RHSA-2021:2139: Red Hat Security Advisory: Red Hat Data Grid 8.2.0 security update

A security update for Red Hat Data Grid is now available. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat Data Grid is a distributed, in-memory data store. This release of Red Hat Data Grid 8.2.0 serves as a replacement for Red Hat Data Grid 8.1.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

  • Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism (CVE-2021-31917)
  • XStream: Unsafe deserialization of javax.sql.rowset.BaseRowSet (CVE-2021-21344)
  • XStream: Unsafe deserialization of com.sun.corba.se.impl.activation.ServerTableEntry (CVE-2021-21345)
  • XStream: Unsafe deserialization of sun.swing.SwingLazyValue (CVE-2021-21346)
  • XStream: Unsafe deserialization of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator (CVE-2021-21347)
  • XStream: Unsafe deserialization of com.sun.org.apache.bcel.internal.util.ClassLoader (CVE-2021-21350)
  • Infinispan: Actions with effects should not be permitted via GET requests using REST API (CVE-2020-10771)
  • XStream: Server-Side Request Forgery vulnerability can be activated when unmarshalling (CVE-2020-26258)
  • XStream: arbitrary file deletion on the local host when unmarshalling (CVE-2020-26259)
  • netty: Information disclosure via the local system temporary directory (CVE-2021-21290)
  • netty: possible request smuggling in HTTP/2 due to missing validation (CVE-2021-21295)
  • XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream (CVE-2021-21341)
  • XStream: SSRF via crafted input stream (CVE-2021-21342)
  • XStream: arbitrary file deletion on the local host via crafted input stream (CVE-2021-21343)
  • XStream: ReDoS vulnerability (CVE-2021-21348)
  • XStream: SSRF can be activated when unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or on the local host (CVE-2021-21349)
  • XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream (CVE-2021-21351)
  • netty: Request smuggling via content-length header (CVE-2021-21409)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Related CVEs:
  • CVE-2020-10771: Infinispan: Actions with effects should not be permitted via GET requests using REST API
  • CVE-2020-26258: XStream: Server-Side Request Forgery vulnerability can be activated when unmarshalling
  • CVE-2020-26259: XStream: arbitrary file deletion on the local host when unmarshalling
  • CVE-2021-21290: netty: Information disclosure via the local system temporary directory
  • CVE-2021-21295: netty: possible request smuggling in HTTP/2 due to missing validation
  • CVE-2021-21341: XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream
  • CVE-2021-21342: XStream: SSRF via crafted input stream
  • CVE-2021-21343: XStream: arbitrary file deletion on the local host via crafted input stream
  • CVE-2021-21344: XStream: Unsafe deserialization of javax.sql.rowset.BaseRowSet
  • CVE-2021-21345: XStream: Unsafe deserialization of com.sun.corba.se.impl.activation.ServerTableEntry
  • CVE-2021-21346: XStream: Unsafe deserialization of sun.swing.SwingLazyValue
  • CVE-2021-21347: XStream: Unsafe deserialization of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator
  • CVE-2021-21348: XStream: ReDoS vulnerability
  • CVE-2021-21349: XStream: SSRF can be activated when unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or on the local host
  • CVE-2021-21350: XStream: Unsafe deserialization of com.sun.org.apache.bcel.internal.util.ClassLoader
  • CVE-2021-21351: XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream
  • CVE-2021-21409: netty: Request smuggling via content-length header
  • CVE-2021-31917: Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism
Red Hat Security Data