rhsa-2024_7861
Vulnerability from csaf_redhat
Published
2024-10-09 12:35
Modified
2024-12-04 22:56
Summary
Red Hat Security Advisory: Apicurio Registry (container images) release and security update [ 2.6.5 GA ]

Notes

Topic
An update to the images for Red Hat build of Apicurio Registry is now available from the Red Hat Container Catalog. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
This release of Red Hat build of Apicurio Registry 2.6.5 GA includes the following security fixes. Security Fix(es): * org.apache.avro/avro: Schema parsing may trigger Remote Code Execution (RCE) [rhint-serv-2] (CVE-2024-47561)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Critical"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update to the images for Red Hat build of Apicurio Registry is now available from the Red Hat Container Catalog. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This release of Red Hat build of Apicurio Registry 2.6.5 GA includes the following security fixes.\n\nSecurity Fix(es):\n\n* org.apache.avro/avro: Schema parsing may trigger Remote Code Execution (RCE) [rhint-serv-2] (CVE-2024-47561)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2024:7861",
        "url": "https://access.redhat.com/errata/RHSA-2024:7861"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#critical",
        "url": "https://access.redhat.com/security/updates/classification/#critical"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_build_of_apicurio_registry/2.6",
        "url": "https://docs.redhat.com/en/documentation/red_hat_build_of_apicurio_registry/2.6"
      },
      {
        "category": "external",
        "summary": "2316116",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316116"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7861.json"
      }
    ],
    "title": "Red Hat Security Advisory: Apicurio Registry (container images) release and security update [ 2.6.5 GA ]",
    "tracking": {
      "current_release_date": "2024-12-04T22:56:56+00:00",
      "generator": {
        "date": "2024-12-04T22:56:56+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.2"
        }
      },
      "id": "RHSA-2024:7861",
      "initial_release_date": "2024-10-09T12:35:14+00:00",
      "revision_history": [
        {
          "date": "2024-10-09T12:35:14+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2024-10-09T12:35:14+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-12-04T22:56:56+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat build of Apicurio Registry 2.6.5 GA",
                "product": {
                  "name": "Red Hat build of Apicurio Registry 2.6.5 GA",
                  "product_id": "Red Hat build of Apicurio Registry 2.6.5 GA",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:apicurio_registry:2.6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Integration"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-47561",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2024-10-02T14:04:06.018000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2316116"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in Apache Avro. The project is affected and at risk if it accepts an org.apache.Avro/avroAvro schema for parsing provided by an end user. This flaw allows an attacker to trigger remote code execution by using the special \"java-class\" attribute.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "apache-avro: Schema parsing may trigger Remote Code Execution (RCE)",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The Red Hat build of Apache Camel K 1.10 was rated Important as it allows users to provide an Avro schema for parsing. Note that this functionality is limited to authenticated users.\n\nRed Hat Single Sign-On 7 ships the affected component in its maven repository but does not use it in the product. As such it is affected but not vulnerable to the flaw, and is assessed at Moderate security impact.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Apicurio Registry 2.6.5 GA"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-47561"
        },
        {
          "category": "external",
          "summary": "RHBZ#2316116",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316116"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-47561",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-47561"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-47561",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47561"
        }
      ],
      "release_date": "2024-10-03T12:20:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-10-09T12:35:14+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat build of Apicurio Registry 2.6.5 GA"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:7861"
        },
        {
          "category": "workaround",
          "details": "1. Avoid parsing user-provided schemas.\n2. Ensure proper input validation and sanitization of schemas before parsing.\n3. Monitor systems for any unusual activities that may indicate exploitation attempts.\n4. Apply the principle of least privilege to minimize the potential impact of successful exploits.",
          "product_ids": [
            "Red Hat build of Apicurio Registry 2.6.5 GA"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Apicurio Registry 2.6.5 GA"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Critical"
        }
      ],
      "title": "apache-avro: Schema parsing may trigger Remote Code Execution (RCE)"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.