RHSA-2020:0727: Important: Red Hat Data Grid 7.3.3 security update
First published: Thu Mar 05 2020(Updated: )
Red Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the Infinispan project.<br>This release of Red Hat Data Grid 7.3.3 serves as a replacement for Red Hat Data Grid 7.3.2 and includes bug fixes and enhancements, which are described in the Release Notes, linked to in the References section of this erratum.<br>Security Fix(es):<br><li> HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512)</li> <li> HTTP/2: flood using HEADERS frames results in unbounded memory growth (CVE-2019-9514)</li> <li> HTTP/2: flood using SETTINGS frames results in unbounded memory growth (CVE-2019-9515)</li> <li> HTTP/2: flood using empty frames results in excessive resource consumption (CVE-2019-9518)</li> <li> xstream: remote code execution due to insecure XML deserialization (regression of CVE-2013-7285) (CVE-2019-10173)</li> <li> infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods (CVE-2019-10174)</li> <li> jackson-databind: default typing mishandling leading to remote code execution (CVE-2019-14379)</li> <li> h2: Information Exposure due to insecure handling of permissions in the backup (CVE-2018-14335)</li> <li> wildfly: Race condition on PID file allows for termination of arbitrary processes by local users (CVE-2019-3805)</li> <li> undertow: leak credentials to log files UndertowLogger.REQUEST_LOGGER.undertowRequestFailed (CVE-2019-3888)</li> <li> undertow: DEBUG log for io.undertow.request.security if enabled leaks credentials to log files (CVE-2019-10212)</li> <li> undertow: Information leak in requests for directories without trailing slashes (CVE-2019-10184)</li> For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
| Affected Software | Affected Version | How to fix |
|---|
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1610877
- https://bugzilla.redhat.com/show_bug.cgi?id=1660263
- https://bugzilla.redhat.com/show_bug.cgi?id=1693777
- https://bugzilla.redhat.com/show_bug.cgi?id=1703469
- https://bugzilla.redhat.com/show_bug.cgi?id=1713068
- https://bugzilla.redhat.com/show_bug.cgi?id=1722971
- https://bugzilla.redhat.com/show_bug.cgi?id=1731984
- https://bugzilla.redhat.com/show_bug.cgi?id=1735645
- https://bugzilla.redhat.com/show_bug.cgi?id=1735744
- https://bugzilla.redhat.com/show_bug.cgi?id=1735745
- https://bugzilla.redhat.com/show_bug.cgi?id=1735749
- https://bugzilla.redhat.com/show_bug.cgi?id=1737517
- https://access.redhat.com/security/updates/classification/#important
- https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=patches&version=7.3
- https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index
- https://access.redhat.com/errata/RHSA-2020:0727 (Advisory)
- collector/redhat-errata
- source/Red Hat
- anchor-id/RHSA-2020:0727
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- agent/weakness