- Issued:
- 2023-12-07
- Updated:
- 2023-12-07
RHSA-2023:7705 - Security Advisory
Synopsis
Important: Red Hat Build of Apache Camel for Quarkus 2.13.3 security update (RHBQ 2.13.9.Final)
Type/Severity
Security Advisory: Important
Topic
Red Hat Build of Apache Camel for Quarkus 2.13.3 release and security update is now available (updates to RHBQ 2.13.9.Final). The purpose of this text-only errata is to inform you about the security issues fixed.
Red Hat Product Security has rated this update as having an impact of Important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
A security update for Red Hat Build of Apache Camel for Quarkus 2.13.3 is now available (updates to RHBQ 2.13.9.Final). The purpose of this text-only errata is to inform you about the security issues fixed.
Red Hat Product Security has rated this update as having an impact of Important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Security Fix(es):
- CVE-2023-5072 JSON-java: parser confusion leads to OOM
- CVE-2023-39410 avro: apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK
- CVE-2023-35887 sshd-common: apache-mina-sshd: information exposure in SFTP server implementations
- CVE-2023-34462 netty: SniHandler 16MB allocation leads to OOM
- CVE-2023-34455 snappy-java: Unchecked chunk length leads to DoS
Solution
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
The References section of this erratum contains a download link (you must log in to download the update).
Affected Products
- Red Hat Build of Apache Camel 1 x86_64
Fixes
- BZ - 2215445 - CVE-2023-34455 snappy-java: Unchecked chunk length leads to DoS
- BZ - 2216888 - CVE-2023-34462 netty: SniHandler 16MB allocation leads to OOM
- BZ - 2240036 - CVE-2023-35887 apache-mina-sshd: information exposure in SFTP server implementations
- BZ - 2242521 - CVE-2023-39410 apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK
- BZ - 2246417 - CVE-2023-5072 JSON-java: parser confusion leads to OOM
CVEs
(none)
References
- https://access.redhat.com/security/updates/classification/#important
- https://access.redhat.com/security/cve/CVE-2023-5072
- https://access/redhat/com/security/cve/CVE-2023-39410
- https://access/redhat/com/security/cve/CVE-2023-35887
- https://access/redhat/com/security/cve/CVE-2023-34462
- https://access/redhat/com/security/cve/CVE-2023-34455
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
