RHSA-2024:6437 - Security Advisory

Topic

An update is now available for Red Hat build of Quarkus.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

Description

This release of Red Hat build of Quarkus 3.8.6 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section.

Security Fix(es):

• EMBARGOED CVE-2024-3653 io.quarkus/quarkus-undertow: undertow: LearningPushHandler can lead to remote memory DoS attacks [quarkus-3.8]
• CVE-2024-8391 io.vertx.vertx-grpc-client: Vertx gRPC server does not limit the maximum message size [quarkus-3.8]
• CVE-2024-8391 io.vertx.vertx-grpc-server: Vertx gRPC server does not limit the maximum message size [quarkus-3.8]

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat build of Quarkus Text-Only Advisories x86_64

Fixes

• QUARKUS-4213 - Quarkus BOM is pushing older version of microprofile-config-api than what SmallRye projects are using
• QUARKUS-4477 - RestEasy reactive client @Retry fails in native mode
• QUARKUS-4521 - Docs: update deploying-to-openshift.adoc for build option
• QUARKUS-4570 - RestEasy gzip max input fails in native mode
• QUARKUS-4581 - Transactional smallrye consumer doesn't recover once it gets into an error state.
• QUARKUS-4616 - Not bumped OpenJDK image to 1.19 in quarkus-jib extension
• QUARKUS-4694 - RHBQ 3.8.5.SP1 defines and delivers quarkus-oidc-db-token-state-manager but not the -deployment counterpart
• QUARKUS-4784 - Fixes potential NPE when custom converters receive empty parameters
• QUARKUS-4785 - Fix a race condition in ReactiveDatasourceHealthCheck data field population
• QUARKUS-4786 - Treat Kotlin's Unit as void for the Quarkus REST scoring system
• QUARKUS-4787 - Avoid warning on analytics
• QUARKUS-4788 - [3.8] Fix downstream title
• QUARKUS-4791 - Use recognized status for apicurio json schema
• QUARKUS-4796 - Set the correct length of parameters when constructing the Redis arguments
• QUARKUS-4798 - Properly close AsyncFile in Quarkus REST
• QUARKUS-4799 - Create new vertx context for blocking health checks
• QUARKUS-4802 - Using safe Integer comparison
• QUARKUS-4804 - For NOTE and TIP, use admonition syntax instead of ID syntax
• QUARKUS-4805 - BugFix Fixed mismatched number of args in string formats
• QUARKUS-4806 - Fix Quarkus REST concurrent modification exception when making abstract resource classes inheritors beans
• QUARKUS-4807 - Bump com.fasterxml.jackson:jackson-bom from 2.17.1 to 2.17.2
• QUARKUS-4808 - BugFix fixed comparison of field with itself
• QUARKUS-4809 - Fix native issue with @Providers when only the REST Client exists
• QUARKUS-4810 - SmallRye GraphQL: added \r to PATTERN_NEWLINE_OR_TAB
• QUARKUS-4814 - Only warn about `module-info` if it exists
• QUARKUS-4815 - Reinitialize the SmallRye `HostName` class as well
• QUARKUS-4816 - Register @JsonNaming value for reflection
• QUARKUS-4817 - Handle duplicated Vert.x context in CaffeineCacheImpl
• QUARKUS-4818 - Lock docker image version for the OTel Collector
• QUARKUS-4819 - Catch exceptions when running checkMissingCommand
• QUARKUS-4820 - Fix bytecode recording issue when default method is used as a getter
• QUARKUS-4822 - Use correct property in JWT key file examples
• QUARKUS-4826 - Qute: fix possible stack overflow error in InsertSectionHelper
• QUARKUS-4827 - Ignore abstract jakarta.ws.rs.core.Application classes
• QUARKUS-4828 - Avoid exporter related exceptions when application has been shutdown
• QUARKUS-4829 - Ensure that MessageBodyWriter is passed the proper media type
• QUARKUS-4830 - Bump io.fabric8:maven-model-helper from 36 to 37
• QUARKUS-4831 - [3.8] Use getMajorMinor version for Infinispan Dev Services container
• QUARKUS-4834 - Quarkus REST: Fix two Date issues regarding preconditions
• QUARKUS-4835 - Avoid using outdated OpenRewrite config in quarkus update
• QUARKUS-4836 - Take MediaType set in pre-match filter into when returning Response
• QUARKUS-4837 - Delegate to the correct method in TransactionScopedStatelessSession#fetch
• QUARKUS-4838 - Use latest SmallRye Context Propagation to fix @CacheResult with method returning Uni makes cache exceed its maximum size
• QUARKUS-4839 - Fix encoding of '?' in query parameter values by Encode.encodeQueryParam(..)
• QUARKUS-4841 - Qute: fix regression for optimized generated value resolvers
• QUARKUS-4842 - Make sure quarkusXXXCompileOnlyConfiguration extends from platform configuration
• QUARKUS-4844 - Fix a disabled OidcClient REST client issue
• QUARKUS-4846 - Improve @SecureField detection lookup exclusions
• QUARKUS-4847 - Control data used in path expression when running remote-dev
• QUARKUS-4848 - Trivial: Update matcher in component test test to catch single test case
• QUARKUS-4849 - Allow the use of @Blocking on @ClientExceptionMapper
• QUARKUS-4850 - Prevent abort because of a throwable
• QUARKUS-4853 - Fix correct parsing of collections in AmazonLambdaRecorder
• QUARKUS-4854 - Bump org.jboss.logmanager:jboss-logmanager from 3.0.4.Final to 3.0.6.Final
• QUARKUS-4855 - Allow JsonObject and JsonArray to be used in any POJO for JSON handling

CVEs

• CVE-2024-3653
• CVE-2024-8391

References

• https://access.redhat.com/security/updates/classification/#moderate
• https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.8
• https://access.redhat.com/articles/4966181