Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2021-31917
Vulnerability from cvelistv5
Published
2021-09-21 10:33
Modified
2024-08-03 23:10
Severity ?
EPSS score ?
Summary
A flaw was found in Red Hat DataGrid 8.x (8.0.0, 8.0.1, 8.1.0 and 8.1.1) and Infinispan (10.0.0 through 12.0.0). An attacker could bypass authentication on all REST endpoints when DIGEST is used as the authentication method. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Red Hat DataGrid and Infinispan |
Version: Red Hat DataGrid 8.x (8.0.0, 8.0.1, 8.1.0 and 8.1.1) and Infinispan (10.0.0 through 12.0.0) |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T23:10:31.025Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://access.redhat.com/security/cve/cve-2021-31917", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Red Hat DataGrid and Infinispan", vendor: "n/a", versions: [ { status: "affected", version: "Red Hat DataGrid 8.x (8.0.0, 8.0.1, 8.1.0 and 8.1.1) and Infinispan (10.0.0 through 12.0.0)", }, ], }, ], descriptions: [ { lang: "en", value: "A flaw was found in Red Hat DataGrid 8.x (8.0.0, 8.0.1, 8.1.0 and 8.1.1) and Infinispan (10.0.0 through 12.0.0). An attacker could bypass authentication on all REST endpoints when DIGEST is used as the authentication method. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-287", description: "CWE-287", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-09-21T10:33:41", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://access.redhat.com/security/cve/cve-2021-31917", }, ], }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2021-31917", datePublished: "2021-09-21T10:33:41", dateReserved: "2021-04-29T00:00:00", dateUpdated: "2024-08-03T23:10:31.025Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { fkie_nvd: { configurations: "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:infinispan:infinispan-server-rest:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"10.0.0\", \"versionEndExcluding\": \"11.0.12\", \"matchCriteriaId\": \"978D52A4-54C9-4313-865C-5A25418310E2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:infinispan:infinispan-server-rest:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"12.0.0\", \"versionEndExcluding\": \"12.1.4\", \"matchCriteriaId\": \"37A73FF1-F87A-4F7F-8397-A0CDE0CC819E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:data_grid:8.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3311F2A9-C028-4765-BF79-BC370D15550C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:data_grid:8.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C8C10C1A-33B4-49F6-8137-511BB641739D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:data_grid:8.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8F7608B9-936C-4804-94FE-BF886F8878E0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:data_grid:8.1.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FD402A4C-299D-494B-8EB8-557DB5072CD4\"}]}]}]", descriptions: "[{\"lang\": \"en\", \"value\": \"A flaw was found in Red Hat DataGrid 8.x (8.0.0, 8.0.1, 8.1.0 and 8.1.1) and Infinispan (10.0.0 through 12.0.0). An attacker could bypass authentication on all REST endpoints when DIGEST is used as the authentication method. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\"}, {\"lang\": \"es\", \"value\": \"Se ha encontrado un fallo en Red Hat DataGrid versiones 8.x (8.0.0, 8.0.1, 8.1.0 y 8.1.1) e Infinispan (10.0.0 a 12.0.0). Un atacante podr\\u00eda omitir la autenticaci\\u00f3n en todos los REST endpoints cuando es usado DIGEST como m\\u00e9todo de autenticaci\\u00f3n. La mayor amenaza de esta vulnerabilidad es la confidencialidad e integridad de los datos, as\\u00ed como la disponibilidad del sistema\"}]", id: "CVE-2021-31917", lastModified: "2024-11-21T06:06:30.433", metrics: "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}", published: "2021-09-21T11:15:07.953", references: "[{\"url\": \"https://access.redhat.com/security/cve/cve-2021-31917\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://access.redhat.com/security/cve/cve-2021-31917\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]", sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: "[{\"source\": \"secalert@redhat.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-287\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-287\"}]}]", }, nvd: "{\"cve\":{\"id\":\"CVE-2021-31917\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2021-09-21T11:15:07.953\",\"lastModified\":\"2024-11-21T06:06:30.433\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A flaw was found in Red Hat DataGrid 8.x (8.0.0, 8.0.1, 8.1.0 and 8.1.1) and Infinispan (10.0.0 through 12.0.0). An attacker could bypass authentication on all REST endpoints when DIGEST is used as the authentication method. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\"},{\"lang\":\"es\",\"value\":\"Se ha encontrado un fallo en Red Hat DataGrid versiones 8.x (8.0.0, 8.0.1, 8.1.0 y 8.1.1) e Infinispan (10.0.0 a 12.0.0). Un atacante podría omitir la autenticación en todos los REST endpoints cuando es usado DIGEST como método de autenticación. La mayor amenaza de esta vulnerabilidad es la confidencialidad e integridad de los datos, así como la disponibilidad del sistema\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:infinispan:infinispan-server-rest:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.0.0\",\"versionEndExcluding\":\"11.0.12\",\"matchCriteriaId\":\"978D52A4-54C9-4313-865C-5A25418310E2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:infinispan:infinispan-server-rest:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.0.0\",\"versionEndExcluding\":\"12.1.4\",\"matchCriteriaId\":\"37A73FF1-F87A-4F7F-8397-A0CDE0CC819E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:data_grid:8.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3311F2A9-C028-4765-BF79-BC370D15550C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:data_grid:8.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C8C10C1A-33B4-49F6-8137-511BB641739D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:data_grid:8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8F7608B9-936C-4804-94FE-BF886F8878E0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:data_grid:8.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FD402A4C-299D-494B-8EB8-557DB5072CD4\"}]}]}],\"references\":[{\"url\":\"https://access.redhat.com/security/cve/cve-2021-31917\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/security/cve/cve-2021-31917\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}", }, }
gsd-2021-31917
Vulnerability from gsd
Modified
2023-12-13 01:23
Details
A flaw was found in Red Hat DataGrid 8.x (8.0.0, 8.0.1, 8.1.0 and 8.1.1) and Infinispan (10.0.0 through 12.0.0). An attacker could bypass authentication on all REST endpoints when DIGEST is used as the authentication method. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Aliases
Aliases
{ GSD: { alias: "CVE-2021-31917", description: "A flaw was found in Red Hat DataGrid 8.x (8.0.0, 8.0.1, 8.1.0 and 8.1.1) and Infinispan (10.0.0 through 12.0.0). An attacker could bypass authentication on all REST endpoints when DIGEST is used as the authentication method. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", id: "GSD-2021-31917", references: [ "https://access.redhat.com/errata/RHSA-2021:2139", ], }, gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2021-31917", ], details: "A flaw was found in Red Hat DataGrid 8.x (8.0.0, 8.0.1, 8.1.0 and 8.1.1) and Infinispan (10.0.0 through 12.0.0). An attacker could bypass authentication on all REST endpoints when DIGEST is used as the authentication method. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", id: "GSD-2021-31917", modified: "2023-12-13T01:23:13.364931Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2021-31917", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Red Hat DataGrid and Infinispan", version: { version_data: [ { version_affected: "=", version_value: "Red Hat DataGrid 8.x (8.0.0, 8.0.1, 8.1.0 and 8.1.1) and Infinispan (10.0.0 through 12.0.0)", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A flaw was found in Red Hat DataGrid 8.x (8.0.0, 8.0.1, 8.1.0 and 8.1.1) and Infinispan (10.0.0 through 12.0.0). An attacker could bypass authentication on all REST endpoints when DIGEST is used as the authentication method. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", }, ], }, problemtype: { problemtype_data: [ { description: [ { cweId: "CWE-287", lang: "eng", value: "CWE-287", }, ], }, ], }, references: { reference_data: [ { name: "https://access.redhat.com/security/cve/cve-2021-31917", refsource: "MISC", url: "https://access.redhat.com/security/cve/cve-2021-31917", }, ], }, }, "nvd.nist.gov": { configurations: { CVE_data_version: "4.0", nodes: [ { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:infinispan:infinispan-server-rest:*:*:*:*:*:*:*:*", cpe_name: [], versionEndExcluding: "11.0.12", versionStartIncluding: "10.0.0", vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:infinispan:infinispan-server-rest:*:*:*:*:*:*:*:*", cpe_name: [], versionEndExcluding: "12.1.4", versionStartIncluding: "12.0.0", vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:redhat:data_grid:8.0.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:redhat:data_grid:8.0.1:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:redhat:data_grid:8.1.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:redhat:data_grid:8.1.1:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, ], operator: "OR", }, ], }, cve: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2021-31917", }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "en", value: "A flaw was found in Red Hat DataGrid 8.x (8.0.0, 8.0.1, 8.1.0 and 8.1.1) and Infinispan (10.0.0 through 12.0.0). An attacker could bypass authentication on all REST endpoints when DIGEST is used as the authentication method. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "en", value: "CWE-287", }, ], }, ], }, references: { reference_data: [ { name: "https://access.redhat.com/security/cve/cve-2021-31917", refsource: "MISC", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/cve-2021-31917", }, ], }, }, impact: { baseMetricV2: { acInsufInfo: false, cvssV2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, severity: "HIGH", userInteractionRequired: false, }, baseMetricV3: { cvssV3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, }, }, lastModifiedDate: "2022-01-11T16:21Z", publishedDate: "2021-09-21T11:15Z", }, }, }
RHSA-2021:2139
Vulnerability from csaf_redhat
Published
2021-05-26 21:49
Modified
2025-04-09 17:58
Summary
Red Hat Security Advisory: Red Hat Data Grid 8.2.0 security update
Notes
Topic
A security update for Red Hat Data Grid is now available.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Data Grid is a distributed, in-memory data store.
This release of Red Hat Data Grid 8.2.0 serves as a replacement for Red Hat Data Grid 8.1.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism (CVE-2021-31917)
* XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet (CVE-2021-21344)
* XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry (CVE-2021-21345)
* XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue (CVE-2021-21346)
* XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator (CVE-2021-21347)
* XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader (CVE-2021-21350)
* Infinispan: Actions with effects should not be permitted via GET requests using REST API (CVE-2020-10771)
* XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling (CVE-2020-26258)
* XStream: arbitrary file deletion on the local host when unmarshalling (CVE-2020-26259)
* netty: Information disclosure via the local system temporary directory (CVE-2021-21290)
* netty: possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295)
* XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream (CVE-2021-21341)
* XStream: SSRF via crafted input stream (CVE-2021-21342)
* XStream: arbitrary file deletion on the local host via crafted input stream (CVE-2021-21343)
* XStream: ReDoS vulnerability (CVE-2021-21348)
* XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host (CVE-2021-21349)
* XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream (CVE-2021-21351)
* netty: Request smuggling via content-length header (CVE-2021-21409)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Critical", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "A security update for Red Hat Data Grid is now available.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Data Grid is a distributed, in-memory data store.\n\nThis release of Red Hat Data Grid 8.2.0 serves as a replacement for Red Hat Data Grid 8.1.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism (CVE-2021-31917)\n\n* XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet (CVE-2021-21344)\n\n* XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry (CVE-2021-21345)\n\n* XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue (CVE-2021-21346)\n\n* XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator (CVE-2021-21347)\n\n* XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader (CVE-2021-21350)\n\n* Infinispan: Actions with effects should not be permitted via GET requests using REST API (CVE-2020-10771)\n\n* XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling (CVE-2020-26258)\n\n* XStream: arbitrary file deletion on the local host when unmarshalling (CVE-2020-26259)\n\n* netty: Information disclosure via the local system temporary directory (CVE-2021-21290)\n\n* netty: possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295)\n\n* XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream (CVE-2021-21341)\n\n* XStream: SSRF via crafted input stream (CVE-2021-21342)\n\n* XStream: arbitrary file deletion on the local host via crafted input stream (CVE-2021-21343)\n\n* XStream: ReDoS vulnerability (CVE-2021-21348)\n\n* XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host (CVE-2021-21349)\n\n* XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream (CVE-2021-21351)\n\n* netty: Request smuggling via content-length header (CVE-2021-21409)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2021:2139", url: "https://access.redhat.com/errata/RHSA-2021:2139", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#critical", url: "https://access.redhat.com/security/updates/classification/#critical", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=data.grid&version=8.2", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=data.grid&version=8.2", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.2/html/upgrading_data_grid/", url: "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.2/html/upgrading_data_grid/", }, { category: "external", summary: "1846293", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1846293", }, { category: "external", summary: "1908832", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1908832", }, { category: "external", summary: "1908837", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1908837", }, { category: "external", summary: "1927028", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1927028", }, { category: "external", summary: "1937364", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1937364", }, { category: "external", summary: "1942539", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942539", }, { category: "external", summary: "1942545", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942545", }, { category: "external", summary: "1942550", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942550", }, { category: "external", summary: "1942554", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942554", }, { category: "external", summary: "1942558", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942558", }, { category: "external", summary: "1942578", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942578", }, { category: "external", summary: "1942629", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942629", }, { category: "external", summary: "1942633", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942633", }, { category: "external", summary: "1942635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942635", }, { category: "external", summary: "1942637", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942637", }, { category: "external", summary: "1942642", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942642", }, { category: "external", summary: "1944888", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1944888", }, { category: "external", summary: "1955113", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1955113", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_2139.json", }, ], title: "Red Hat Security Advisory: Red Hat Data Grid 8.2.0 security update", tracking: { current_release_date: "2025-04-09T17:58:43+00:00", generator: { date: "2025-04-09T17:58:43+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2021:2139", initial_release_date: "2021-05-26T21:49:45+00:00", revision_history: [ { date: "2021-05-26T21:49:45+00:00", number: "1", summary: "Initial version", }, { date: "2021-05-26T21:49:45+00:00", number: "2", summary: "Last updated version", }, { date: "2025-04-09T17:58:43+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Data Grid 8.2.0", product: { name: "Red Hat Data Grid 8.2.0", product_id: "Red Hat Data Grid 8.2.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_data_grid:8", }, }, }, ], category: "product_family", name: "Red Hat JBoss Data Grid", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { acknowledgments: [ { names: [ "Diego Lovison", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2020-10771", cwe: { id: "CWE-352", name: "Cross-Site Request Forgery (CSRF)", }, discovery_date: "2020-03-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1846293", }, ], notes: [ { category: "description", text: "A flaw was found in infinispan-server-rest version 10, where it is possible to perform various actions that could have side effects using GET requests. This flaw allows an attacker to perform a Cross-site request forgery (CSRF) attack.", title: "Vulnerability description", }, { category: "summary", text: "infinispan-server-rest: Actions with effects should not be permitted via GET requests using REST API", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-10771", }, { category: "external", summary: "RHBZ#1846293", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1846293", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-10771", url: "https://www.cve.org/CVERecord?id=CVE-2020-10771", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-10771", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-10771", }, ], release_date: "2020-06-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.1, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "infinispan-server-rest: Actions with effects should not be permitted via GET requests using REST API", }, { cve: "CVE-2020-26258", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2020-12-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1908832", }, ], notes: [ { category: "description", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.", title: "Vulnerability description", }, { category: "summary", text: "XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers jenkins package with bundled XStream library. Due to JEP-200 Jenkins project [1] and advisory SECURITY-383 [2], OCP jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://www.jenkins.io/security/advisory/2017-02-01/ (see SECURITY-383 / CVE-2017-2608)", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-26258", }, { category: "external", summary: "RHBZ#1908832", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1908832", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-26258", url: "https://www.cve.org/CVERecord?id=CVE-2020-26258", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-26258", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-26258", }, ], release_date: "2020-12-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, { category: "workaround", details: "As recommended, use XStream's security framework to implement a whitelist for the allowed types.\n\nUsers of XStream 1.4.14 who insist to use XStream default blacklist - despite that clear recommendation - can simply add two lines to XStream's setup code:\n\nxstream.denyTypes(new String[]{ \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\.ReadAllStream\\\\$FileStream\" });\n\nUsers of XStream 1.4.13 who want to use XStream default blacklist can simply add three lines to XStream's setup code:\n\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\", \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\.ReadAllStream\\\\$FileStream\" });\n\nUsers of XStream 1.4.12 to 1.4.7 who want to use XStream with a blacklist will have to setup such a list from scratch and deny at least the following types: javax.imageio.ImageIO$ContainsFilter, java.beans.EventHandler, java.lang.ProcessBuilder, jdk.nashorn.internal.objects.NativeString, java.lang.Void and void and deny several types by name pattern.\n\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\", \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\$LazyIterator\", \"javax\\\\.crypto\\\\..*\", \".*\\\\.ReadAllStream\\\\$FileStream\" });\n\nUsers of XStream 1.4.6 or below can register an own converter to prevent the unmarshalling of the currently know critical types of the Java runtime. It is in fact an updated version of the workaround for CVE-2013-7285:\n\nxstream.registerConverter(new Converter() {\n public boolean canConvert(Class type) {\n return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class\n || type.getName().equals(\"javax.imageio.ImageIO$ContainsFilter\") || type.getName().equals(\"jdk.nashorn.internal.objects.NativeString\")\n || type == java.lang.Void.class || void.class || Proxy.isProxy(type)\n || type.getName().startsWith(\"javax.crypto.\") || type.getName().endsWith(\"$LazyIterator\") || type.getName().endsWith(\".ReadAllStream$FileStream\"));\n }\n\n public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {\n throw new ConversionException(\"Unsupported type due to security reasons.\");\n }\n\n public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {\n throw new ConversionException(\"Unsupported type due to security reasons.\");\n }\n}, XStream.PRIORITY_LOW);", product_ids: [ "Red Hat Data Grid 8.2.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling", }, { cve: "CVE-2020-26259", cwe: { id: "CWE-78", name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", }, discovery_date: "2020-12-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1908837", }, ], notes: [ { category: "description", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.", title: "Vulnerability description", }, { category: "summary", text: "XStream: arbitrary file deletion on the local host when unmarshalling", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers jenkins package with bundled XStream library. Due to JEP-200 Jenkins project [1] and advisory SECURITY-383 [2], OCP jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://www.jenkins.io/security/advisory/2017-02-01/ (see SECURITY-383 / CVE-2017-2608)", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-26259", }, { category: "external", summary: "RHBZ#1908837", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1908837", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-26259", url: "https://www.cve.org/CVERecord?id=CVE-2020-26259", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-26259", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-26259", }, ], release_date: "2020-12-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, { category: "workaround", details: "As recommended, use XStream's security framework to implement a whitelist for the allowed types.\n\nUsers of XStream 1.4.14 who insist to use XStream default blacklist - despite that clear recommendation - can simply add two lines to XStream's setup code:\n\nxstream.denyTypes(new String[]{ \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\.ReadAllStream\\\\$FileStream\" });\n\nUsers of XStream 1.4.13 who want to use XStream default blacklist can simply add three lines to XStream's setup code:\n\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\", \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\.ReadAllStream\\\\$FileStream\" });\n\nUsers of XStream 1.4.12 to 1.4.7 who want to use XStream with a blacklist will have to setup such a list from scratch and deny at least the following types: javax.imageio.ImageIO$ContainsFilter, java.beans.EventHandler, java.lang.ProcessBuilder, jdk.nashorn.internal.objects.NativeString, java.lang.Void and void and deny several types by name pattern.\n\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\", \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\$LazyIterator\", \"javax\\\\.crypto\\\\..*\", \".*\\\\.ReadAllStream\\\\$FileStream\" });\n\nUsers of XStream 1.4.6 or below can register an own converter to prevent the unmarshalling of the currently know critical types of the Java runtime. It is in fact an updated version of the workaround for CVE-2013-7285:\n\nxstream.registerConverter(new Converter() {\n public boolean canConvert(Class type) {\n return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class\n || type.getName().equals(\"javax.imageio.ImageIO$ContainsFilter\") || type.getName().equals(\"jdk.nashorn.internal.objects.NativeString\")\n || type == java.lang.Void.class || void.class || Proxy.isProxy(type)\n || type.getName().startsWith(\"javax.crypto.\") || type.getName().endsWith(\"$LazyIterator\") || type.getName().endsWith(\".ReadAllStream$FileStream\"));\n }\n\n public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {\n throw new ConversionException(\"Unsupported type due to security reasons.\");\n }\n\n public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {\n throw new ConversionException(\"Unsupported type due to security reasons.\");\n }\n}, XStream.PRIORITY_LOW);", product_ids: [ "Red Hat Data Grid 8.2.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.8, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "XStream: arbitrary file deletion on the local host when unmarshalling", }, { cve: "CVE-2021-21290", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2021-02-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1927028", }, ], notes: [ { category: "description", text: "In Netty there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, a local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure.", title: "Vulnerability description", }, { category: "summary", text: "netty: Information disclosure via the local system temporary directory", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21290", }, { category: "external", summary: "RHBZ#1927028", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1927028", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21290", url: "https://www.cve.org/CVERecord?id=CVE-2021-21290", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21290", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21290", }, ], release_date: "2021-02-09T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.2, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty: Information disclosure via the local system temporary directory", }, { cve: "CVE-2021-21295", cwe: { id: "CWE-444", name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, discovery_date: "2021-03-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1937364", }, ], notes: [ { category: "description", text: "In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling.", title: "Vulnerability description", }, { category: "summary", text: "netty: possible request smuggling in HTTP/2 due missing validation", title: "Vulnerability summary", }, { category: "other", text: "Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21295", }, { category: "external", summary: "RHBZ#1937364", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1937364", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21295", url: "https://www.cve.org/CVERecord?id=CVE-2021-21295", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21295", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21295", }, { category: "external", summary: "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj", url: "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj", }, ], release_date: "2021-03-09T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty: possible request smuggling in HTTP/2 due missing validation", }, { cve: "CVE-2021-21341", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942539", }, ], notes: [ { category: "description", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "Vulnerability description", }, { category: "summary", text: "XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21341", }, { category: "external", summary: "RHBZ#1942539", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942539", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21341", url: "https://www.cve.org/CVERecord?id=CVE-2021-21341", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21341", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21341", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream", }, { cve: "CVE-2021-21342", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942545", }, ], notes: [ { category: "description", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "Vulnerability description", }, { category: "summary", text: "XStream: SSRF via crafted input stream", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21342", }, { category: "external", summary: "RHBZ#1942545", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942545", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21342", url: "https://www.cve.org/CVERecord?id=CVE-2021-21342", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21342", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21342", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: SSRF via crafted input stream", }, { cve: "CVE-2021-21343", cwe: { id: "CWE-552", name: "Files or Directories Accessible to External Parties", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942550", }, ], notes: [ { category: "description", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "Vulnerability description", }, { category: "summary", text: "XStream: arbitrary file deletion on the local host via crafted input stream", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21343", }, { category: "external", summary: "RHBZ#1942550", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942550", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21343", url: "https://www.cve.org/CVERecord?id=CVE-2021-21343", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21343", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21343", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: arbitrary file deletion on the local host via crafted input stream", }, { cve: "CVE-2021-21344", cwe: { id: "CWE-434", name: "Unrestricted Upload of File with Dangerous Type", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942554", }, ], notes: [ { category: "description", text: "A flaw was found in xstream. A remote attacker may be able to load and execute arbitrary code from a remote host only by manipulating the processed input stream. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", title: "Vulnerability description", }, { category: "summary", text: "XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21344", }, { category: "external", summary: "RHBZ#1942554", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942554", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21344", url: "https://www.cve.org/CVERecord?id=CVE-2021-21344", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21344", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21344", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.3, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet", }, { cve: "CVE-2021-21345", cwe: { id: "CWE-94", name: "Improper Control of Generation of Code ('Code Injection')", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942558", }, ], notes: [ { category: "description", text: "A flaw was found in xstream. A remote attacker, who has sufficient rights, can execute commands of the host by manipulating the processed input stream. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", title: "Vulnerability description", }, { category: "summary", text: "XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21345", }, { category: "external", summary: "RHBZ#1942558", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942558", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21345", url: "https://www.cve.org/CVERecord?id=CVE-2021-21345", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21345", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21345", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry", }, { cve: "CVE-2021-21346", cwe: { id: "CWE-434", name: "Unrestricted Upload of File with Dangerous Type", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942578", }, ], notes: [ { category: "description", text: "A flaw was found in xstream. A remote attacker can load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", title: "Vulnerability description", }, { category: "summary", text: "XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21346", }, { category: "external", summary: "RHBZ#1942578", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942578", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21346", url: "https://www.cve.org/CVERecord?id=CVE-2021-21346", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21346", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21346", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue", }, { cve: "CVE-2021-21347", cwe: { id: "CWE-434", name: "Unrestricted Upload of File with Dangerous Type", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942629", }, ], notes: [ { category: "description", text: "A flaw was found in xstream. A remote attacker may be able to load and execute arbitrary code from a remote host only by manipulating the processed input stream. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", title: "Vulnerability description", }, { category: "summary", text: "XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21347", }, { category: "external", summary: "RHBZ#1942629", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942629", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21347", url: "https://www.cve.org/CVERecord?id=CVE-2021-21347", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21347", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21347", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator", }, { cve: "CVE-2021-21348", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942633", }, ], notes: [ { category: "description", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "Vulnerability description", }, { category: "summary", text: "XStream: ReDoS vulnerability", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21348", }, { category: "external", summary: "RHBZ#1942633", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942633", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21348", url: "https://www.cve.org/CVERecord?id=CVE-2021-21348", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21348", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21348", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: ReDoS vulnerability", }, { cve: "CVE-2021-21349", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942635", }, ], notes: [ { category: "description", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "Vulnerability description", }, { category: "summary", text: "XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21349", }, { category: "external", summary: "RHBZ#1942635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942635", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21349", url: "https://www.cve.org/CVERecord?id=CVE-2021-21349", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21349", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21349", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host", }, { cve: "CVE-2021-21350", cwe: { id: "CWE-434", name: "Unrestricted Upload of File with Dangerous Type", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942637", }, ], notes: [ { category: "description", text: "A flaw was found in xstream. A remote attacker may be able to execute arbitrary code only by manipulating the processed input stream. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", title: "Vulnerability description", }, { category: "summary", text: "XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21350", }, { category: "external", summary: "RHBZ#1942637", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942637", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21350", url: "https://www.cve.org/CVERecord?id=CVE-2021-21350", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21350", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21350", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader", }, { cve: "CVE-2021-21351", cwe: { id: "CWE-434", name: "Unrestricted Upload of File with Dangerous Type", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942642", }, ], notes: [ { category: "description", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "Vulnerability description", }, { category: "summary", text: "XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21351", }, { category: "external", summary: "RHBZ#1942642", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942642", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21351", url: "https://www.cve.org/CVERecord?id=CVE-2021-21351", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21351", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21351", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream", }, { cve: "CVE-2021-21409", cwe: { id: "CWE-444", name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, discovery_date: "2021-03-30T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1944888", }, ], notes: [ { category: "description", text: "A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.", title: "Vulnerability description", }, { category: "summary", text: "netty: Request smuggling via content-length header", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Satellite ships a vulnerable Netty version embedded in Candlepin. However, it is not directly vulnerable since the HTTP requests are handled by Tomcat and not by Netty.\nRed Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nIn OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec-http package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21409", }, { category: "external", summary: "RHBZ#1944888", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1944888", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21409", url: "https://www.cve.org/CVERecord?id=CVE-2021-21409", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21409", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21409", }, { category: "external", summary: "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32", url: "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32", }, ], release_date: "2021-03-30T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty: Request smuggling via content-length header", }, { acknowledgments: [ { names: [ "Ryan Emerson", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2021-31917", cwe: { id: "CWE-287", name: "Improper Authentication", }, discovery_date: "2021-04-29T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1955113", }, ], notes: [ { category: "description", text: "A flaw was found in Red Hat DataGrid and Infinispan. An attacker could bypass authentication on all REST endpoints when DIGEST is used as the authentication method. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", title: "Vulnerability description", }, { category: "summary", text: "Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-31917", }, { category: "external", summary: "RHBZ#1955113", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1955113", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-31917", url: "https://www.cve.org/CVERecord?id=CVE-2021-31917", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-31917", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-31917", }, ], release_date: "2021-05-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Critical", }, ], title: "Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism", }, ], }
rhsa-2021_2139
Vulnerability from csaf_redhat
Published
2021-05-26 21:49
Modified
2024-11-24 21:27
Summary
Red Hat Security Advisory: Red Hat Data Grid 8.2.0 security update
Notes
Topic
A security update for Red Hat Data Grid is now available.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Data Grid is a distributed, in-memory data store.
This release of Red Hat Data Grid 8.2.0 serves as a replacement for Red Hat Data Grid 8.1.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism (CVE-2021-31917)
* XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet (CVE-2021-21344)
* XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry (CVE-2021-21345)
* XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue (CVE-2021-21346)
* XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator (CVE-2021-21347)
* XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader (CVE-2021-21350)
* Infinispan: Actions with effects should not be permitted via GET requests using REST API (CVE-2020-10771)
* XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling (CVE-2020-26258)
* XStream: arbitrary file deletion on the local host when unmarshalling (CVE-2020-26259)
* netty: Information disclosure via the local system temporary directory (CVE-2021-21290)
* netty: possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295)
* XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream (CVE-2021-21341)
* XStream: SSRF via crafted input stream (CVE-2021-21342)
* XStream: arbitrary file deletion on the local host via crafted input stream (CVE-2021-21343)
* XStream: ReDoS vulnerability (CVE-2021-21348)
* XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host (CVE-2021-21349)
* XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream (CVE-2021-21351)
* netty: Request smuggling via content-length header (CVE-2021-21409)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Critical", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "A security update for Red Hat Data Grid is now available.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Data Grid is a distributed, in-memory data store.\n\nThis release of Red Hat Data Grid 8.2.0 serves as a replacement for Red Hat Data Grid 8.1.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism (CVE-2021-31917)\n\n* XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet (CVE-2021-21344)\n\n* XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry (CVE-2021-21345)\n\n* XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue (CVE-2021-21346)\n\n* XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator (CVE-2021-21347)\n\n* XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader (CVE-2021-21350)\n\n* Infinispan: Actions with effects should not be permitted via GET requests using REST API (CVE-2020-10771)\n\n* XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling (CVE-2020-26258)\n\n* XStream: arbitrary file deletion on the local host when unmarshalling (CVE-2020-26259)\n\n* netty: Information disclosure via the local system temporary directory (CVE-2021-21290)\n\n* netty: possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295)\n\n* XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream (CVE-2021-21341)\n\n* XStream: SSRF via crafted input stream (CVE-2021-21342)\n\n* XStream: arbitrary file deletion on the local host via crafted input stream (CVE-2021-21343)\n\n* XStream: ReDoS vulnerability (CVE-2021-21348)\n\n* XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host (CVE-2021-21349)\n\n* XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream (CVE-2021-21351)\n\n* netty: Request smuggling via content-length header (CVE-2021-21409)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2021:2139", url: "https://access.redhat.com/errata/RHSA-2021:2139", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#critical", url: "https://access.redhat.com/security/updates/classification/#critical", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=data.grid&version=8.2", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=data.grid&version=8.2", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.2/html/upgrading_data_grid/", url: "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.2/html/upgrading_data_grid/", }, { category: "external", summary: "1846293", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1846293", }, { category: "external", summary: "1908832", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1908832", }, { category: "external", summary: "1908837", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1908837", }, { category: "external", summary: "1927028", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1927028", }, { category: "external", summary: "1937364", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1937364", }, { category: "external", summary: "1942539", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942539", }, { category: "external", summary: "1942545", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942545", }, { category: "external", summary: "1942550", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942550", }, { category: "external", summary: "1942554", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942554", }, { category: "external", summary: "1942558", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942558", }, { category: "external", summary: "1942578", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942578", }, { category: "external", summary: "1942629", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942629", }, { category: "external", summary: "1942633", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942633", }, { category: "external", summary: "1942635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942635", }, { category: "external", summary: "1942637", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942637", }, { category: "external", summary: "1942642", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942642", }, { category: "external", summary: "1944888", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1944888", }, { category: "external", summary: "1955113", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1955113", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_2139.json", }, ], title: "Red Hat Security Advisory: Red Hat Data Grid 8.2.0 security update", tracking: { current_release_date: "2024-11-24T21:27:50+00:00", generator: { date: "2024-11-24T21:27:50+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2021:2139", initial_release_date: "2021-05-26T21:49:45+00:00", revision_history: [ { date: "2021-05-26T21:49:45+00:00", number: "1", summary: "Initial version", }, { date: "2021-05-26T21:49:45+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-24T21:27:50+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Data Grid 8.2.0", product: { name: "Red Hat Data Grid 8.2.0", product_id: "Red Hat Data Grid 8.2.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_data_grid:8", }, }, }, ], category: "product_family", name: "Red Hat JBoss Data Grid", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { acknowledgments: [ { names: [ "Diego Lovison", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2020-10771", cwe: { id: "CWE-352", name: "Cross-Site Request Forgery (CSRF)", }, discovery_date: "2020-03-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1846293", }, ], notes: [ { category: "description", text: "A flaw was found in infinispan-server-rest version 10, where it is possible to perform various actions that could have side effects using GET requests. This flaw allows an attacker to perform a Cross-site request forgery (CSRF) attack.", title: "Vulnerability description", }, { category: "summary", text: "infinispan-server-rest: Actions with effects should not be permitted via GET requests using REST API", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-10771", }, { category: "external", summary: "RHBZ#1846293", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1846293", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-10771", url: "https://www.cve.org/CVERecord?id=CVE-2020-10771", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-10771", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-10771", }, ], release_date: "2020-06-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.1, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "infinispan-server-rest: Actions with effects should not be permitted via GET requests using REST API", }, { cve: "CVE-2020-26258", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2020-12-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1908832", }, ], notes: [ { category: "description", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.", title: "Vulnerability description", }, { category: "summary", text: "XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers jenkins package with bundled XStream library. Due to JEP-200 Jenkins project [1] and advisory SECURITY-383 [2], OCP jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://www.jenkins.io/security/advisory/2017-02-01/ (see SECURITY-383 / CVE-2017-2608)", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-26258", }, { category: "external", summary: "RHBZ#1908832", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1908832", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-26258", url: "https://www.cve.org/CVERecord?id=CVE-2020-26258", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-26258", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-26258", }, ], release_date: "2020-12-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, { category: "workaround", details: "As recommended, use XStream's security framework to implement a whitelist for the allowed types.\n\nUsers of XStream 1.4.14 who insist to use XStream default blacklist - despite that clear recommendation - can simply add two lines to XStream's setup code:\n\nxstream.denyTypes(new String[]{ \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\.ReadAllStream\\\\$FileStream\" });\n\nUsers of XStream 1.4.13 who want to use XStream default blacklist can simply add three lines to XStream's setup code:\n\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\", \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\.ReadAllStream\\\\$FileStream\" });\n\nUsers of XStream 1.4.12 to 1.4.7 who want to use XStream with a blacklist will have to setup such a list from scratch and deny at least the following types: javax.imageio.ImageIO$ContainsFilter, java.beans.EventHandler, java.lang.ProcessBuilder, jdk.nashorn.internal.objects.NativeString, java.lang.Void and void and deny several types by name pattern.\n\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\", \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\$LazyIterator\", \"javax\\\\.crypto\\\\..*\", \".*\\\\.ReadAllStream\\\\$FileStream\" });\n\nUsers of XStream 1.4.6 or below can register an own converter to prevent the unmarshalling of the currently know critical types of the Java runtime. It is in fact an updated version of the workaround for CVE-2013-7285:\n\nxstream.registerConverter(new Converter() {\n public boolean canConvert(Class type) {\n return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class\n || type.getName().equals(\"javax.imageio.ImageIO$ContainsFilter\") || type.getName().equals(\"jdk.nashorn.internal.objects.NativeString\")\n || type == java.lang.Void.class || void.class || Proxy.isProxy(type)\n || type.getName().startsWith(\"javax.crypto.\") || type.getName().endsWith(\"$LazyIterator\") || type.getName().endsWith(\".ReadAllStream$FileStream\"));\n }\n\n public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {\n throw new ConversionException(\"Unsupported type due to security reasons.\");\n }\n\n public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {\n throw new ConversionException(\"Unsupported type due to security reasons.\");\n }\n}, XStream.PRIORITY_LOW);", product_ids: [ "Red Hat Data Grid 8.2.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling", }, { cve: "CVE-2020-26259", cwe: { id: "CWE-78", name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", }, discovery_date: "2020-12-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1908837", }, ], notes: [ { category: "description", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.", title: "Vulnerability description", }, { category: "summary", text: "XStream: arbitrary file deletion on the local host when unmarshalling", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers jenkins package with bundled XStream library. Due to JEP-200 Jenkins project [1] and advisory SECURITY-383 [2], OCP jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://www.jenkins.io/security/advisory/2017-02-01/ (see SECURITY-383 / CVE-2017-2608)", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-26259", }, { category: "external", summary: "RHBZ#1908837", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1908837", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-26259", url: "https://www.cve.org/CVERecord?id=CVE-2020-26259", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-26259", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-26259", }, ], release_date: "2020-12-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, { category: "workaround", details: "As recommended, use XStream's security framework to implement a whitelist for the allowed types.\n\nUsers of XStream 1.4.14 who insist to use XStream default blacklist - despite that clear recommendation - can simply add two lines to XStream's setup code:\n\nxstream.denyTypes(new String[]{ \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\.ReadAllStream\\\\$FileStream\" });\n\nUsers of XStream 1.4.13 who want to use XStream default blacklist can simply add three lines to XStream's setup code:\n\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\", \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\.ReadAllStream\\\\$FileStream\" });\n\nUsers of XStream 1.4.12 to 1.4.7 who want to use XStream with a blacklist will have to setup such a list from scratch and deny at least the following types: javax.imageio.ImageIO$ContainsFilter, java.beans.EventHandler, java.lang.ProcessBuilder, jdk.nashorn.internal.objects.NativeString, java.lang.Void and void and deny several types by name pattern.\n\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\", \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\$LazyIterator\", \"javax\\\\.crypto\\\\..*\", \".*\\\\.ReadAllStream\\\\$FileStream\" });\n\nUsers of XStream 1.4.6 or below can register an own converter to prevent the unmarshalling of the currently know critical types of the Java runtime. It is in fact an updated version of the workaround for CVE-2013-7285:\n\nxstream.registerConverter(new Converter() {\n public boolean canConvert(Class type) {\n return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class\n || type.getName().equals(\"javax.imageio.ImageIO$ContainsFilter\") || type.getName().equals(\"jdk.nashorn.internal.objects.NativeString\")\n || type == java.lang.Void.class || void.class || Proxy.isProxy(type)\n || type.getName().startsWith(\"javax.crypto.\") || type.getName().endsWith(\"$LazyIterator\") || type.getName().endsWith(\".ReadAllStream$FileStream\"));\n }\n\n public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {\n throw new ConversionException(\"Unsupported type due to security reasons.\");\n }\n\n public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {\n throw new ConversionException(\"Unsupported type due to security reasons.\");\n }\n}, XStream.PRIORITY_LOW);", product_ids: [ "Red Hat Data Grid 8.2.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.8, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "XStream: arbitrary file deletion on the local host when unmarshalling", }, { cve: "CVE-2021-21290", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2021-02-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1927028", }, ], notes: [ { category: "description", text: "In Netty there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, a local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure.", title: "Vulnerability description", }, { category: "summary", text: "netty: Information disclosure via the local system temporary directory", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21290", }, { category: "external", summary: "RHBZ#1927028", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1927028", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21290", url: "https://www.cve.org/CVERecord?id=CVE-2021-21290", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21290", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21290", }, ], release_date: "2021-02-09T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.2, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty: Information disclosure via the local system temporary directory", }, { cve: "CVE-2021-21295", cwe: { id: "CWE-444", name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, discovery_date: "2021-03-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1937364", }, ], notes: [ { category: "description", text: "In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling.", title: "Vulnerability description", }, { category: "summary", text: "netty: possible request smuggling in HTTP/2 due missing validation", title: "Vulnerability summary", }, { category: "other", text: "Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21295", }, { category: "external", summary: "RHBZ#1937364", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1937364", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21295", url: "https://www.cve.org/CVERecord?id=CVE-2021-21295", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21295", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21295", }, { category: "external", summary: "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj", url: "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj", }, ], release_date: "2021-03-09T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty: possible request smuggling in HTTP/2 due missing validation", }, { cve: "CVE-2021-21341", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942539", }, ], notes: [ { category: "description", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "Vulnerability description", }, { category: "summary", text: "XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21341", }, { category: "external", summary: "RHBZ#1942539", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942539", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21341", url: "https://www.cve.org/CVERecord?id=CVE-2021-21341", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21341", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21341", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream", }, { cve: "CVE-2021-21342", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942545", }, ], notes: [ { category: "description", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "Vulnerability description", }, { category: "summary", text: "XStream: SSRF via crafted input stream", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21342", }, { category: "external", summary: "RHBZ#1942545", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942545", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21342", url: "https://www.cve.org/CVERecord?id=CVE-2021-21342", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21342", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21342", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: SSRF via crafted input stream", }, { cve: "CVE-2021-21343", cwe: { id: "CWE-552", name: "Files or Directories Accessible to External Parties", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942550", }, ], notes: [ { category: "description", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "Vulnerability description", }, { category: "summary", text: "XStream: arbitrary file deletion on the local host via crafted input stream", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21343", }, { category: "external", summary: "RHBZ#1942550", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942550", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21343", url: "https://www.cve.org/CVERecord?id=CVE-2021-21343", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21343", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21343", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: arbitrary file deletion on the local host via crafted input stream", }, { cve: "CVE-2021-21344", cwe: { id: "CWE-434", name: "Unrestricted Upload of File with Dangerous Type", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942554", }, ], notes: [ { category: "description", text: "A flaw was found in xstream. A remote attacker may be able to load and execute arbitrary code from a remote host only by manipulating the processed input stream. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", title: "Vulnerability description", }, { category: "summary", text: "XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21344", }, { category: "external", summary: "RHBZ#1942554", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942554", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21344", url: "https://www.cve.org/CVERecord?id=CVE-2021-21344", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21344", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21344", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.3, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet", }, { cve: "CVE-2021-21345", cwe: { id: "CWE-94", name: "Improper Control of Generation of Code ('Code Injection')", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942558", }, ], notes: [ { category: "description", text: "A flaw was found in xstream. A remote attacker, who has sufficient rights, can execute commands of the host by manipulating the processed input stream. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", title: "Vulnerability description", }, { category: "summary", text: "XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21345", }, { category: "external", summary: "RHBZ#1942558", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942558", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21345", url: "https://www.cve.org/CVERecord?id=CVE-2021-21345", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21345", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21345", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry", }, { cve: "CVE-2021-21346", cwe: { id: "CWE-434", name: "Unrestricted Upload of File with Dangerous Type", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942578", }, ], notes: [ { category: "description", text: "A flaw was found in xstream. A remote attacker can load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", title: "Vulnerability description", }, { category: "summary", text: "XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21346", }, { category: "external", summary: "RHBZ#1942578", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942578", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21346", url: "https://www.cve.org/CVERecord?id=CVE-2021-21346", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21346", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21346", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue", }, { cve: "CVE-2021-21347", cwe: { id: "CWE-434", name: "Unrestricted Upload of File with Dangerous Type", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942629", }, ], notes: [ { category: "description", text: "A flaw was found in xstream. A remote attacker may be able to load and execute arbitrary code from a remote host only by manipulating the processed input stream. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", title: "Vulnerability description", }, { category: "summary", text: "XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21347", }, { category: "external", summary: "RHBZ#1942629", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942629", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21347", url: "https://www.cve.org/CVERecord?id=CVE-2021-21347", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21347", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21347", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator", }, { cve: "CVE-2021-21348", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942633", }, ], notes: [ { category: "description", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "Vulnerability description", }, { category: "summary", text: "XStream: ReDoS vulnerability", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21348", }, { category: "external", summary: "RHBZ#1942633", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942633", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21348", url: "https://www.cve.org/CVERecord?id=CVE-2021-21348", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21348", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21348", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: ReDoS vulnerability", }, { cve: "CVE-2021-21349", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942635", }, ], notes: [ { category: "description", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "Vulnerability description", }, { category: "summary", text: "XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21349", }, { category: "external", summary: "RHBZ#1942635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942635", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21349", url: "https://www.cve.org/CVERecord?id=CVE-2021-21349", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21349", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21349", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host", }, { cve: "CVE-2021-21350", cwe: { id: "CWE-434", name: "Unrestricted Upload of File with Dangerous Type", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942637", }, ], notes: [ { category: "description", text: "A flaw was found in xstream. A remote attacker may be able to execute arbitrary code only by manipulating the processed input stream. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", title: "Vulnerability description", }, { category: "summary", text: "XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21350", }, { category: "external", summary: "RHBZ#1942637", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942637", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21350", url: "https://www.cve.org/CVERecord?id=CVE-2021-21350", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21350", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21350", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader", }, { cve: "CVE-2021-21351", cwe: { id: "CWE-434", name: "Unrestricted Upload of File with Dangerous Type", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942642", }, ], notes: [ { category: "description", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "Vulnerability description", }, { category: "summary", text: "XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21351", }, { category: "external", summary: "RHBZ#1942642", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942642", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21351", url: "https://www.cve.org/CVERecord?id=CVE-2021-21351", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21351", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21351", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream", }, { cve: "CVE-2021-21409", cwe: { id: "CWE-444", name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, discovery_date: "2021-03-30T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1944888", }, ], notes: [ { category: "description", text: "A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.", title: "Vulnerability description", }, { category: "summary", text: "netty: Request smuggling via content-length header", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Satellite ships a vulnerable Netty version embedded in Candlepin. However, it is not directly vulnerable since the HTTP requests are handled by Tomcat and not by Netty.\nRed Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nIn OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec-http package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21409", }, { category: "external", summary: "RHBZ#1944888", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1944888", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21409", url: "https://www.cve.org/CVERecord?id=CVE-2021-21409", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21409", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21409", }, { category: "external", summary: "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32", url: "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32", }, ], release_date: "2021-03-30T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty: Request smuggling via content-length header", }, { acknowledgments: [ { names: [ "Ryan Emerson", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2021-31917", cwe: { id: "CWE-287", name: "Improper Authentication", }, discovery_date: "2021-04-29T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1955113", }, ], notes: [ { category: "description", text: "A flaw was found in Red Hat DataGrid and Infinispan. An attacker could bypass authentication on all REST endpoints when DIGEST is used as the authentication method. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", title: "Vulnerability description", }, { category: "summary", text: "Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-31917", }, { category: "external", summary: "RHBZ#1955113", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1955113", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-31917", url: "https://www.cve.org/CVERecord?id=CVE-2021-31917", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-31917", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-31917", }, ], release_date: "2021-05-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Critical", }, ], title: "Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism", }, ], }
rhsa-2021:2139
Vulnerability from csaf_redhat
Published
2021-05-26 21:49
Modified
2025-04-09 17:58
Summary
Red Hat Security Advisory: Red Hat Data Grid 8.2.0 security update
Notes
Topic
A security update for Red Hat Data Grid is now available.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Data Grid is a distributed, in-memory data store.
This release of Red Hat Data Grid 8.2.0 serves as a replacement for Red Hat Data Grid 8.1.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism (CVE-2021-31917)
* XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet (CVE-2021-21344)
* XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry (CVE-2021-21345)
* XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue (CVE-2021-21346)
* XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator (CVE-2021-21347)
* XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader (CVE-2021-21350)
* Infinispan: Actions with effects should not be permitted via GET requests using REST API (CVE-2020-10771)
* XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling (CVE-2020-26258)
* XStream: arbitrary file deletion on the local host when unmarshalling (CVE-2020-26259)
* netty: Information disclosure via the local system temporary directory (CVE-2021-21290)
* netty: possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295)
* XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream (CVE-2021-21341)
* XStream: SSRF via crafted input stream (CVE-2021-21342)
* XStream: arbitrary file deletion on the local host via crafted input stream (CVE-2021-21343)
* XStream: ReDoS vulnerability (CVE-2021-21348)
* XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host (CVE-2021-21349)
* XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream (CVE-2021-21351)
* netty: Request smuggling via content-length header (CVE-2021-21409)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Critical", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "A security update for Red Hat Data Grid is now available.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Data Grid is a distributed, in-memory data store.\n\nThis release of Red Hat Data Grid 8.2.0 serves as a replacement for Red Hat Data Grid 8.1.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism (CVE-2021-31917)\n\n* XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet (CVE-2021-21344)\n\n* XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry (CVE-2021-21345)\n\n* XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue (CVE-2021-21346)\n\n* XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator (CVE-2021-21347)\n\n* XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader (CVE-2021-21350)\n\n* Infinispan: Actions with effects should not be permitted via GET requests using REST API (CVE-2020-10771)\n\n* XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling (CVE-2020-26258)\n\n* XStream: arbitrary file deletion on the local host when unmarshalling (CVE-2020-26259)\n\n* netty: Information disclosure via the local system temporary directory (CVE-2021-21290)\n\n* netty: possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295)\n\n* XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream (CVE-2021-21341)\n\n* XStream: SSRF via crafted input stream (CVE-2021-21342)\n\n* XStream: arbitrary file deletion on the local host via crafted input stream (CVE-2021-21343)\n\n* XStream: ReDoS vulnerability (CVE-2021-21348)\n\n* XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host (CVE-2021-21349)\n\n* XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream (CVE-2021-21351)\n\n* netty: Request smuggling via content-length header (CVE-2021-21409)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2021:2139", url: "https://access.redhat.com/errata/RHSA-2021:2139", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#critical", url: "https://access.redhat.com/security/updates/classification/#critical", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=data.grid&version=8.2", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=data.grid&version=8.2", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.2/html/upgrading_data_grid/", url: "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.2/html/upgrading_data_grid/", }, { category: "external", summary: "1846293", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1846293", }, { category: "external", summary: "1908832", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1908832", }, { category: "external", summary: "1908837", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1908837", }, { category: "external", summary: "1927028", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1927028", }, { category: "external", summary: "1937364", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1937364", }, { category: "external", summary: "1942539", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942539", }, { category: "external", summary: "1942545", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942545", }, { category: "external", summary: "1942550", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942550", }, { category: "external", summary: "1942554", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942554", }, { category: "external", summary: "1942558", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942558", }, { category: "external", summary: "1942578", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942578", }, { category: "external", summary: "1942629", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942629", }, { category: "external", summary: "1942633", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942633", }, { category: "external", summary: "1942635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942635", }, { category: "external", summary: "1942637", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942637", }, { category: "external", summary: "1942642", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942642", }, { category: "external", summary: "1944888", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1944888", }, { category: "external", summary: "1955113", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1955113", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_2139.json", }, ], title: "Red Hat Security Advisory: Red Hat Data Grid 8.2.0 security update", tracking: { current_release_date: "2025-04-09T17:58:43+00:00", generator: { date: "2025-04-09T17:58:43+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2021:2139", initial_release_date: "2021-05-26T21:49:45+00:00", revision_history: [ { date: "2021-05-26T21:49:45+00:00", number: "1", summary: "Initial version", }, { date: "2021-05-26T21:49:45+00:00", number: "2", summary: "Last updated version", }, { date: "2025-04-09T17:58:43+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Data Grid 8.2.0", product: { name: "Red Hat Data Grid 8.2.0", product_id: "Red Hat Data Grid 8.2.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_data_grid:8", }, }, }, ], category: "product_family", name: "Red Hat JBoss Data Grid", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { acknowledgments: [ { names: [ "Diego Lovison", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2020-10771", cwe: { id: "CWE-352", name: "Cross-Site Request Forgery (CSRF)", }, discovery_date: "2020-03-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1846293", }, ], notes: [ { category: "description", text: "A flaw was found in infinispan-server-rest version 10, where it is possible to perform various actions that could have side effects using GET requests. This flaw allows an attacker to perform a Cross-site request forgery (CSRF) attack.", title: "Vulnerability description", }, { category: "summary", text: "infinispan-server-rest: Actions with effects should not be permitted via GET requests using REST API", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-10771", }, { category: "external", summary: "RHBZ#1846293", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1846293", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-10771", url: "https://www.cve.org/CVERecord?id=CVE-2020-10771", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-10771", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-10771", }, ], release_date: "2020-06-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.1, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "infinispan-server-rest: Actions with effects should not be permitted via GET requests using REST API", }, { cve: "CVE-2020-26258", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2020-12-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1908832", }, ], notes: [ { category: "description", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.", title: "Vulnerability description", }, { category: "summary", text: "XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers jenkins package with bundled XStream library. Due to JEP-200 Jenkins project [1] and advisory SECURITY-383 [2], OCP jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://www.jenkins.io/security/advisory/2017-02-01/ (see SECURITY-383 / CVE-2017-2608)", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-26258", }, { category: "external", summary: "RHBZ#1908832", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1908832", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-26258", url: "https://www.cve.org/CVERecord?id=CVE-2020-26258", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-26258", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-26258", }, ], release_date: "2020-12-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, { category: "workaround", details: "As recommended, use XStream's security framework to implement a whitelist for the allowed types.\n\nUsers of XStream 1.4.14 who insist to use XStream default blacklist - despite that clear recommendation - can simply add two lines to XStream's setup code:\n\nxstream.denyTypes(new String[]{ \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\.ReadAllStream\\\\$FileStream\" });\n\nUsers of XStream 1.4.13 who want to use XStream default blacklist can simply add three lines to XStream's setup code:\n\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\", \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\.ReadAllStream\\\\$FileStream\" });\n\nUsers of XStream 1.4.12 to 1.4.7 who want to use XStream with a blacklist will have to setup such a list from scratch and deny at least the following types: javax.imageio.ImageIO$ContainsFilter, java.beans.EventHandler, java.lang.ProcessBuilder, jdk.nashorn.internal.objects.NativeString, java.lang.Void and void and deny several types by name pattern.\n\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\", \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\$LazyIterator\", \"javax\\\\.crypto\\\\..*\", \".*\\\\.ReadAllStream\\\\$FileStream\" });\n\nUsers of XStream 1.4.6 or below can register an own converter to prevent the unmarshalling of the currently know critical types of the Java runtime. It is in fact an updated version of the workaround for CVE-2013-7285:\n\nxstream.registerConverter(new Converter() {\n public boolean canConvert(Class type) {\n return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class\n || type.getName().equals(\"javax.imageio.ImageIO$ContainsFilter\") || type.getName().equals(\"jdk.nashorn.internal.objects.NativeString\")\n || type == java.lang.Void.class || void.class || Proxy.isProxy(type)\n || type.getName().startsWith(\"javax.crypto.\") || type.getName().endsWith(\"$LazyIterator\") || type.getName().endsWith(\".ReadAllStream$FileStream\"));\n }\n\n public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {\n throw new ConversionException(\"Unsupported type due to security reasons.\");\n }\n\n public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {\n throw new ConversionException(\"Unsupported type due to security reasons.\");\n }\n}, XStream.PRIORITY_LOW);", product_ids: [ "Red Hat Data Grid 8.2.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling", }, { cve: "CVE-2020-26259", cwe: { id: "CWE-78", name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", }, discovery_date: "2020-12-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1908837", }, ], notes: [ { category: "description", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.", title: "Vulnerability description", }, { category: "summary", text: "XStream: arbitrary file deletion on the local host when unmarshalling", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers jenkins package with bundled XStream library. Due to JEP-200 Jenkins project [1] and advisory SECURITY-383 [2], OCP jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://www.jenkins.io/security/advisory/2017-02-01/ (see SECURITY-383 / CVE-2017-2608)", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-26259", }, { category: "external", summary: "RHBZ#1908837", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1908837", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-26259", url: "https://www.cve.org/CVERecord?id=CVE-2020-26259", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-26259", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-26259", }, ], release_date: "2020-12-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, { category: "workaround", details: "As recommended, use XStream's security framework to implement a whitelist for the allowed types.\n\nUsers of XStream 1.4.14 who insist to use XStream default blacklist - despite that clear recommendation - can simply add two lines to XStream's setup code:\n\nxstream.denyTypes(new String[]{ \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\.ReadAllStream\\\\$FileStream\" });\n\nUsers of XStream 1.4.13 who want to use XStream default blacklist can simply add three lines to XStream's setup code:\n\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\", \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\.ReadAllStream\\\\$FileStream\" });\n\nUsers of XStream 1.4.12 to 1.4.7 who want to use XStream with a blacklist will have to setup such a list from scratch and deny at least the following types: javax.imageio.ImageIO$ContainsFilter, java.beans.EventHandler, java.lang.ProcessBuilder, jdk.nashorn.internal.objects.NativeString, java.lang.Void and void and deny several types by name pattern.\n\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\", \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\$LazyIterator\", \"javax\\\\.crypto\\\\..*\", \".*\\\\.ReadAllStream\\\\$FileStream\" });\n\nUsers of XStream 1.4.6 or below can register an own converter to prevent the unmarshalling of the currently know critical types of the Java runtime. It is in fact an updated version of the workaround for CVE-2013-7285:\n\nxstream.registerConverter(new Converter() {\n public boolean canConvert(Class type) {\n return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class\n || type.getName().equals(\"javax.imageio.ImageIO$ContainsFilter\") || type.getName().equals(\"jdk.nashorn.internal.objects.NativeString\")\n || type == java.lang.Void.class || void.class || Proxy.isProxy(type)\n || type.getName().startsWith(\"javax.crypto.\") || type.getName().endsWith(\"$LazyIterator\") || type.getName().endsWith(\".ReadAllStream$FileStream\"));\n }\n\n public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {\n throw new ConversionException(\"Unsupported type due to security reasons.\");\n }\n\n public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {\n throw new ConversionException(\"Unsupported type due to security reasons.\");\n }\n}, XStream.PRIORITY_LOW);", product_ids: [ "Red Hat Data Grid 8.2.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.8, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "XStream: arbitrary file deletion on the local host when unmarshalling", }, { cve: "CVE-2021-21290", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2021-02-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1927028", }, ], notes: [ { category: "description", text: "In Netty there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, a local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure.", title: "Vulnerability description", }, { category: "summary", text: "netty: Information disclosure via the local system temporary directory", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21290", }, { category: "external", summary: "RHBZ#1927028", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1927028", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21290", url: "https://www.cve.org/CVERecord?id=CVE-2021-21290", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21290", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21290", }, ], release_date: "2021-02-09T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.2, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty: Information disclosure via the local system temporary directory", }, { cve: "CVE-2021-21295", cwe: { id: "CWE-444", name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, discovery_date: "2021-03-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1937364", }, ], notes: [ { category: "description", text: "In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling.", title: "Vulnerability description", }, { category: "summary", text: "netty: possible request smuggling in HTTP/2 due missing validation", title: "Vulnerability summary", }, { category: "other", text: "Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21295", }, { category: "external", summary: "RHBZ#1937364", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1937364", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21295", url: "https://www.cve.org/CVERecord?id=CVE-2021-21295", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21295", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21295", }, { category: "external", summary: "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj", url: "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj", }, ], release_date: "2021-03-09T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty: possible request smuggling in HTTP/2 due missing validation", }, { cve: "CVE-2021-21341", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942539", }, ], notes: [ { category: "description", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "Vulnerability description", }, { category: "summary", text: "XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21341", }, { category: "external", summary: "RHBZ#1942539", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942539", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21341", url: "https://www.cve.org/CVERecord?id=CVE-2021-21341", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21341", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21341", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream", }, { cve: "CVE-2021-21342", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942545", }, ], notes: [ { category: "description", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "Vulnerability description", }, { category: "summary", text: "XStream: SSRF via crafted input stream", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21342", }, { category: "external", summary: "RHBZ#1942545", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942545", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21342", url: "https://www.cve.org/CVERecord?id=CVE-2021-21342", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21342", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21342", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: SSRF via crafted input stream", }, { cve: "CVE-2021-21343", cwe: { id: "CWE-552", name: "Files or Directories Accessible to External Parties", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942550", }, ], notes: [ { category: "description", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "Vulnerability description", }, { category: "summary", text: "XStream: arbitrary file deletion on the local host via crafted input stream", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21343", }, { category: "external", summary: "RHBZ#1942550", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942550", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21343", url: "https://www.cve.org/CVERecord?id=CVE-2021-21343", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21343", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21343", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: arbitrary file deletion on the local host via crafted input stream", }, { cve: "CVE-2021-21344", cwe: { id: "CWE-434", name: "Unrestricted Upload of File with Dangerous Type", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942554", }, ], notes: [ { category: "description", text: "A flaw was found in xstream. A remote attacker may be able to load and execute arbitrary code from a remote host only by manipulating the processed input stream. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", title: "Vulnerability description", }, { category: "summary", text: "XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21344", }, { category: "external", summary: "RHBZ#1942554", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942554", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21344", url: "https://www.cve.org/CVERecord?id=CVE-2021-21344", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21344", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21344", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.3, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet", }, { cve: "CVE-2021-21345", cwe: { id: "CWE-94", name: "Improper Control of Generation of Code ('Code Injection')", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942558", }, ], notes: [ { category: "description", text: "A flaw was found in xstream. A remote attacker, who has sufficient rights, can execute commands of the host by manipulating the processed input stream. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", title: "Vulnerability description", }, { category: "summary", text: "XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21345", }, { category: "external", summary: "RHBZ#1942558", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942558", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21345", url: "https://www.cve.org/CVERecord?id=CVE-2021-21345", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21345", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21345", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry", }, { cve: "CVE-2021-21346", cwe: { id: "CWE-434", name: "Unrestricted Upload of File with Dangerous Type", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942578", }, ], notes: [ { category: "description", text: "A flaw was found in xstream. A remote attacker can load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", title: "Vulnerability description", }, { category: "summary", text: "XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21346", }, { category: "external", summary: "RHBZ#1942578", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942578", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21346", url: "https://www.cve.org/CVERecord?id=CVE-2021-21346", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21346", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21346", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue", }, { cve: "CVE-2021-21347", cwe: { id: "CWE-434", name: "Unrestricted Upload of File with Dangerous Type", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942629", }, ], notes: [ { category: "description", text: "A flaw was found in xstream. A remote attacker may be able to load and execute arbitrary code from a remote host only by manipulating the processed input stream. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", title: "Vulnerability description", }, { category: "summary", text: "XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21347", }, { category: "external", summary: "RHBZ#1942629", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942629", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21347", url: "https://www.cve.org/CVERecord?id=CVE-2021-21347", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21347", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21347", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator", }, { cve: "CVE-2021-21348", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942633", }, ], notes: [ { category: "description", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "Vulnerability description", }, { category: "summary", text: "XStream: ReDoS vulnerability", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21348", }, { category: "external", summary: "RHBZ#1942633", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942633", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21348", url: "https://www.cve.org/CVERecord?id=CVE-2021-21348", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21348", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21348", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: ReDoS vulnerability", }, { cve: "CVE-2021-21349", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942635", }, ], notes: [ { category: "description", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "Vulnerability description", }, { category: "summary", text: "XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21349", }, { category: "external", summary: "RHBZ#1942635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942635", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21349", url: "https://www.cve.org/CVERecord?id=CVE-2021-21349", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21349", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21349", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host", }, { cve: "CVE-2021-21350", cwe: { id: "CWE-434", name: "Unrestricted Upload of File with Dangerous Type", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942637", }, ], notes: [ { category: "description", text: "A flaw was found in xstream. A remote attacker may be able to execute arbitrary code only by manipulating the processed input stream. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", title: "Vulnerability description", }, { category: "summary", text: "XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21350", }, { category: "external", summary: "RHBZ#1942637", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942637", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21350", url: "https://www.cve.org/CVERecord?id=CVE-2021-21350", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21350", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21350", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader", }, { cve: "CVE-2021-21351", cwe: { id: "CWE-434", name: "Unrestricted Upload of File with Dangerous Type", }, discovery_date: "2021-03-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1942642", }, ], notes: [ { category: "description", text: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.", title: "Vulnerability description", }, { category: "summary", text: "XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream", title: "Vulnerability summary", }, { category: "other", text: "OpenShift Container Platform (OCP) delivers Jenkins LTS package with bundled XStream library. Due to JEP-200 [1] and JEP-228 [2] Jenkins projects, OCP Jenkins package is not affected by this flaw.\n\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://github.com/jenkinsci/jep/blob/master/jep/228/README.adoc#security", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21351", }, { category: "external", summary: "RHBZ#1942642", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1942642", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21351", url: "https://www.cve.org/CVERecord?id=CVE-2021-21351", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21351", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21351", }, ], release_date: "2021-03-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream", }, { cve: "CVE-2021-21409", cwe: { id: "CWE-444", name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, discovery_date: "2021-03-30T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1944888", }, ], notes: [ { category: "description", text: "A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.", title: "Vulnerability description", }, { category: "summary", text: "netty: Request smuggling via content-length header", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Satellite ships a vulnerable Netty version embedded in Candlepin. However, it is not directly vulnerable since the HTTP requests are handled by Tomcat and not by Netty.\nRed Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nIn OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec-http package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-21409", }, { category: "external", summary: "RHBZ#1944888", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1944888", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-21409", url: "https://www.cve.org/CVERecord?id=CVE-2021-21409", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-21409", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-21409", }, { category: "external", summary: "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32", url: "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32", }, ], release_date: "2021-03-30T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty: Request smuggling via content-length header", }, { acknowledgments: [ { names: [ "Ryan Emerson", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2021-31917", cwe: { id: "CWE-287", name: "Improper Authentication", }, discovery_date: "2021-04-29T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1955113", }, ], notes: [ { category: "description", text: "A flaw was found in Red Hat DataGrid and Infinispan. An attacker could bypass authentication on all REST endpoints when DIGEST is used as the authentication method. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", title: "Vulnerability description", }, { category: "summary", text: "Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid 8.2.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-31917", }, { category: "external", summary: "RHBZ#1955113", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1955113", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-31917", url: "https://www.cve.org/CVERecord?id=CVE-2021-31917", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-31917", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-31917", }, ], release_date: "2021-05-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2021-05-26T21:49:45+00:00", details: "Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Data Grid 8.2.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2021:2139", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Data Grid 8.2.0", ], }, ], threats: [ { category: "impact", details: "Critical", }, ], title: "Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism", }, ], }
ghsa-gwqg-r7f7-jjw4
Vulnerability from github
Published
2022-05-24 19:15
Modified
2022-05-24 19:15
Details
A flaw was found in Red Hat DataGrid 8.x (8.0.0, 8.0.1, 8.1.0 and 8.1.1) and Infinispan (10.0.0 through 12.0.0). An attacker could bypass authentication on all REST endpoints when DIGEST is used as the authentication method. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
{ affected: [], aliases: [ "CVE-2021-31917", ], database_specific: { cwe_ids: [ "CWE-287", ], github_reviewed: false, github_reviewed_at: null, nvd_published_at: "2021-09-21T11:15:00Z", severity: "CRITICAL", }, details: "A flaw was found in Red Hat DataGrid 8.x (8.0.0, 8.0.1, 8.1.0 and 8.1.1) and Infinispan (10.0.0 through 12.0.0). An attacker could bypass authentication on all REST endpoints when DIGEST is used as the authentication method. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", id: "GHSA-gwqg-r7f7-jjw4", modified: "2022-05-24T19:15:23Z", published: "2022-05-24T19:15:23Z", references: [ { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-31917", }, { type: "WEB", url: "https://access.redhat.com/security/cve/cve-2021-31917", }, ], schema_version: "1.4.0", severity: [], }
fkie_cve-2021-31917
Vulnerability from fkie_nvd
Published
2021-09-21 11:15
Modified
2024-11-21 06:06
Severity ?
Summary
A flaw was found in Red Hat DataGrid 8.x (8.0.0, 8.0.1, 8.1.0 and 8.1.1) and Infinispan (10.0.0 through 12.0.0). An attacker could bypass authentication on all REST endpoints when DIGEST is used as the authentication method. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| infinispan | infinispan-server-rest | * | |
| infinispan | infinispan-server-rest | * | |
| redhat | data_grid | 8.0.0 | |
| redhat | data_grid | 8.0.1 | |
| redhat | data_grid | 8.1.0 | |
| redhat | data_grid | 8.1.1 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:infinispan:infinispan-server-rest:*:*:*:*:*:*:*:*", matchCriteriaId: "978D52A4-54C9-4313-865C-5A25418310E2", versionEndExcluding: "11.0.12", versionStartIncluding: "10.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:infinispan:infinispan-server-rest:*:*:*:*:*:*:*:*", matchCriteriaId: "37A73FF1-F87A-4F7F-8397-A0CDE0CC819E", versionEndExcluding: "12.1.4", versionStartIncluding: "12.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:data_grid:8.0.0:*:*:*:*:*:*:*", matchCriteriaId: "3311F2A9-C028-4765-BF79-BC370D15550C", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:data_grid:8.0.1:*:*:*:*:*:*:*", matchCriteriaId: "C8C10C1A-33B4-49F6-8137-511BB641739D", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:data_grid:8.1.0:*:*:*:*:*:*:*", matchCriteriaId: "8F7608B9-936C-4804-94FE-BF886F8878E0", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:data_grid:8.1.1:*:*:*:*:*:*:*", matchCriteriaId: "FD402A4C-299D-494B-8EB8-557DB5072CD4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A flaw was found in Red Hat DataGrid 8.x (8.0.0, 8.0.1, 8.1.0 and 8.1.1) and Infinispan (10.0.0 through 12.0.0). An attacker could bypass authentication on all REST endpoints when DIGEST is used as the authentication method. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", }, { lang: "es", value: "Se ha encontrado un fallo en Red Hat DataGrid versiones 8.x (8.0.0, 8.0.1, 8.1.0 y 8.1.1) e Infinispan (10.0.0 a 12.0.0). Un atacante podría omitir la autenticación en todos los REST endpoints cuando es usado DIGEST como método de autenticación. La mayor amenaza de esta vulnerabilidad es la confidencialidad e integridad de los datos, así como la disponibilidad del sistema", }, ], id: "CVE-2021-31917", lastModified: "2024-11-21T06:06:30.433", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-09-21T11:15:07.953", references: [ { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/cve-2021-31917", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/cve-2021-31917", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-287", }, ], source: "secalert@redhat.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-287", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.