Red Hat 9062 Published by

A Red Hat Data Grid 8.4.4 security update has been released.



[RHSA-2023:5396-01] Moderate: Red Hat Data Grid 8.4.4 security update


==================================================================== Red Hat Security Advisory

Synopsis: Moderate: Red Hat Data Grid 8.4.4 security update
Advisory ID: RHSA-2023:5396-01
Product: Red Hat JBoss Data Grid
Advisory URL: https://access.redhat.com/errata/RHSA-2023:5396
Issue date: 2023-09-28
CVE Names: CVE-2022-45047 CVE-2023-3628 CVE-2023-3629
CVE-2023-5236 CVE-2023-34462 CVE-2023-35116
CVE-2023-35887
====================================================================
1. Summary:

An update for Red Hat Data Grid 8 is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution.
It increases application response times and allows for dramatically
improving performance while providing availability, reliability, and
elastic scale.

Data Grid 8.4.4 replaces Data Grid 8.4.3 and includes bug fixes and
enhancements. Find out more about Data Grid 8.4.4 in the Release Notes[3].

Security Fix(es):

* infispan: REST bulk ops don't check permissions (CVE-2023-3628)

* infinispan: Non-admins should not be able to get cache config via REST
API (CVE-2023-3629)

* netty: SniHandler 16MB allocation leads to OOM (CVE-2023-34462)

* jackson-databind: denial of service via cylic dependencies
(CVE-2023-35116)

* apache-mina: information exposure in SFTP server implementations
(CVE-2023-35887)

* infinispan: circular reference on marshalling leads to DoS
(CVE-2023-5236)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed ( https://bugzilla.redhat.com/):

2215214 - CVE-2023-35116 jackson-databind: denial of service via cylic dependencies
2216888 - CVE-2023-34462 netty: SniHandler 16MB allocation leads to OOM
2217924 - CVE-2023-3628 infispan: REST bulk ops don't check permissions
2217926 - CVE-2023-3629 infinispan: Non-admins should not be able to get cache config via REST API
2240036 - CVE-2023-35887 apache-mina-sshd: information exposure in SFTP server implementations
2240999 - CVE-2023-5236 infinispan: circular reference on marshalling leads to DoS

5. References:

https://access.redhat.com/security/cve/CVE-2022-45047
https://access.redhat.com/security/cve/CVE-2023-3628
https://access.redhat.com/security/cve/CVE-2023-3629
https://access.redhat.com/security/cve/CVE-2023-5236
https://access.redhat.com/security/cve/CVE-2023-34462
https://access.redhat.com/security/cve/CVE-2023-35116
https://access.redhat.com/security/cve/CVE-2023-35887
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareIdp381&productÚta.grid&version=8.4&downloadType=patches
https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.4/html-single/red_hat_data_grid_8.4_release_notes/index

6. Contact:

The Red Hat security contact is [secalert@redhat.com]. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.

--