(RHSA-2022:1029) Important: Red Hat Integration Camel-K 1.6.4 release and security update

Published: 2022-03-23 08:18:30 (source: access.redhat.com)

EPSS: 0.015 (Low), percentile 87.0%

A micro version update (from 1.6.3 to 1.6.4) is now available for Red Hat Camel K that includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

  • undertow: buffer leak on incoming websocket PONG message may lead to DoS (CVE-2021-3690)

  • maven: Block repositories using http by default (CVE-2021-26291)

  • cyrus-sasl: failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands (CVE-2022-24407)

  • bouncycastle: Timing issue within the EC math library (CVE-2020-15522)

  • jetty: buffer not correctly recycled in Gzip Request inflation (CVE-2020-27218)

  • RESTEasy: PathParam in RESTEasy can lead to a reflected XSS attack (CVE-2021-20293)

  • XStream: SSRF can be triggered when unmarshalling with XStream, allowing access to data streams from an arbitrary URL that references a resource on an intranet or the local host (CVE-2021-21349)

  • jersey: Local information disclosure via system temporary directory (CVE-2021-28168)

  • jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluated (CVE-2021-28170)

  • jdom: XXE allows attackers to cause a DoS via a crafted HTTP request (CVE-2021-33813)

  • guava: local information disclosure via temporary directory created with unsafe permissions (CVE-2020-8908)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.