Red Hat Security Advisory 2024-1662-03 - An update is now available for Red Hat build of Quarkus. Issues addressed include denial of service, information leakage, and memory leak vulnerabilities.
e4d84b16ea28567aec7f314cb171c46cd74d7cbac6bd0fa8cadeda2c5a92d66c
The following advisory data is extracted from:
https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1662.json
Red Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.
- Packet Storm Staff
====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat build of Quarkus 3.2.11 release and security update
Advisory ID: RHSA-2024:1662-03
Product: Red Hat build of Quarkus
Advisory URL: https://access.redhat.com/errata/RHSA-2024:1662
Issue date: 2024-04-03
Revision: 03
CVE Names: CVE-2024-1023
====================================================================
Summary:
An update is now available for Red Hat build of Quarkus.
Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a
detailed severity rating, is available for each vulnerability. For more
information, see the CVE links in the References section.
Description:
This release of Red Hat build of Quarkus 3.2.11 includes security updates,
bug fixes, and enhancements. For more information, see the release notes page
listed in the References section.
Security Fix(es):
* CVE-2024-1597 org.postgresql/postgresql: pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE [quarkus-3.2]
* CVE-2024-1979 io.quarkus/quarkus-kubernetes-deployment: quarkus: information leak in annotation [quarkus-3.2]
* CVE-2024-1726 io.quarkus.resteasy.reactive/resteasy-reactive: quarkus: security checks for some inherited endpoints performed after serialization in RESTEasy Reactive may trigger a denial of service [quarkus-3.2]
* CVE-2024-25710 org.apache.commons/commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file [quarkus-3.2]
* CVE-2024-26308 org.apache.commons/commons-compress: OutOfMemoryError unpacking broken Pack200 file [quarkus-3.2]
* CVE-2024-1300 io.vertx/vertx-core: io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support [quarkus-3.2]
* CVE-2024-1023 io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx [quarkus-3.2]
Solution:
https://access.redhat.com/articles/11258
CVEs:
CVE-2024-1023
References:
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/3.2/
https://access.redhat.com/articles/4966181
https://bugzilla.redhat.com/show_bug.cgi?id=2260840
https://bugzilla.redhat.com/show_bug.cgi?id=2263139
https://bugzilla.redhat.com/show_bug.cgi?id=2264988
https://bugzilla.redhat.com/show_bug.cgi?id=2264989
https://bugzilla.redhat.com/show_bug.cgi?id=2265158
https://bugzilla.redhat.com/show_bug.cgi?id=2266523
https://bugzilla.redhat.com/show_bug.cgi?id=2266690
https://issues.redhat.com/browse/QUARKUS-4022
https://issues.redhat.com/browse/QUARKUS-4036
https://issues.redhat.com/browse/QUARKUS-4097
https://issues.redhat.com/browse/QUARKUS-4103
https://issues.redhat.com/browse/QUARKUS-4104
https://issues.redhat.com/browse/QUARKUS-4106
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed