39147 CVE-2021-39148 CVE-2021-39149
CVE-2021-39150 CVE-2021-39151 CVE-2021-39152
CVE-2021-39153 CVE-2021-39154
=====================================================================
1. Summary:
A minor version update (from 1.4.2 to 1.6) is now available for Red Hat
Integration Camel K that includes bug fixes and enhancements. The purpose
of this text-only errata is to inform you about the security issues fixed
in this release.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
A minor version update (from 1.4.2 to 1.6) is now available for Red Hat
Camel K that includes bug fixes and enhancements, which are documented in
the Release Notes document linked to in the References.
Security Fix(es):
* xstream: Arbitrary code execution via unsafe deserialization of
javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39146)
* xstream: Infinite loop DoS via unsafe deserialization of
sun.reflect.annotation.AnnotationInvocationHandler (CVE-2021-39140)
* xstream: Arbitrary code execution via unsafe deserialization of
javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39154)
* xstream: Arbitrary code execution via unsafe deserialization of Xalan
xsltc.trax.TemplatesImpl (CVE-2021-39153)
* xstream: Server-side request forgery (SSRF) via unsafe deserialization of
jdk.nashorn.internal.runtime.Source$URLData (CVE-2021-39152)
* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39151)
* xstream: Server-side request forgery (SSRF) via unsafe deserialization of
com.sun.xml.internal.ws.client.sei.* (CVE-2021-39150)
* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.corba.* (CVE-2021-39149)
* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.toolkit.dir.ContextEnumerator (CVE-2021-39148)
* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.ldap.LdapSearchEnumeration (CVE-2021-39147)
* xstream: vulnerable to an arbitrary code execution attack
(CVE-2021-39146)
* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39145)
* xstream: Arbitrary code execution via unsafe deserialization of
sun.tracing.* (CVE-2021-39144)
* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.xml.internal.ws.client.sei.* (CVE-2021-39141)
* xstream: Arbitrary code execution via unsafe deserialization of Xalan
xsltc.trax.TemplatesImpl (CVE-2021-39139)
* spring-web: (re)creating the temporary storage directory could result in
a privilege escalation within WebFlux application (CVE-2021-22118)
* pdfbox: infinite loop while loading a crafted PDF file (CVE-2021-31812)
* jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a
java.lang.OutOfMemoryError exception (CVE-2020-28491)
* xstream: remote command execution attack by manipulating the processed
input stream (CVE-2021-29505)
* json-smart: uncaught exception may lead to crash or information
disclosure (CVE-2021-27568)
* velocity: arbitrary code execution when attacker is able to modify
templates (CVE-2020-13936)
* mongodb-driver: mongo-java-driver: client-side field level encryption not
verifying KMS host name (CVE-2021-20328)
* RESTEasy: Caching routes in RootNode may result in DoS (CVE-2020-14326)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
4. Bugs fixed ( https://bugzilla.redhat.com/):
1855826 - CVE-2020-14326 RESTEasy: Caching routes in RootNode may result in DoS
1930423 - CVE-2020-28491 jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception
1934236 - CVE-2021-20328 mongo-java-driver: client-side field level encryption not verifying KMS host name
1937440 - CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates
1939839 - CVE-2021-27568 json-smart: uncaught exception may lead to crash or information disclosure
1942539 - CVE-2021-21341 XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream
1942545 - CVE-2021-21342 XStream: SSRF via crafted input stream
1942550 - CVE-2021-21343 XStream: arbitrary file deletion on the local host via crafted input stream
1942554 - CVE-2021-21344 XStream: Unsafe deserialization of javax.sql.rowset.BaseRowSet
1942558 - CVE-2021-21345 XStream: Unsafe deserialization of com.sun.corba.se.impl.activation.ServerTableEntry
1942578 - CVE-2021-21346 XStream: Unsafe deserialization of sun.swing.SwingLazyValue
1942629 - CVE-2021-21347 XStream: Unsafe deserialization of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator
1942633 - CVE-2021-21348 XStream: ReDoS vulnerability
1942637 - CVE-2021-21350 XStream: Unsafe deserialization of com.sun.org.apache.bcel.internal.util.ClassLoader
1942642 - CVE-2021-21351 XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream
1966735 - CVE-2021-29505 XStream: remote command execution attack by manipulating the processed input stream
1971658 - CVE-2021-31812 pdfbox: infinite loop while loading a crafted PDF file
1974854 - CVE-2021-22118 spring-web: (re)creating the temporary storage directory could result in a privilege escalation within WebFlux application
1997763 - CVE-2021-39139 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl
1997765 - CVE-2021-39140 xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler
1997769 - CVE-2021-39141 xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*
1997772 - CVE-2021-39144 xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.*
1997775 - CVE-2021-39145 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration
1997777 - CVE-2021-39146 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue
1997779 - CVE-2021-39147 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration
1997781 - CVE-2021-39148 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator
1997784 - CVE-2021-39149 xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.*
1997786 - CVE-2021-39150 xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*
1997791 - CVE-2021-39151 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration
1997793 - CVE-2021-39152 xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData
1997795 - CVE-2021-39153 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl
1997801 - CVE-2021-39154 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue
5. References:
https://access.redhat.com/security/cve/CVE-2020-13936
https://access.redhat.com/security/cve/CVE-2020-14326
https://access.redhat.com/security/cve/CVE-2020-28491
https://access.redhat.com/security/cve/CVE-2021-20328
https://access.redhat.com/security/cve/CVE-2021-21341
https://access.redhat.com/security/cve/CVE-2021-21342
https://access.redhat.com/security/cve/CVE-2021-21343
https://access.redhat.com/security/cve/CVE-2021-21344
https://access.redhat.com/security/cve/CVE-2021-21345
https://access.redhat.com/security/cve/CVE-2021-21346
https://access.redhat.com/security/cve/CVE-2021-21347
https://access.redhat.com/security/cve/CVE-2021-21348
https://access.redhat.com/security/cve/CVE-2021-21350
https://access.redhat.com/security/cve/CVE-2021-21351
https://access.redhat.com/security/cve/CVE-2021-22118
https://access.redhat.com/security/cve/CVE-2021-27568
https://access.redhat.com/security/cve/CVE-2021-29505
https://access.redhat.com/security/cve/CVE-2021-31812
https://access.redhat.com/security/cve/CVE-2021-39139
https://access.redhat.com/security/cve/CVE-2021-39140
https://access.redhat.com/security/cve/CVE-2021-39141
https://access.redhat.com/security/cve/CVE-2021-39144
https://access.redhat.com/security/cve/CVE-2021-39145
https://access.redhat.com/security/cve/CVE-2021-39146
https://access.redhat.com/security/cve/CVE-2021-39147
https://access.redhat.com/security/cve/CVE-2021-39148
https://access.redhat.com/security/cve/CVE-2021-39149
https://access.redhat.com/security/cve/CVE-2021-39150
https://access.redhat.com/security/cve/CVE-2021-39151
https://access.redhat.com/security/cve/CVE-2021-39152
https://access.redhat.com/security/cve/CVE-2021-39153
https://access.redhat.com/security/cve/CVE-2021-39154
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2021-Q4
https://access.redhat.com/documentation/en-us/red_hat_integration/2021.q4
6. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.