Red Hat Product Errata RHSA-2021:4918 - Security Advisory
Issued:
2021-12-02
Updated:
2021-12-02

RHSA-2021:4918 - Security Advisory

Synopsis

Moderate: Red Hat Integration Camel-K 1.6 release and security update

Type/Severity

Security Advisory: Moderate

Topic

A minor version update (from 1.4.2 to 1.6) is now available for Red Hat Integration Camel K that includes bug fixes and enhancements. The purpose of this text-only errata is to inform you about the security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

A minor version update (from 1.4.2 to 1.6) is now available for Red Hat Camel K that includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

  • xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39146)
  • xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler (CVE-2021-39140)
  • xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue (CVE-2021-39154)
  • xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl (CVE-2021-39153)
  • xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData (CVE-2021-39152)
  • xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39151)
  • xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei. (CVE-2021-39150)
  • xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba. (CVE-2021-39149)
  • xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator (CVE-2021-39148)
  • xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration (CVE-2021-39147)
  • xstream: vulnerable to an arbitrary code execution attack (CVE-2021-39146)
  • xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration (CVE-2021-39145)
  • xstream: Arbitrary code execution via unsafe deserialization of sun.tracing. (CVE-2021-39144)
  • xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei. (CVE-2021-39141)
  • xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl (CVE-2021-39139)
  • spring-web: (re)creating the temporary storage directory could result in a privilege escalation within WebFlux application (CVE-2021-22118)
  • pdfbox: infinite loop while loading a crafted PDF file (CVE-2021-31812)
  • jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception (CVE-2020-28491)
  • xstream: remote command execution attack by manipulating the processed input stream (CVE-2021-29505)
  • json-smart: uncaught exception may lead to crash or information disclosure (CVE-2021-27568)
  • velocity: arbitrary code execution when attacker is able to modify templates (CVE-2020-13936)
  • mongodb-driver: mongo-java-driver: client-side field level encryption not verifying KMS host name (CVE-2021-20328)
  • RESTEasy: Caching routes in RootNode may result in DoS (CVE-2020-14326)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Integration - Camel K 1 x86_64

Fixes

  • BZ - 1855826 - CVE-2020-14326 RESTEasy: Caching routes in RootNode may result in DoS
  • BZ - 1930423 - CVE-2020-28491 jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception
  • BZ - 1934236 - CVE-2021-20328 mongo-java-driver: client-side field level encryption not verifying KMS host name
  • BZ - 1937440 - CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates
  • BZ - 1939839 - CVE-2021-27568 json-smart: uncaught exception may lead to crash or information disclosure
  • BZ - 1942539 - CVE-2021-21341 XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream
  • BZ - 1942545 - CVE-2021-21342 XStream: SSRF via crafted input stream
  • BZ - 1942550 - CVE-2021-21343 XStream: arbitrary file deletion on the local host via crafted input stream
  • BZ - 1942554 - CVE-2021-21344 XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet
  • BZ - 1942558 - CVE-2021-21345 XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry
  • BZ - 1942578 - CVE-2021-21346 XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue
  • BZ - 1942629 - CVE-2021-21347 XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator
  • BZ - 1942633 - CVE-2021-21348 XStream: ReDoS vulnerability
  • BZ - 1942637 - CVE-2021-21350 XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader
  • BZ - 1942642 - CVE-2021-21351 XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream
  • BZ - 1966735 - CVE-2021-29505 XStream: remote command execution attack by manipulating the processed input stream
  • BZ - 1971658 - CVE-2021-31812 pdfbox: infinite loop while loading a crafted PDF file
  • BZ - 1974854 - CVE-2021-22118 spring-web: (re)creating the temporary storage directory could result in a privilege escalation within WebFlux application
  • BZ - 1997763 - CVE-2021-39139 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl
  • BZ - 1997765 - CVE-2021-39140 xstream: Infinite loop DoS via unsafe deserialization of sun.reflect.annotation.AnnotationInvocationHandler
  • BZ - 1997769 - CVE-2021-39141 xstream: Arbitrary code execution via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*
  • BZ - 1997772 - CVE-2021-39144 xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.*
  • BZ - 1997775 - CVE-2021-39145 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration
  • BZ - 1997777 - CVE-2021-39146 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue
  • BZ - 1997779 - CVE-2021-39147 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapSearchEnumeration
  • BZ - 1997781 - CVE-2021-39148 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.toolkit.dir.ContextEnumerator
  • BZ - 1997784 - CVE-2021-39149 xstream: Arbitrary code execution via unsafe deserialization of com.sun.corba.*
  • BZ - 1997786 - CVE-2021-39150 xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*
  • BZ - 1997791 - CVE-2021-39151 xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration
  • BZ - 1997793 - CVE-2021-39152 xstream: Server-side request forgery (SSRF) via unsafe deserialization of jdk.nashorn.internal.runtime.Source$URLData
  • BZ - 1997795 - CVE-2021-39153 xstream: Arbitrary code execution via unsafe deserialization of Xalan xsltc.trax.TemplatesImpl
  • BZ - 1997801 - CVE-2021-39154 xstream: Arbitrary code execution via unsafe deserialization of javax.swing.UIDefaults$ProxyLazyValue

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.