Important: Red Hat build of Quarkus 3.2.9 release and security update

トピック

A new release of the Red Hat build of Quarkus is now available. This new release comes packed with a host of enhancements, bug fixes, and security fixes.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

説明

This release of Red Hat build of Quarkus 3.2.9 includes security updates, bug
fixes, and enhancements.

Security Fix(es):

• CVE-2023-39410 avro: apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK [quarkus-3.2]
• CVE-2023-43642 snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact [quarkus-3.2]

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

解決策

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

影響を受ける製品

• Red Hat Build of Quarkus Text-Only Advisories x86_64

修正

• BZ - 2241722 - CVE-2023-43642 snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact
• BZ - 2242521 - CVE-2023-39410 apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK
• QUARKUS-3339 - Vertx SQL client hangs, when it inserts null or empty string into Oracle DB
• QUARKUS-3367 - HTTP/1.1 upgrade to H2C cannot process fully request entity with a size greater than the initial window size
• QUARKUS-3563 - Fix title of upx.adoc
• QUARKUS-3564 - Remove update guide from docs yml
• QUARKUS-3565 - Enhancements to Configuration section of the Logging guide
• QUARKUS-3566 - Applying the QE feedback for the Logging guide
• QUARKUS-3567 - Doc link fixes & enhancements to Bearer token authentication tutorial
• QUARKUS-3568 - Additional review and application of QE feedback to the Datasource guide
• QUARKUS-3569 - Remove 'Security vulnerability detection' topic from downstream doc list
• QUARKUS-3570 - Adding the JUL URL to the Logging guide update
• QUARKUS-3571 - Make hibernate reactive status clear in docs
• QUARKUS-3572 - Fix doc link asciidoc change link to xref where applicable
• QUARKUS-3573 - Config doc - Avoid processing methods if not @ConfigMapping
• QUARKUS-3662 - Tiny grammar tweaks for the Authorization of web endpoints guide
• QUARKUS-3663 - Tiny Vale tweaks for Datasource and Logging guide
• QUARKUS-3664 - Duplicate Authorization Bearer Header Fix
• QUARKUS-3665 - More reliable test setup in integration-tests/hibernate-orm-tenancy/datasource
• QUARKUS-3666 - Fixing Db2 Driver typo
• QUARKUS-3667 - Fix assertions in Hibernate ORM 5.6 compatibility tests
• QUARKUS-3668 - Fix dead link in infinispan-client-reference.adoc
• QUARKUS-3669 - Bump Keycloak version to 22.0.6
• QUARKUS-3670 - Vert.x: fix NPE in ForwardedProxyHandler
• QUARKUS-3671 - Fix quarkus update regression on extensions
• QUARKUS-3672 - Take @ConstrainedTo into account for interceptors
• QUARKUS-3673 - Dev UI: Fix height in Rest Client
• QUARKUS-3674 - QuarkusSecurityTestExtension afterEach call should not be made for tests without @TestSecurity
• QUARKUS-3675 - Make the ZSTD Substitutions more robust
• QUARKUS-3676 - Fix handling of HTTP/2 H2 empty frames in Resteasy Reactive
• QUARKUS-3677 - Fix deployer detection in quarkus-maven-plugin
• QUARKUS-3678 - ArC: fix PreDestroy callback support for decorators
• QUARKUS-3679 - Update Vert.x version to 4.4.6
• QUARKUS-3680 - Let custom OIDC token propagation filters customize the exchange status
• QUARKUS-3681 - Let custom OIDC token propagation filters provide client name
• QUARKUS-3682 - Upgrade Oracle JDBC driver to 23.3.0.23.09
• QUARKUS-3683 - Upgrade to Hibernate ORM 6.2.13.Final
• QUARKUS-3685 - Ensure that SSE builder works in native
• QUARKUS-3686 - AssembleDownstreamDocumentation - print guide name
• QUARKUS-3687 - IBM Db2 - Register resource bundle classes for reflection
• QUARKUS-3688 - Allow @ClientHeaderParam to override User-Agent
• QUARKUS-3689 - Fix issue in Java migration in dev-mode
• QUARKUS-3690 - Properly handle invalid response body errors in Reactive REST Client
• QUARKUS-3691 - Prepare for ORM update
• QUARKUS-3692 - Upgrade: Hibernate ORM 6.2.11.Final and Reactive 2.0.6.Final
• QUARKUS-3693 - Fixed URL for configuring JSON support
• QUARKUS-3694 - Upgrade to Hibernate Search 6.2.2.Final
• QUARKUS-3695 - Fix Liquibase on Windows 11
• QUARKUS-3696 - Update to the JDBCStore section of the Transaction guide
• QUARKUS-3697 - Improve handling of broken accept headers in MediaTypeHeaderDelegate
• QUARKUS-3698 - Fix Authorization of Web Endpoints link
• QUARKUS-3699 - Don't register subresource for reflection based on their use as a return type
• QUARKUS-3700 - Don't use RuntimeDelegate in ResponseHandler
• QUARKUS-3701 - Don't ignore empty SSE events in client
• QUARKUS-3702 - Improve the way HTTP authorizer logs exceptions
• QUARKUS-3703 - Log invalid CORS origin and method
• QUARKUS-3704 - Fix return type of hibernate-search substitution
• QUARKUS-3705 - Bump org.apache.commons:commons-compress from 1.23.0 to 1.24.0 in /bom/application
• QUARKUS-3706 - Bump org.apache.commons:commons-compress from 1.23.0 to 1.24.0 in /independent-projects/tools
• QUARKUS-3707 - Prevent recording configuration coming from Gradle
• QUARKUS-3708 - Add logic to load yaml recipes based on the extension
• QUARKUS-3709 - Add note about unsupported @Lock in Spring Data JPA
• QUARKUS-3710 - Restore missing parameters in OIDC Dev UI client cred and password SwaggerUI/GraphQL handlers
• QUARKUS-3711 - More hierarchical classes are not picked up as global interceptors
• QUARKUS-3712 - Fixes aggregation of configurations with two different executions ids
• QUARKUS-3713 - Improve description of the duration format in configuration documentation
• QUARKUS-3714 - Bump smallrye-reactive-types-converter.version from 3.0.0 to 3.0.1
• QUARKUS-3715 - Improve Qute + Cache integration
• QUARKUS-3716 - HTTP fix response compression support
• QUARKUS-3717 - Document the ability to automatically compress rotated log files
• QUARKUS-3718 - Adding additional information for the JDBCStore section of the Transaction guide
• QUARKUS-3719 - Default response content type using GraphQL spec
• QUARKUS-3720 - Delete temporary openshift files
• QUARKUS-3721 - Fix invalid logging pattern
• QUARKUS-3722 - Guard against null headers when converting a provided Response
• QUARKUS-3723 - Fix potential NPE in HTTP proxying
• QUARKUS-3724 - Upgrade to Hibernate ORM 6.2.9.Final and HR 2.0.5.Final
• QUARKUS-3725 - Fix typo which affects OIDC Dev UI when either client credentials or password grant is used
• QUARKUS-3726 - Clarify how PasswordProvider in security-jpa has to be used
• QUARKUS-3727 - ArC: log warning about removed beans for BeanContainer operations
• QUARKUS-3728 - ArC: fix decorators and interface default methods
• QUARKUS-3729 - Add plexus version constraints to the bootstrap BOM
• QUARKUS-3730 - Preserve format style when adding after-shutdown message
• QUARKUS-3732 - Hibernate Reactive Panache: fix WithSessionOnDemand implementation
• QUARKUS-3733 - Copyedit the style of config-yaml.adoc for reuse in the product docs
• QUARKUS-3734 - Update bytebuddy as we need a version working with Java 21
• QUARKUS-3735 - Add support for Podman auth file in Jib
• QUARKUS-3736 - Fix Jakarta Cookie serialization in native
• QUARKUS-3737 - Disable scan and local cache for update-version.sh
• QUARKUS-3738 - Use BeanContainer.beanInstance instead in docs
• QUARKUS-3739 - Report 401 and remove OIDC session cookie if it is malformed
• QUARKUS-3740 - Some longer timeouts for CI
• QUARKUS-3741 - Fix duration converter with multiple units
• QUARKUS-3742 - Add support for @GlobalInterceptor on producer methods
• QUARKUS-3743 - Doc enhancements to the security architecture guide
• QUARKUS-3744 - Remove security guides we are no longer publishing for 3.2 product docs
• QUARKUS-3746 - Properly handle authority-pseudo header in the ForwardedParser
• QUARKUS-3747 - Docs - Add missing steps to Basic authentication how-to
• QUARKUS-3749 - Handle duplicated context in the CacheResultInterceptor
• QUARKUS-3750 - Security doc fix: Broken link and bad code snippet
• QUARKUS-3751 - [3.2] Set all discovered quarkus.* properties as system properties in QuarkusWorker
• QUARKUS-3752 - Update artifact ids for dependencies in Blaze-Persistence documentation for Quarkus 3 integration
• QUARKUS-3753 - Gradle: set all discovered quarkus.* properties as system properties in QuarkusWorker
• QUARKUS-3754 - Improve response filter documentation
• QUARKUS-3755 - Fix grammar error in OIDC and Bootstrap JavaDocs
• QUARKUS-3756 - Keycloak DevService: Improve error messages and documentation
• QUARKUS-3731 - Refactor Hibernate config mapping to use groups instead of dotted names (take 2)

CVE

• CVE-2023-39410
• CVE-2023-43642

参考資料

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus&downloadType=distributions&version=3.2.9
• https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/3.2/
• https://access.redhat.com/articles/4966181#RHBQ_3_2_x