Important: Red Hat build of Quarkus 2.13.9 release and security update

Topic

An update is now available for Red Hat build of Quarkus.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability. For more
information, see the CVE links in the References section.

Description

This release of Red Hat build of Quarkus 2.13.9 includes security updates, bug
fixes, and enhancements. For more information, see the release notes page listed
in the References section.

Security Fix(es):

• CVE-2023-31582 org.bitbucket.b_c/jose4j: jose4j: Insecure iteration count setting [quarkus-2]
• CVE-2023-39410 org.apache.avro/avro: apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK [quarkus-2]
• CVE-2023-43642 org.xerial.snappy/snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact [quarkus-2]
• CVE-2023-35887 org.apache.sshd/sshd-common: apache-mina-sshd: information exposure in SFTP server implementations [quarkus-2]
• CVE-2023-34453 org.xerial.snappy/snappy-java: snappy-java: Integer overflow in shuffle leads to DoS [quarkus-2]
• CVE-2023-34454 org.xerial.snappy/snappy-java: snappy-java: Integer overflow in compress leads to DoS [quarkus-2]
• CVE-2023-2976 com.google.guava/guava: guava: insecure temporary directory creation [quarkus-2]
• CVE-2023-34462 io.netty/netty-handler: netty: SniHandler 16MB allocation leads to OOM [quarkus-2]
• CVE-2023-34455 org.xerial.snappy/snappy-java: snappy-java: Unchecked chunk length leads to DoS [quarkus-2]
• CVE-2023-6393 io.quarkus/quarkus-cache: quarkus: Potential invalid reuse of context when @CacheResult on a Uni is used [quarkus-2.13]

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Build of Quarkus Text-Only Advisories x86_64

Fixes

• BZ - 2215229 - CVE-2023-2976 guava: insecure temporary directory creation
• BZ - 2215393 - CVE-2023-34453 snappy-java: Integer overflow in shuffle leads to DoS
• BZ - 2215394 - CVE-2023-34454 snappy-java: Integer overflow in compress leads to DoS
• BZ - 2215445 - CVE-2023-34455 snappy-java: Unchecked chunk length leads to DoS
• BZ - 2216888 - CVE-2023-34462 netty: SniHandler 16MB allocation leads to OOM
• BZ - 2240036 - CVE-2023-35887 apache-mina-sshd: information exposure in SFTP server implementations
• BZ - 2241722 - CVE-2023-43642 snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact
• BZ - 2242521 - CVE-2023-39410 apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK
• BZ - 2246370 - CVE-2023-31582 jose4j: Insecure iteration count setting
• BZ - 2253113 - CVE-2023-6393 quarkus: Potential invalid reuse of context when @CacheResult on a Uni is used
• QUARKUS-3781 - [2.13] Handle duplicated context in the CacheResultInterceptor
• QUARKUS-3782 - (2.13) graphql websocket fixes
• QUARKUS-3785 - Add smallrye-jwt test confirming RSA-OAEP encrypted token with RSA 1_5 set in headers is rejected
• QUARKUS-3787 - Prevent ContextNotActiveException during invalid config validation if resteasy-reactive module is present

CVEs

• CVE-2023-2976
• CVE-2023-6393
• CVE-2023-31582
• CVE-2023-34453
• CVE-2023-34454
• CVE-2023-34455
• CVE-2023-34462
• CVE-2023-35887
• CVE-2023-39410
• CVE-2023-43642

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.13/
• https://access.redhat.com/articles/4966181