{ "document" : { "aggregate_severity" : { "namespace" : "https://access.redhat.com/security/updates/classification/", "text" : "Important" }, "category" : "csaf_security_advisory", "csaf_version" : "2.0", "distribution" : { "text" : "Copyright © Red Hat, Inc. All rights reserved.", "tlp" : { "label" : "WHITE", "url" : "https://www.first.org/tlp/" } }, "lang" : "en", "notes" : [ { "category" : "summary", "text" : "Red Hat build of Debezium connectors in version 3.2.7 are now available for Red Hat Application Foundations.", "title" : "Topic" }, { "category" : "general", "text" : "Debezium is a distributed platform that turns your existing databases into event streams, so applications can see and respond immediately to each row-level change in the databases.\n\nDebezium is built on top of Apache Kafka and provides Kafka Connect compatible connectors that monitor specific database management systems. Debezium records the history of data changes in Kafka logs, from where your application consumes them. This makes it possible for your application to easily consume all of the events correctly and completely. Even if your application stops unexpectedly, it will not miss anything: when the application restarts, it will resume consuming the events where it left off.\n\nIn addition this errata fixes two security issues\n\nmchange-commons-java: Arbitrary code execution via JNDI dereferencing of crafted objects (CVE-2026-27727)\nc3p0: Arbitrary Code Execution via deserialization of crafted objects (CVE-2026-27830)", "title" : "Details" }, { "category" : "legal_disclaimer", "text" : "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title" : "Terms of Use" } ], "publisher" : { "category" : "vendor", "contact_details" : "https://access.redhat.com/security/team/contact/", "issuing_authority" : "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name" : "Red Hat Product Security", "namespace" : "https://www.redhat.com" }, "references" : [ { "category" : "self", "summary" : "https://access.redhat.com/errata/RHSA-2026:4285", "url" : "https://access.redhat.com/errata/RHSA-2026:4285" }, { "category" : "external", "summary" : "https://access.redhat.com/security/updates/classification/#important", "url" : "https://access.redhat.com/security/updates/classification/#important" }, { "category" : "self", "summary" : "Canonical URL", "url" : "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_4285.json" } ], "title" : "Red Hat Security Advisory: Red Hat build of Debezium 3.2.7 release", "tracking" : { "current_release_date" : "2026-03-26T14:22:55+00:00", "generator" : { "date" : "2026-03-26T14:22:55+00:00", "engine" : { "name" : "Red Hat SDEngine", "version" : "4.7.4" } }, "id" : "RHSA-2026:4285", "initial_release_date" : "2026-03-11T10:47:34+00:00", "revision_history" : [ { "date" : "2026-03-11T10:47:34+00:00", "number" : "1", "summary" : "Initial version" }, { "date" : "2026-03-11T10:47:34+00:00", "number" : "2", "summary" : "Last updated version" }, { "date" : "2026-03-26T14:22:55+00:00", "number" : "3", "summary" : "Last generated version" } ], "status" : "final", "version" : "3" } }, "product_tree" : { "branches" : [ { "branches" : [ { "branches" : [ { "category" : "product_name", "name" : "Red Hat Build of Debezium 3.2", "product" : { "name" : "Red Hat Build of Debezium 3.2", "product_id" : "Red Hat Build of Debezium 3.2", "product_identification_helper" : { "cpe" : "cpe:/a:redhat:debezium:3" } } } ], "category" : "product_family", "name" : "Red Hat Integration" } ], "category" : "vendor", "name" : "Red Hat" } ] }, "vulnerabilities" : [ { "cve" : "CVE-2026-27727", "cwe" : { "id" : "CWE-502", "name" : "Deserialization of Untrusted Data" }, "discovery_date" : "2026-02-25T17:04:31.254239+00:00", "ids" : [ { "system_name" : "Red Hat Bugzilla ID", "text" : "2442671" } ], "notes" : [ { "category" : "description", "text" : "A flaw was found in mchange-commons-java, a Java utility library. An attacker can exploit this vulnerability by providing a maliciously crafted `javax.naming.Reference` or serialized object to an application using the library. This can provoke the application to download and execute arbitrary malicious code due to mchange-commons-java's independent implementation of Java Naming and Directory Interface (JNDI) dereferencing, which supports remote code loading. This could lead to arbitrary code execution within the affected application.", "title" : "Vulnerability description" }, { "category" : "summary", "text" : "com.mchange/mchange-commons-java: mchange-commons-java: Arbitrary code execution via JNDI dereferencing of crafted objects", "title" : "Vulnerability summary" }, { "category" : "general", "text" : "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title" : "CVSS score applicability" } ], "product_status" : { "fixed" : [ "Red Hat Build of Debezium 3.2" ] }, "references" : [ { "category" : "self", "summary" : "Canonical URL", "url" : "https://access.redhat.com/security/cve/CVE-2026-27727" }, { "category" : "external", "summary" : "RHBZ#2442671", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2442671" }, { "category" : "external", "summary" : "https://www.cve.org/CVERecord?id=CVE-2026-27727", "url" : "https://www.cve.org/CVERecord?id=CVE-2026-27727" }, { "category" : "external", "summary" : "https://nvd.nist.gov/vuln/detail/CVE-2026-27727", "url" : "https://nvd.nist.gov/vuln/detail/CVE-2026-27727" }, { "category" : "external", "summary" : "https://github.com/swaldman/mchange-commons-java/security/advisories/GHSA-m2cm-222f-qw44", "url" : "https://github.com/swaldman/mchange-commons-java/security/advisories/GHSA-m2cm-222f-qw44" }, { "category" : "external", "summary" : "https://mogwailabs.de/en/blog/2025/02/c3p0-you-little-rascal", "url" : "https://mogwailabs.de/en/blog/2025/02/c3p0-you-little-rascal" }, { "category" : "external", "summary" : "https://www.mchange.com/projects/c3p0/#configuring_security", "url" : "https://www.mchange.com/projects/c3p0/#configuring_security" }, { "category" : "external", "summary" : "https://www.mchange.com/projects/c3p0/#security-note", "url" : "https://www.mchange.com/projects/c3p0/#security-note" } ], "release_date" : "2026-02-25T16:01:04.187000+00:00", "remediations" : [ { "category" : "vendor_fix", "date" : "2026-03-11T10:47:34+00:00", "details" : "To apply this update, follow the standard installation procedure for your platform:\n\n* https://docs.redhat.com/en/documentation/red_hat_build_of_debezium/3.2.7/html-single/installing_debezium_on_openshift/index\n*\nhttps://docs.redhat.com/en/documentation/red_hat_build_of_debezium/3.2.7/html-single/installing_debezium_on_rhel/index", "product_ids" : [ "Red Hat Build of Debezium 3.2" ], "restart_required" : { "category" : "none" }, "url" : "https://access.redhat.com/errata/RHSA-2026:4285" }, { "category" : "workaround", "details" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids" : [ "Red Hat Build of Debezium 3.2" ] } ], "scores" : [ { "cvss_v3" : { "attackComplexity" : "HIGH", "attackVector" : "NETWORK", "availabilityImpact" : "HIGH", "baseScore" : 8.3, "baseSeverity" : "HIGH", "confidentialityImpact" : "HIGH", "integrityImpact" : "HIGH", "privilegesRequired" : "NONE", "scope" : "CHANGED", "userInteraction" : "REQUIRED", "vectorString" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version" : "3.1" }, "products" : [ "Red Hat Build of Debezium 3.2" ] } ], "threats" : [ { "category" : "impact", "details" : "Important" } ], "title" : "com.mchange/mchange-commons-java: mchange-commons-java: Arbitrary code execution via JNDI dereferencing of crafted objects" }, { "cve" : "CVE-2026-27830", "cwe" : { "id" : "CWE-502", "name" : "Deserialization of Untrusted Data" }, "discovery_date" : "2026-02-26T01:01:56.834884+00:00", "ids" : [ { "system_name" : "Red Hat Bugzilla ID", "text" : "2442908" } ], "notes" : [ { "category" : "description", "text" : "A flaw was found in c3p0, a Java Database Connectivity (JDBC) Connection pooling library. This vulnerability allows an attacker to achieve arbitrary code execution by providing maliciously crafted Java-serialized objects or `javax.naming.Reference` instances. By manipulating the `userOverridesAsString` property, an attacker can cause the application to download and execute malicious code from a remote location on its CLASSPATH.", "title" : "Vulnerability description" }, { "category" : "summary", "text" : "c3p0: c3p0: Arbitrary Code Execution via deserialization of crafted objects", "title" : "Vulnerability summary" }, { "category" : "general", "text" : "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title" : "CVSS score applicability" } ], "product_status" : { "fixed" : [ "Red Hat Build of Debezium 3.2" ] }, "references" : [ { "category" : "self", "summary" : "Canonical URL", "url" : "https://access.redhat.com/security/cve/CVE-2026-27830" }, { "category" : "external", "summary" : "RHBZ#2442908", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2442908" }, { "category" : "external", "summary" : "https://www.cve.org/CVERecord?id=CVE-2026-27830", "url" : "https://www.cve.org/CVERecord?id=CVE-2026-27830" }, { "category" : "external", "summary" : "https://nvd.nist.gov/vuln/detail/CVE-2026-27830", "url" : "https://nvd.nist.gov/vuln/detail/CVE-2026-27830" }, { "category" : "external", "summary" : "https://github.com/swaldman/c3p0/commit/e14cbd8166e423e2e9a9d6f08b2add3433492d6e", "url" : "https://github.com/swaldman/c3p0/commit/e14cbd8166e423e2e9a9d6f08b2add3433492d6e" }, { "category" : "external", "summary" : "https://github.com/swaldman/c3p0/security/advisories/GHSA-5476-xc4j-rqcv", "url" : "https://github.com/swaldman/c3p0/security/advisories/GHSA-5476-xc4j-rqcv" }, { "category" : "external", "summary" : "https://mogwailabs.de/en/blog/2025/02/c3p0-you-little-rascal", "url" : "https://mogwailabs.de/en/blog/2025/02/c3p0-you-little-rascal" }, { "category" : "external", "summary" : "https://www.mchange.com/projects/c3p0/#configuring_security", "url" : "https://www.mchange.com/projects/c3p0/#configuring_security" }, { "category" : "external", "summary" : "https://www.mchange.com/projects/c3p0/#security-note", "url" : "https://www.mchange.com/projects/c3p0/#security-note" } ], "release_date" : "2026-02-26T00:45:18.222000+00:00", "remediations" : [ { "category" : "vendor_fix", "date" : "2026-03-11T10:47:34+00:00", "details" : "To apply this update, follow the standard installation procedure for your platform:\n\n* https://docs.redhat.com/en/documentation/red_hat_build_of_debezium/3.2.7/html-single/installing_debezium_on_openshift/index\n*\nhttps://docs.redhat.com/en/documentation/red_hat_build_of_debezium/3.2.7/html-single/installing_debezium_on_rhel/index", "product_ids" : [ "Red Hat Build of Debezium 3.2" ], "restart_required" : { "category" : "none" }, "url" : "https://access.redhat.com/errata/RHSA-2026:4285" } ], "scores" : [ { "cvss_v3" : { "attackComplexity" : "LOW", "attackVector" : "ADJACENT_NETWORK", "availabilityImpact" : "HIGH", "baseScore" : 8.0, "baseSeverity" : "HIGH", "confidentialityImpact" : "HIGH", "integrityImpact" : "HIGH", "privilegesRequired" : "LOW", "scope" : "UNCHANGED", "userInteraction" : "NONE", "vectorString" : "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version" : "3.1" }, "products" : [ "Red Hat Build of Debezium 3.2" ] } ], "threats" : [ { "category" : "impact", "details" : "Important" } ], "title" : "c3p0: c3p0: Arbitrary Code Execution via deserialization of crafted objects" } ] }