Red Hat 9062 Published by

A Red Hat support for Spring Boot 2.5.10 update has been released.



RHSA-2022:1179-01: Important: Red Hat support for Spring Boot 2.5.10 update



=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat support for Spring Boot 2.5.10 update
Advisory ID: RHSA-2022:1179-01
Product: Red Hat OpenShift Application Runtimes
Advisory URL:   https://access.redhat.com/errata/RHSA-2022:1179
Issue date: 2022-04-12
CVE Names: CVE-2021-3597 CVE-2021-3629 CVE-2021-3642
CVE-2021-3859 CVE-2021-20289 CVE-2021-30640
CVE-2021-33037 CVE-2021-41079 CVE-2021-42340
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift Application Runtimes.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each
vulnerability. For more information, see the CVE links in the References
section.

2. Description:

Red Hat support for Spring Boot provides an application platform that
reduces the complexity of developing and operating applications (monoliths
and microservices) for OpenShift as a containerized platform.

This release of Red Hat support for Spring Boot 2.5.10 serves as a
replacement for Red Hat support for Spring Boot 2.4.9, and includes bug
fixes and enhancements. For more information, see the release notes listed
in the References section.

Security Fix(es):

* undertow: client side invocation timeout raised when calling over HTTP2
(CVE-2021-3859)

* tomcat: Infinite loop while reading an unexpected TLS packet when using
OpenSSL JSSE engine (CVE-2021-41079)

* tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could
lead to DoS (CVE-2021-42340)

* undertow: HTTP2SourceChannel fails to write final frame under some
circumstances may lead to DoS (CVE-2021-3597)

* undertow: potential security issue in flow control over HTTP/2 may lead
to DOS (CVE-2021-3629)

* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)

* tomcat: HTTP request smuggling when used with a reverse proxy
(CVE-2021-33037)

* resteasy: Error message exposes endpoint class information
(CVE-2021-20289)

* tomcat: JNDI realm authentication weakness (CVE-2021-30640)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link for the
update. You must be logged in to download the update.

4. Bugs fixed (  https://bugzilla.redhat.com/):

1935927 - CVE-2021-20289 resteasy: Error message exposes endpoint class information
1970930 - CVE-2021-3597 undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS
1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS
1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer
1981533 - CVE-2021-33037 tomcat: HTTP request smuggling when used with a reverse proxy
1981544 - CVE-2021-30640 tomcat: JNDI realm authentication weakness
2004820 - CVE-2021-41079 tomcat: Infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE engine
2010378 - CVE-2021-3859 undertow: client side invocation timeout raised when calling over HTTP2
2014356 - CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS

5. References:

  https://access.redhat.com/security/cve/CVE-2021-3597
  https://access.redhat.com/security/cve/CVE-2021-3629
  https://access.redhat.com/security/cve/CVE-2021-3642
  https://access.redhat.com/security/cve/CVE-2021-3859
  https://access.redhat.com/security/cve/CVE-2021-20289
  https://access.redhat.com/security/cve/CVE-2021-30640
  https://access.redhat.com/security/cve/CVE-2021-33037
  https://access.redhat.com/security/cve/CVE-2021-41079
  https://access.redhat.com/security/cve/CVE-2021-42340
  https://access.redhat.com/security/updates/classification/#important
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.spring.boot&version=2.5.10
  https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.5/html/release_notes_for_spring_boot_2.5/index

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.