First published: Wed May 26 2021
Red Hat Data Grid is a distributed, in-memory data store.

This release of Red Hat Data Grid 8.2.0 serves as a replacement for Red Hat Data Grid 8.1.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

- Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism (CVE-2021-31917)
- XStream: Unsafe deserialization of javax.sql.rowset.BaseRowSet (CVE-2021-21344)
- XStream: Unsafe deserialization of com.sun.corba.se.impl.activation.ServerTableEntry (CVE-2021-21345)
- XStream: Unsafe deserialization of sun.swing.SwingLazyValue (CVE-2021-21346)
- XStream: Unsafe deserialization of com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator (CVE-2021-21347)
- XStream: Unsafe deserialization of com.sun.org.apache.bcel.internal.util.ClassLoader (CVE-2021-21350)
- Infinispan: Actions with effects should not be permitted via GET requests using REST API (CVE-2020-10771)
- XStream: Server-Side Request Forgery vulnerability can be activated when unmarshalling (CVE-2020-26258)
- XStream: arbitrary file deletion on the local host when unmarshalling (CVE-2020-26259)
- netty: Information disclosure via the local system temporary directory (CVE-2021-21290)
- netty: possible request smuggling in HTTP/2 due to missing validation (CVE-2021-21295)
- XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream (CVE-2021-21341)
- XStream: SSRF via crafted input stream (CVE-2021-21342)
- XStream: arbitrary file deletion on the local host via crafted input stream (CVE-2021-21343)
- XStream: ReDoS vulnerability (CVE-2021-21348)
- XStream: SSRF can be activated when unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host (CVE-2021-21349)
- XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream (CVE-2021-21351)
- netty: Request smuggling via content-length header (CVE-2021-21409)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.