Red Hat Data Grid is a distributed, in-memory data store.
This release of Red Hat Data Grid 8.2.0 serves as a replacement for Red Hat Data Grid 8.1.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism (CVE-2021-31917)
XStream: Unsafe deserialization of javax.sql.rowset.BaseRowSet (CVE-2021-21344)
XStream: Unsafe deserialization of com.sun.corba.se.impl.activation.ServerTableEntry (CVE-2021-21345)
XStream: Unsafe deserialization of sun.swing.SwingLazyValue (CVE-2021-21346)
XStream: Unsafe deserialization of com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator (CVE-2021-21347)
XStream: Unsafe deserialization of com.sun.org.apache.bcel.internal.util.ClassLoader (CVE-2021-21350)
Infinispan: Actions with effects should not be permitted via GET requests using REST API (CVE-2020-10771)
XStream: Server-Side Request Forgery (SSRF) vulnerability can be triggered when unmarshalling (CVE-2020-26258)
XStream: arbitrary file deletion on the local host when unmarshalling (CVE-2020-26259)
netty: Information disclosure via the local system temporary directory (CVE-2021-21290)
netty: possible request smuggling in HTTP/2 due to missing validation (CVE-2021-21295)
XStream: allows a remote attacker to cause a DoS only by manipulating the processed input stream (CVE-2021-21341)
XStream: SSRF via crafted input stream (CVE-2021-21342)
XStream: arbitrary file deletion on the local host via crafted input stream (CVE-2021-21343)
XStream: ReDoS vulnerability (CVE-2021-21348)
XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host (CVE-2021-21349)
XStream: allows a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream (CVE-2021-21351)
netty: Request smuggling via content-length header (CVE-2021-21409)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.