-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.0883
Red Hat Integration Tech-Preview 3 Camel K security update
12 March 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Red Hat Integration Tech-Preview 3 Camel K
Publisher: Red Hat
Operating System: Red Hat
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
                   Reduced Security         -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-25649 CVE-2020-13956 CVE-2020-13946
Reference:         ESB-2021.0598
                   ESB-2021.0379
Original Bulletin:
https://access.redhat.com/errata/RHSA-2021:0811
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Low: Red Hat Integration Tech-Preview 3 Camel K security update
Advisory ID: RHSA-2021:0811-01
Product: Red Hat Integration
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0811
Issue date: 2021-03-11
Keywords: fuse
CVE Names: CVE-2020-13946 CVE-2020-13956 CVE-2020-25649
=====================================================================
1. Summary:
An update to the Camel K operator image for Red Hat Integration
tech-preview is now available. The purpose of this text-only errata is to
inform you about the security issues fixed in this release.
Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
This release of Red Hat Integration - Camel K - Tech-Preview 3 serves as a
replacement for tech-preview 2, and includes bug fixes and enhancements,
which are documented in the Release Notes document linked to in the
References.
Security Fix(es):
* jackson-databind: FasterXML DOMDeserializer insecure entity expansion is
vulnerable to XML external entity (XXE) (CVE-2020-25649)
* cassandra: allows manipulation of the RMI registry to perform a MITM
attack and capture user names and passwords used to access the JMX
interface (CVE-2020-13946)
* apache-httpclient: incorrect handling of malformed authority component in
request URIs (CVE-2020-13956)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
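The advisory names the three affected libraries but not the versions that carry the fix, so a practitioner's first question is whether an image or build in front of them still bundles a vulnerable jar. The following script is an example added to this bulletin, not Red Hat's or Apache's tooling. It parses a jar listing (a constructed sample is embedded; in practice you would feed it the output of `find / -name '*.jar'` run inside the image) and flags any tracked artifact whose numeric version is below the upstream fix for its release branch. The fixed-version table (jackson-databind 2.9.10.7 / 2.10.5.1, httpclient 4.5.13, cassandra-all 2.1.22 / 2.2.19 / 3.0.22 / 3.11.8) and the `cassandra-all` artifact name are assumptions taken from the upstream project fixes, not from the advisory text. One caveat a Red Hat customer must keep in mind: Red Hat frequently backports a fix without bumping the upstream version string, so a name-based check can produce false positives; the errata above and the operator image tag it ships remain the authoritative statement of what is fixed.

```python
"""Flag bundled jars whose version predates the upstream fix for the CVEs
named in the advisory. Added example code; not Red Hat's or Apache's tooling."""
import re
from typing import Dict, List, Optional, Tuple

# Upstream fixed versions per release branch, keyed by Maven artifactId.
# ASSUMPTION: taken from the upstream project release notes, not from the
# advisory text above. Red Hat rebuilds may carry the fix under an older
# upstream version string; treat a hit here as "verify", not "vulnerable".
FIXED_VERSIONS: Dict[str, Tuple[str, List[str]]] = {
    "jackson-databind": ("CVE-2020-25649", ["2.9.10.7", "2.10.5.1"]),
    "httpclient": ("CVE-2020-13956", ["4.5.13"]),
    "cassandra-all": ("CVE-2020-13946", ["2.1.22", "2.2.19", "3.0.22", "3.11.8"]),
}

# artifact-<digit-led version>[.qualifier].jar; the artifact part is matched
# lazily so hyphenated artifactIds (cassandra-all, jackson-databind) survive.
JAR_RE = re.compile(r"^(?P<artifact>[a-z][a-z0-9-]*?)-(?P<version>\d[\w.-]*)\.jar$")


def as_tuple(version: str) -> Tuple[int, ...]:
    """'2.9.10.7' -> (2, 9, 10, 7); tuples compare component-wise."""
    return tuple(int(part) for part in version.split("."))


def parse_jar_name(name: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Split 'artifact-1.2.3[.qualifier].jar' into ('artifact', (1, 2, 3)).
    Trailing qualifiers such as '.redhat-00001' are dropped: a rebuild of a
    fixed upstream version still contains the fix."""
    match = JAR_RE.match(name)
    if not match:
        return None
    numeric = re.match(r"\d+(?:\.\d+)*", match.group("version")).group(0)
    return match.group("artifact"), as_tuple(numeric)


def fixed_version_for(artifact: str, version: Tuple[int, ...]) -> Optional[Tuple[int, ...]]:
    """Pick the fix that applies to this version's major.minor branch.
    A version older than every fixed branch is compared against the lowest
    fix (unmaintained branch, no fix available); a version on a branch newer
    than any listed fix is ASSUMED to postdate the fix and is not flagged."""
    fixes = sorted(as_tuple(f) for f in FIXED_VERSIONS[artifact][1])
    for fix in fixes:
        if fix[:2] == version[:2]:
            return fix
    return fixes[0] if version < fixes[0] else None


def audit(jar_names: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (jar, cve, found_version, required_version) for each tracked
    artifact whose numeric version is below the applicable fix."""
    findings = []
    for name in jar_names:
        parsed = parse_jar_name(name)
        if parsed is None or parsed[0] not in FIXED_VERSIONS:
            continue
        artifact, version = parsed
        fix = fixed_version_for(artifact, version)
        if fix is not None and version < fix:
            cve = FIXED_VERSIONS[artifact][0]
            findings.append((name, cve, ".".join(map(str, version)), ".".join(map(str, fix))))
    return findings


# Constructed sample listing, as produced by `find / -name '*.jar'` inside an
# image. The version numbers are illustrative, not taken from any Red Hat image.
SAMPLE_IMAGE_JARS = [
    "jackson-databind-2.9.10.4.jar",               # below 2.9.10.7 -> flagged
    "jackson-databind-2.10.5.1.redhat-00001.jar",  # rebuild of a fixed version -> clean
    "httpclient-4.5.12.jar",                       # below 4.5.13 -> flagged
    "httpcore-4.4.13.jar",                         # not a tracked artifact
    "cassandra-all-3.11.7.jar",                    # below 3.11.8 -> flagged
    "camel-core-3.7.0.jar",                        # not a tracked artifact
]

if __name__ == "__main__":
    for jar, cve, have, need in audit(SAMPLE_IMAGE_JARS):
        print(f"{jar}: {cve} - found {have}, fix is >= {need} (verify against the errata)")
```

Versions are compared as integer tuples so that `2.9.10.7` sorts below `2.10.5.1` (a string comparison would get this backwards). The branch lookup matters for jackson-databind and Cassandra, where each maintained branch received its own fix release; a `2.9.x` jar must be measured against `2.9.10.7`, not against the higher-numbered `2.10.5.1`.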
3. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
4. Bugs fixed (https://bugzilla.redhat.com/):
1875830 - CVE-2020-13946 cassandra: allows manipulation of the RMI registry to perform a MITM attack and capture user names and passwords used to access the JMX interface
1886587 - CVE-2020-13956 apache-httpclient: incorrect handling of malformed authority component in request URIs
1887664 - CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)
5. References:
https://access.redhat.com/security/cve/CVE-2020-13946
https://access.redhat.com/security/cve/CVE-2020-13956
https://access.redhat.com/security/cve/CVE-2020-25649
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_integration/2021.q1/html-single/release_notes_for_red_hat_integration_2021.q1
6. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
The post ESB-2021.0883 – [RedHat] Red Hat Integration Tech-Preview 3 Camel K: Multiple vulnerabilities appeared first on Malware Devil.
https://malwaredevil.com/2021/03/12/esb-2021-0883-redhat-red-hat-integration-tech-preview-3-camel-k-multiple-vulnerabilities/