Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.5788
Red Hat Integration Debezium 1.9.7 security update
10 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Red Hat Integration Debezium 1.9.7
Publisher: Red Hat
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2022-3171 CVE-2021-22569
Original Bulletin:
https://access.redhat.com/errata/RHSA-2022:7896
Comment: CVSS (Max): 7.5 CVE-2022-3171 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat Integration Debezium 1.9.7 security update
Advisory ID: RHSA-2022:7896-01
Product: Red Hat Integration
Advisory URL: https://access.redhat.com/errata/RHSA-2022:7896
Issue date: 2022-11-09
CVE Names: CVE-2021-22569 CVE-2022-3171
=====================================================================
1. Summary:
A security update for Debezium is now available for Red Hat Integration.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
Debezium is a distributed platform that turns your existing databases into
event streams, so applications can see and respond immediately to each
row-level change in the databases.
Debezium is built on top of Apache Kafka and provides Kafka Connect
compatible connectors that monitor specific database management systems.
Debezium records the history of data changes in Kafka logs, from where your
application consumes them. This makes it possible for your application to
easily consume all of the events correctly and completely. Even if your
application stops unexpectedly, it will not miss anything: when the
application restarts, it will resume consuming the events where it left
off.
Security Fix(es):
* protobuf-java: potential DoS in the parsing procedure for binary data
(CVE-2021-22569)
* protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
To apply this update just follow standard installation procedure
https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q4/html/installing_debezium_on_openshift/index
https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q4/html/installing_debezium_on_rhel/index
4. Bugs fixed (https://bugzilla.redhat.com/):
2039903 - CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data
2137645 - CVE-2022-3171 protobuf-java: timeout in parser leads to DoS
5. References:
https://access.redhat.com/security/cve/CVE-2021-22569
https://access.redhat.com/security/cve/CVE-2022-3171
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2022-Q4
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBY2v3otzjgjWX9erEAQhmmw/+NujxA03qhV4k8/pvL88Dazs3bt6ZH8ar
ELY1Ueri1EgfWROfGB2+SKK2hbFNN+ft4iY2YWHhDX6PUAmVMPiaB0M8NCQkj7GW
17Bo/muRWOti78J03+2314VxLwNHn+s2qCtAR3/Ks4bfcEDUMwsy/u3YTs+wtbK5
tvO5s6uUPB2evIlliJuYKVfUFB9R900tZv44JZ2d+PC3R4S+dUcVTASRX8lDQMhx
lOSxVePvV1rNTBJ0e7GaPCWNHR2eNSewpwI/XLhfBOh7ojIgNDUNCi69aEYyVLHW
R7uh5R3+PFZvQX+mJ74qcQV2aYVQ4MnhKZrWqbkGyhMqHVRuF7d6DzXd2yMWVDWk
vjgnu2NHR0SG/uRdA2Iykm0MGCq9/69KTo3C+nFEoDNg2vVdH155IInpAdpiw/zn
iKOXcdQkrLyvClNz/giifooNm9/8HSYhI26ayOj/t+H0AGQfAGLfVHGbNQJ7y00W
tSU1OfNPU53KCvbIk/l/3H4SOeXPbOb5pgXaEOM+8ssPk48aBSkQ5Ru7HrJOZwYY
fU3652+qceb/IAWoHsGfW2UKOOLeyipD9i4rxhKaAQYtOsETGAoeqxF43e78VFBy
y47unTuLhi0DyhZw+ZPKzit3j4VLTUTrB79JxyZQ+WZYXOU/ZUpwSkRwMqwjMm9Q
+d4cGdgfQ7Y=
=3CJ6
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBY2yLHMkNZI30y1K9AQiw5RAAoRK6satPQGgjf8HpZIBGNL/cGgBkcyTY
wTEOQBKpZacD5vkr3rNt/QHoYgzuaF0r6xK/5hMMr+O12ReoRO1neiCaMMjLXE1I
UMJtcWgdOS3lrpbBHqtyRmvYmWl2WesYnSoi1HsPARB9s1Tc94oxcVqfVbeF58nS
dLtAB6YwR71CjJ+OLzh4YAmZHdKdi/u5iQTXd/y2tb1BwTPz28zCn0+rEFR+90dm
/gubvs6dTWJ6I9QxsloJGnbWj0UhqxSReq+JCKydtm6mmjRO+lPQ/LcKXg/VVat3
/tMd7wCznu0qoP+qc77KjGtUNsqWD047f5nADD5UOtyN4kfe4QvvzevSaqfu2bou
dKZNeLGGcP7TfkFYRiTcE5MAymMnfrB42gSBlsaE1dv8O4bsntND211Zc++8MtWr
kpAX7egSGvRSd27j2i9E4rUInZpPii683zJp7pmn/efHN5g6vTWs+OTCaMtTC5Cs
/tLtqpRozK2ZIk7f5ExCbpan6jaXaRLc3hAlBA+PfoQvAzb54d+CV/QtsqPMRhUG
SeAPUyPaferiWJpVh1VUNXW7oFkKib7WYEW5Si6jqfCt3bNGFMDmd7mgRNHqrkfr
EdJJt1OOXVmD8lqjbr/zKcyRzCGoK9f/is9DBVca9BN58MgVTm5io90QbsAzvoaj
mzg0DmVMWr4=
=runc
-----END PGP SIGNATURE-----