Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Moderate: Red Hat Integration Camel-K 1.8 security update

Related Vulnerabilities: CVE-2020-9492   CVE-2020-27223   CVE-2020-36518   CVE-2021-2471   CVE-2021-3520   CVE-2021-3629   CVE-2021-20289   CVE-2021-22132   CVE-2021-22137   CVE-2021-28163   CVE-2021-28164   CVE-2021-28165   CVE-2021-37714   CVE-2021-38153   CVE-2021-40690  

Source

Synopsis

Moderate: Red Hat Integration Camel-K 1.8 security update

Type/Severity

Security Advisory: Moderate

Topic

A minor version update is now available for Red Hat Integration Camel K. The purpose of this text-only errata is to inform you about the security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

A minor version update is now available for Red Hat Camel K that includes CVE fixes in the base images, which are documented in the Release Notes document linked in the References section.

Security Fix(es):

  • hadoop: WebHDFS client might send SPNEGO authorization header (CVE-2020-9492)
  • jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS (CVE-2020-27223)
  • jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)
  • mysql-connector-java: unauthorized access to critical (CVE-2021-2471)
  • lz4: memory corruption due to an integer overflow bug caused by memmove argument (CVE-2021-3520)
  • undertow: potential security issue in flow control over HTTP/2 may lead to DOS (CVE-2021-3629)
  • elasticsearch: executing async search improperly stores HTTP headers leading to information disclosure (CVE-2021-22132)
  • jetty: Symlink directory exposes webapp directory contents (CVE-2021-28163)
  • jetty: Ambiguous paths can access WEB-INF (CVE-2021-28164)
  • jetty: Resource exhaustion when receiving an invalid large TLS frame (CVE-2021-28165)
  • jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck (CVE-2021-37714)
  • Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients (CVE-2021-38153)
  • xml-security: XPath Transform abuse allows for information disclosure (CVE-2021-40690)
  • resteasy: Error message exposes endpoint class information (CVE-2021-20289)
  • elasticsearch: Document disclosure flaw when Document or Field Level Security is used (CVE-2021-22137)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Integration Text-Only Advisories x86_64

Fixes

  • BZ - 1923181 - CVE-2021-22132 elasticsearch: executing async search improperly stores HTTP headers leading to information disclosure
  • BZ - 1925237 - CVE-2020-9492 hadoop: WebHDFS client might send SPNEGO authorization header
  • BZ - 1934116 - CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS
  • BZ - 1935927 - CVE-2021-20289 resteasy: Error message exposes endpoint class information
  • BZ - 1943189 - CVE-2021-22137 elasticsearch: Document disclosure flaw when Document or Field Level Security is used
  • BZ - 1945710 - CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents
  • BZ - 1945712 - CVE-2021-28164 jetty: Ambiguous paths can access WEB-INF
  • BZ - 1945714 - CVE-2021-28165 jetty: Resource exhaustion when receiving an invalid large TLS frame
  • BZ - 1954559 - CVE-2021-3520 lz4: memory corruption due to an integer overflow bug caused by memmove argument
  • BZ - 1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS
  • BZ - 1995259 - CVE-2021-37714 jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
  • BZ - 2009041 - CVE-2021-38153 Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients
  • BZ - 2011190 - CVE-2021-40690 xml-security: XPath Transform abuse allows for information disclosure
  • BZ - 2020583 - CVE-2021-2471 mysql-connector-java: unauthorized access to critical
  • BZ - 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started