Red Hat Product Errata RHSA-2024:4326 - Security Advisory
Issued:
2024-07-08
Updated:
2024-07-08

RHSA-2024:4326 - Security Advisory

Synopsis

Moderate: Red Hat build of Quarkus 3.8.5 release and security update

Type/Severity

Security Advisory: Moderate

Topic

An update is now available for Red Hat build of Quarkus.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

Description

This release of Red Hat build of Quarkus 3.8.5 includes security updates, bug fixes and enhancements. For more information, see the release notes page listed in the References section.

Security Fix(es):

  • (CVE-2024-29857) org.bouncycastle:bcprov-jdk18on: org.bouncycastle: Importing an EC certificate with crafted F2m parameters may lead to Denial of Service [quarkus-3.8]
  • (CVE-2024-30172) org.bouncycastle:bcprov-jdk18on: Infinite loop in ED25519 verification in the ScalarUtil class [quarkus-3.8]
  • (CVE-2024-34447) org.bouncycastle/bcprov-jdk18on: org.bouncycastle: Use of Incorrectly-Resolved Name or Reference [quarkus-3.8]
  • (CVE-2024-30171) org.bouncycastle-bcprov-jdk18on: BouncyCastle vulnerable to a timing variant of Bleichenbacher (Marvin Attack) [quarkus-3.8]

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

Affected Products

  • Red Hat build of Quarkus Text-Only Advisories x86_64

Fixes

  • BZ - 2276360 - CVE-2024-30171 bc-java: BouncyCastle vulnerable to a timing variant of Bleichenbacher (Marvin Attack)
  • BZ - 2279227 - CVE-2024-34447 org.bouncycastle: Use of Incorrectly-Resolved Name or Reference
  • BZ - 2293025 - CVE-2024-30172 org.bouncycastle:bcprov-jdk18on: Infinite loop in ED25519 verification in the ScalarUtil class
  • BZ - 2293028 - CVE-2024-29857 org.bouncycastle: Importing an EC certificate with crafted F2m parameters may lead to Denial of Service
  • QUARKUS-4551 - Bump com.fasterxml.jackson:jackson-bom from 2.16.1 to 2.17.0
  • QUARKUS-4486 - Support annotationProcessorPathsUseDepMgmt in quarkus:dev
  • QUARKUS-4488 - Fix minor typo in hibernate-reactive.adoc
  • QUARKUS-4489 - Avoid StringIndexOutOfBoundsException in KafkaRuntimeConfigProducer
  • QUARKUS-4490 - Fix issue with Liquibase and H2 database
  • QUARKUS-4492 - Fix XA support for Oracle in native
  • QUARKUS-4493 - Adjust sync-web-site.sh for branch renaming of quarkusio repo
  • QUARKUS-4494 - Azure Functions HTTP: use utf-8 instead of default charset decoding request
  • QUARKUS-4495 - Bump Keycloak version to 24.0.4
  • QUARKUS-4498 - Overcome 'String too large to record' issue with Truffle
  • QUARKUS-4506 - Fix multi rooted path tree scanning in the Qute processor
  • QUARKUS-4520 - Update datasource yaml config in docs
  • QUARKUS-4530 - Parameter to skip Maven goal executions before quarkus:dev, skipping flatten plugin by default
  • QUARKUS-4532 - Property to enable/disable default client in Infinispan Dev Services
  • QUARKUS-4534 - Bump MINIMUM working mandrel/graalvm version to 22.3
  • QUARKUS-4535 - Warn users when using older GraalVM or Mandrel versions
  • QUARKUS-4536 - Bump maven-model-helper to 36
  • QUARKUS-4537 - Use quarkusDev#workingDirectory
  • QUARKUS-4542 - Jackson should use HybridJacksonPool
  • QUARKUS-4545 - Backport hide EndUserSpanProcessor integration
  • QUARKUS-4552 - Use Quarkus wide version of jna-platform in azure-functions
  • QUARKUS-4402 - OpenTelemetry is still listed as TP
  • QUARKUS-4430 - Backport of HTTP Metrics on redirected URLs
  • QUARKUS-4491 - Make error message thrown when Quarkus REST and RESTEasy Classic are combined user-friendly again
  • QUARKUS-4497 - Fix pulsar doc misnamed variable, replace enableRetry with retryEnable
  • QUARKUS-4499 - Bump quarkiverse-parent to 16 and maven-compiler-plugin to 3.13.0
  • QUARKUS-4507 - Don't close connection if response is sent
  • QUARKUS-4508 - Allow ClassLoader to return multiple resources
  • QUARKUS-4512 - Make resteasy-reactive AbstractJsonMessageBodyReader handle MediaType case insensitive
  • QUARKUS-4514 - Fix resource registration for native compilation
  • QUARKUS-4515 - Updates quarkusdocs to replace deprecated injectMock
  • QUARKUS-4516 - Logging Guide: Remove duplicated statements
  • QUARKUS-4518 - Do not increment metrics on CaffeineCache#getIfPresent call
  • QUARKUS-4519 - Update kafka doc: Emitter
  • QUARKUS-4525 - Collect only runtime static resources for native builds
  • QUARKUS-4526 - Take MediaType set in pre-match filter into account during serialization
  • QUARKUS-4529 - Fix MessageBundle key/file name resolver algorithm
  • QUARKUS-4531 - Add maxLength configuration option to SysLog
  • QUARKUS-4533 - Ensure that index.html works in any directory in native mode
  • QUARKUS-4538 - Properly convert MemorySize to RESTEasy configuration
  • QUARKUS-4549 - Make max parameters of multipart handling configurable
  • QUARKUS-4550 - Enable proxy configuration for OpenTelemetry exporters
  • QUARKUS-4553 - Preserve POM format when extensions are added/removed
  • QUARKUS-4608 - Upgrade Hibernate to 6.4.8
  • QUARKUS-3540 - Building native binary on arm64/macOS M1 not working
  • QUARKUS-3660 - Stop productizing io.quarkus:quarkus-smallrye-opentracing and remove any RH support label
  • QUARKUS-4318 - Enhance OIDC token propagation filters to select named OIDC clients
  • QUARKUS-4431 - Backport of bugfix for "Failed to index" warnings
  • QUARKUS-4501 - Fix configuration table filter and row collapse/expansion in guides
  • QUARKUS-4502 - Avoid "Failed to index" warnings produced during @SecureField annotation detection
  • QUARKUS-4503 - Fix DisableLoggingFeature for JBoss Threads/Hibernate/Infinispan/Websocket-client
  • QUARKUS-4504 - Fix possible NPE from resource loading
  • QUARKUS-4505 - Fix improper section levels
  • QUARKUS-4509 - Avoid classes with incomplete hierarchy in Hibernate Validator
  • QUARKUS-4510 - Add a temporary config property to allow multiple resources
  • QUARKUS-4511 - ArC: prevent NPE when EagerInstanceHandle.UNAVAILABLE is closed
  • QUARKUS-4517 - Qute: ultimate fix for the problem with registering NativeImageResourceBuildItem correctly on Windows
  • QUARKUS-4522 - Applying the QE feedback to the Logging guide
  • QUARKUS-4523 - Qute: fix NativeImageResourceBuildItem registration on Windows
  • QUARKUS-4527 - Un-sign modified dependency JARs when filtering
  • QUARKUS-4539 - Make sure pathFilter is applied to workspace module content tree
  • QUARKUS-4540 - Improve the multipart encoded mode handling in the rest client
  • QUARKUS-4541 - Ensure that failed unis are not cached
  • QUARKUS-4543 - Fix for proxy flag on OTel
  • QUARKUS-4544 - Fix StorkClientRequestFilter exception handling
  • QUARKUS-4547 - Keep the URIs in the metrics tag if they match a client or server pattern
  • QUARKUS-4548 - Don't run CDI interceptors on class-level exception mappers
  • QUARKUS-4500 - Bump OpenJDK images to 1.19
  • QUARKUS-4184 - Generated gradle app searches for wrong build versions

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.