Headline
Red Hat Security Advisory 2024-7052-03
Red Hat Security Advisory 2024-7052-03 - An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available. The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products. Issues addressed include a denial of service vulnerability.
The following advisory data is extracted from:
https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7052.json
Red Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat’s archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.
- Packet Storm Staff
====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.GA)
Advisory ID: RHSA-2024:7052-03
Product: Red Hat Build of Apache Camel
Advisory URL: https://access.redhat.com/errata/RHSA-2024:7052
Issue date: 2024-09-24
Revision: 03
CVE Names:
====================================================================
Summary:
An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.GA).
The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.
Description:
An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.GA).
The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products:
- CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.utilities: XXE vulnerability in XSLT transforms in
- CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.r5: XXE vulnerability in XSLT transforms in
- CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.r4: XXE vulnerability in XSLT transforms in
- CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.dstu3: XXE vulnerability in XSLT transforms in
- CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may: XXE vulnerability in XSLT transforms in
- CVE-2024-8391 io.vertx/vertx-grpc-server: Vertx gRPC server does not limit the maximum message size
- CVE-2024-8391 io.vertx/vertx-grpc-client: Vertx gRPC server does not limit the maximum message size
- CVE-2024-32007 org.apache.cxf/cxf-rt-rs-security-jose: apache: cxf: org.apache.cxf:cxf-rt-rs-security-jose: Denial of Service vulnerability in JOSE
- CVE-2024-41172 org.apache.cxf/cxf-rt-transports-http: unrestricted memory consumption in CXF HTTP clients
- CVE-2024-35255 com.azure/azure-identity: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity
Solution:
CVEs:
References:
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/security/cve/CVE-2024-45294
https://access.redhat.com/security/cve/CVE-2024-8391
https://access.redhat.com/security/cve/CVE-2024-32007
https://access.redhat.com/security/cve/CVE-2024-41172
https://access.redhat.com/security/cve/CVE-2024-35255
https://bugzilla.redhat.com/show_bug.cgi?id=2295081
https://bugzilla.redhat.com/show_bug.cgi?id=2298828
https://bugzilla.redhat.com/show_bug.cgi?id=2298829
https://bugzilla.redhat.com/show_bug.cgi?id=2309758
https://bugzilla.redhat.com/show_bug.cgi?id=2310447
Related news
Red Hat Security Advisory 2024-6883-03 - Red Hat build of Apache Camel 3.20.7 for Spring Boot release and security update is now available. Issues addressed include denial of service, information leakage, and server-side request forgery vulnerabilities.
Red Hat Security Advisory 2024-6883-03 - Red Hat build of Apache Camel 3.20.7 for Spring Boot release and security update is now available. Issues addressed include denial of service, information leakage, and server-side request forgery vulnerabilities.
### Impact XSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( `<!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]>` could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML. ### Patches This issue has been patched in release 6.3.23 ### Workarounds None. ### References [MITRE CWE](https://cwe.mitre.org/data/definitions/611.html) [OWASP XML External Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory)
In Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client). This is fixed in the 4.5.10 version. Note this does not affect the Vert.x gRPC server based grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc)
An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token.
In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected and it is possible that memory consumption will continue to increase, eventually causing the application to run out of memory
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability