Red Hat 9038 Published by

A Red Hat Data Grid 8.3.0 security update has been released.



RHSA-2022:0520-01: Moderate: Red Hat Data Grid 8.3.0 security update



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat Data Grid 8.3.0 security update
Advisory ID: RHSA-2022:0520-01
Product: Red Hat JBoss Data Grid
Advisory URL:   https://access.redhat.com/errata/RHSA-2022:0520
Issue date: 2022-02-14
CVE Names: CVE-2021-3642 CVE-2021-29505 CVE-2021-37136
CVE-2021-37137 CVE-2021-39139 CVE-2021-39140
CVE-2021-39141 CVE-2021-39144 CVE-2021-39145
CVE-2021-39146 CVE-2021-39147 CVE-2021-39148
CVE-2021-39149 CVE-2021-39150 CVE-2021-39151
CVE-2021-39152 CVE-2021-39153 CVE-2021-39154
CVE-2021-43797
=====================================================================

1. Summary:

An update for Red Hat Data Grid is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution.
It increases application response times and allows for dramatically
improving performance while providing availability, reliability, and
elastic scale.

Data Grid 8.3.0 replaces Data Grid 8.2.3 and includes bug fixes and
enhancements. Find out more about Data Grid 8.3.0 in the Release Notes[3].

Security Fix(es):

* XStream: remote command execution attack by manipulating the processed
input stream (CVE-2021-29505)

* xstream: Arbitrary code execution via unsafe deserialization of Xalan
xsltc.trax.TemplatesImpl (CVE-2021-39139)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.xml.internal.ws.client.sei.* (CVE-2021-39141)

* xstream: Arbitrary code execution via unsafe deserialization of
sun.tracing.* (CVE-2021-39144)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39145)

* xstream: Arbitrary code execution via unsafe deserialization of
javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39146)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.ldap.LdapSearchEnumeration (CVE-2021-39147)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.toolkit.dir.ContextEnumerator (CVE-2021-39148)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.corba.* (CVE-2021-39149)

* xstream: Server-side request forgery (SSRF) via unsafe deserialization of
com.sun.xml.internal.ws.client.sei.* (CVE-2021-39150)

* xstream: Arbitrary code execution via unsafe deserialization of
com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39151)

* xstream: Server-side request forgery (SSRF) via unsafe deserialization of
jdk.nashorn.internal.runtime.Source$URLData (CVE-2021-39152)

* xstream: Arbitrary code execution via unsafe deserialization of Xalan
xsltc.trax.TemplatesImpl (CVE-2021-39153)

* xstream: Arbitrary code execution via unsafe deserialization of
javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39154)

* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)

* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for
decompressed data (CVE-2021-37136)

* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may
buffer skippable chunks in an unnecessary way (CVE-2021-37137)

* xstream: Infinite loop DoS via unsafe deserialization of
sun.reflect.annotation.AnnotationInvocationHandler (CVE-2021-39140)

* netty: control chars in header names may lead to HTTP request smuggling
(CVE-2021-43797)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

To install this update, do the following:

1. Download the Data Grid 8.3.0 Server patch from the customer portal[²].
2. Back up your existing Data Grid installation. You should back up
databases, configuration files, and so on.
3. Install the Data Grid 8.3.0 Server patch.
4. Restart Data Grid to ensure the changes take effect.

For more information about Data Grid 8.3.0, refer to the 8.3.0 Release
Notes[³]

4. Bugs fixed (  https://bugzilla.redhat.com/):

1966735 - CVE-2021-29505 XStream: remote command execution attack by manipulating the processed input stream
1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer
1997763 - CVE-2021-39139 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl
1997765 - CVE-2021-39140 xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler
1997769 - CVE-2021-39141 xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*
1997772 - CVE-2021-39144 xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.*
1997775 - CVE-2021-39145 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration
1997777 - CVE-2021-39146 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue
1997779 - CVE-2021-39147 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration
1997781 - CVE-2021-39148 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator
1997784 - CVE-2021-39149 xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.*
1997786 - CVE-2021-39150 xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*
1997791 - CVE-2021-39151 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration
1997793 - CVE-2021-39152 xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData
1997795 - CVE-2021-39153 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl
1997801 - CVE-2021-39154 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue
2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way
2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling

5. References:

  https://access.redhat.com/security/cve/CVE-2021-3642
  https://access.redhat.com/security/cve/CVE-2021-29505
  https://access.redhat.com/security/cve/CVE-2021-37136
  https://access.redhat.com/security/cve/CVE-2021-37137
  https://access.redhat.com/security/cve/CVE-2021-39139
  https://access.redhat.com/security/cve/CVE-2021-39140
  https://access.redhat.com/security/cve/CVE-2021-39141
  https://access.redhat.com/security/cve/CVE-2021-39144
  https://access.redhat.com/security/cve/CVE-2021-39145
  https://access.redhat.com/security/cve/CVE-2021-39146
  https://access.redhat.com/security/cve/CVE-2021-39147
  https://access.redhat.com/security/cve/CVE-2021-39148
  https://access.redhat.com/security/cve/CVE-2021-39149
  https://access.redhat.com/security/cve/CVE-2021-39150
  https://access.redhat.com/security/cve/CVE-2021-39151
  https://access.redhat.com/security/cve/CVE-2021-39152
  https://access.redhat.com/security/cve/CVE-2021-39153
  https://access.redhat.com/security/cve/CVE-2021-39154
  https://access.redhat.com/security/cve/CVE-2021-43797
  https://access.redhat.com/security/updates/classification/#moderate
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=data.grid&version=8.3
  https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.3/html-single/red_hat_data_grid_8.3_release_notes/

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.