rhsa-2021_4012
Vulnerability from csaf_redhat
Published
2021-10-28 07:52
Modified
2024-11-15 08:44
Summary
Red Hat Security Advisory: Red Hat support for Spring Boot 2.4.9 security update

Notes

Topic
An update is now available for Red Hat support for Spring Boot. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.
Details
Red Hat support for Spring Boot provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform. This release of Red Hat support for Spring Boot 2.4.9 serves as a replacement for Red Hat support for Spring Boot 2.3.10 and includes security, bug fixes, and enhancements. For more information, see the release notes listed in the References section. Security Fix(es): * tomcat: Apache Tomcat HTTP/2 Request mix-up (CVE-2020-13943) * tomcat: HTTP/2 request header mix-up (CVE-2020-17527) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for Red Hat support for Spring Boot.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat support for Spring Boot provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform.\n\nThis release of Red Hat support for Spring Boot 2.4.9 serves as a replacement for Red Hat support for Spring Boot 2.3.10 and includes security, bug fixes, and enhancements. For more information, see the release notes listed in the References section.\n\nSecurity Fix(es):\n\n* tomcat: Apache Tomcat HTTP/2 Request mix-up (CVE-2020-13943)\n\n* tomcat: HTTP/2 request header mix-up (CVE-2020-17527)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2021:4012",
        "url": "https://access.redhat.com/errata/RHSA-2021:4012"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=catRhoar.spring.boot\u0026version=2.4.9",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=catRhoar.spring.boot\u0026version=2.4.9"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.4/html/release_notes_for_spring_boot_2.4/index",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.4/html/release_notes_for_spring_boot_2.4/index"
      },
      {
        "category": "external",
        "summary": "1887648",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887648"
      },
      {
        "category": "external",
        "summary": "1904221",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1904221"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_4012.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat support for Spring Boot 2.4.9 security update",
    "tracking": {
      "current_release_date": "2024-11-15T08:44:22+00:00",
      "generator": {
        "date": "2024-11-15T08:44:22+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2021:4012",
      "initial_release_date": "2021-10-28T07:52:17+00:00",
      "revision_history": [
        {
          "date": "2021-10-28T07:52:17+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2021-10-28T07:52:17+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-15T08:44:22+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Support for Spring Boot 2.4.9",
                "product": {
                  "name": "Red Hat Support for Spring Boot 2.4.9",
                  "product_id": "Red Hat Support for Spring Boot 2.4.9",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift Application Runtimes"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-13943",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "discovery_date": "2020-10-13T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1887648"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Apache Tomcat. If an HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it is possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources. The highest threat from this vulnerability is to data confidentiality.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "tomcat: Apache Tomcat HTTP/2 Request mix-up",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Enterprise Linux 8\u0027s Identity Management is using an affected version of Tomcat bundled within PKI servlet engine, however HTTP/2 protocol is not supported by this component.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Support for Spring Boot 2.4.9"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-13943"
        },
        {
          "category": "external",
          "summary": "RHBZ#1887648",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887648"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-13943",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-13943"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-13943",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13943"
        },
        {
          "category": "external",
          "summary": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202010.mbox/%3C2b767c6e-dcb9-5816-bd69-a3bc0771fef3%40apache.org%3E",
          "url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202010.mbox/%3C2b767c6e-dcb9-5816-bd69-a3bc0771fef3%40apache.org%3E"
        },
        {
          "category": "external",
          "summary": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M8",
          "url": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M8"
        },
        {
          "category": "external",
          "summary": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.58",
          "url": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.58"
        },
        {
          "category": "external",
          "summary": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.38",
          "url": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.38"
        }
      ],
      "release_date": "2020-10-12T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2021-10-28T07:52:17+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.",
          "product_ids": [
            "Red Hat Support for Spring Boot 2.4.9"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2021:4012"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Support for Spring Boot 2.4.9"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "tomcat: Apache Tomcat HTTP/2 Request mix-up"
    },
    {
      "cve": "CVE-2020-17527",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "discovery_date": "2020-12-03T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1904221"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "tomcat: HTTP/2 request header mix-up",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Enterprise Linux 8\u0027s Identity Management and Certificate System are using a vulnerable version of Tomcat that is bundled into the pki-servlet-engine component. However, HTTP/2 is not enabled in such a configuration, and it is not possible to trigger the flaw in a supported setup. A future update may fix the code.\n\nRed Hat Enterprise Linux 7\u0027s tomcat package, Identity Management, and Certificate System are all not affected by this flaw because HTTP/2 is not supported in the shipped version of tomcat in those packages.\n\ntomcat5 and tomcat6 in Red Hat Enterprise Linux 5 and 6 (respectively) are not affected by this flaw because HTTP/2 is not supported in the shipped versions of those packages.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Support for Spring Boot 2.4.9"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-17527"
        },
        {
          "category": "external",
          "summary": "RHBZ#1904221",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1904221"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-17527",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-17527"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-17527",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17527"
        },
        {
          "category": "external",
          "summary": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M10",
          "url": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M10"
        },
        {
          "category": "external",
          "summary": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.60",
          "url": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.60"
        },
        {
          "category": "external",
          "summary": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.40",
          "url": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.40"
        }
      ],
      "release_date": "2020-12-03T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2021-10-28T07:52:17+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.",
          "product_ids": [
            "Red Hat Support for Spring Boot 2.4.9"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2021:4012"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Support for Spring Boot 2.4.9"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "tomcat: HTTP/2 request header mix-up"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.