-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5788
            Red Hat Integration Debezium 1.9.7 security update
                               10 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Integration Debezium 1.9.7
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-3171 CVE-2021-22569

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:7896

Comment: CVSS (Max):  7.5 CVE-2022-3171 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Integration Debezium 1.9.7 security update
Advisory ID:       RHSA-2022:7896-01
Product:           Red Hat Integration
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7896
Issue date:        2022-11-09
CVE Names:         CVE-2021-22569 CVE-2022-3171
=====================================================================

1. Summary:

A security update for Debezium is now available for Red Hat Integration.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Debezium is a distributed platform that turns your existing databases into
event streams, so applications can see and respond immediately to each
row-level change in the databases.
Debezium is built on top of Apache Kafka and provides Kafka Connect
compatible connectors that monitor specific database management systems.
Debezium records the history of data changes in Kafka logs, from where your
application consumes them. This makes it possible for your application to
easily consume all of the events correctly and completely. Even if your
application stops unexpectedly, it will not miss anything: when the
application restarts, it will resume consuming the events where it left
off.

Security Fix(es):

* protobuf-java: potential DoS in the parsing procedure for binary data
(CVE-2021-22569)

* protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

To apply this update, follow the standard installation procedure:

https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q4/html/installing_debezium_on_openshift/index
https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q4/html/installing_debezium_on_rhel/index

4. Bugs fixed (https://bugzilla.redhat.com/):

2039903 - CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data
2137645 - CVE-2022-3171 protobuf-java: timeout in parser leads to DoS

5. References:

https://access.redhat.com/security/cve/CVE-2021-22569
https://access.redhat.com/security/cve/CVE-2022-3171
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2022-Q4

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY2v3otzjgjWX9erEAQhmmw/+NujxA03qhV4k8/pvL88Dazs3bt6ZH8ar
ELY1Ueri1EgfWROfGB2+SKK2hbFNN+ft4iY2YWHhDX6PUAmVMPiaB0M8NCQkj7GW
17Bo/muRWOti78J03+2314VxLwNHn+s2qCtAR3/Ks4bfcEDUMwsy/u3YTs+wtbK5
tvO5s6uUPB2evIlliJuYKVfUFB9R900tZv44JZ2d+PC3R4S+dUcVTASRX8lDQMhx
lOSxVePvV1rNTBJ0e7GaPCWNHR2eNSewpwI/XLhfBOh7ojIgNDUNCi69aEYyVLHW
R7uh5R3+PFZvQX+mJ74qcQV2aYVQ4MnhKZrWqbkGyhMqHVRuF7d6DzXd2yMWVDWk
vjgnu2NHR0SG/uRdA2Iykm0MGCq9/69KTo3C+nFEoDNg2vVdH155IInpAdpiw/zn
iKOXcdQkrLyvClNz/giifooNm9/8HSYhI26ayOj/t+H0AGQfAGLfVHGbNQJ7y00W
tSU1OfNPU53KCvbIk/l/3H4SOeXPbOb5pgXaEOM+8ssPk48aBSkQ5Ru7HrJOZwYY
fU3652+qceb/IAWoHsGfW2UKOOLeyipD9i4rxhKaAQYtOsETGAoeqxF43e78VFBy
y47unTuLhi0DyhZw+ZPKzit3j4VLTUTrB79JxyZQ+WZYXOU/ZUpwSkRwMqwjMm9Q
+d4cGdgfQ7Y=
=3CJ6
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.
It may not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY2yLHMkNZI30y1K9AQiw5RAAoRK6satPQGgjf8HpZIBGNL/cGgBkcyTY
wTEOQBKpZacD5vkr3rNt/QHoYgzuaF0r6xK/5hMMr+O12ReoRO1neiCaMMjLXE1I
UMJtcWgdOS3lrpbBHqtyRmvYmWl2WesYnSoi1HsPARB9s1Tc94oxcVqfVbeF58nS
dLtAB6YwR71CjJ+OLzh4YAmZHdKdi/u5iQTXd/y2tb1BwTPz28zCn0+rEFR+90dm
/gubvs6dTWJ6I9QxsloJGnbWj0UhqxSReq+JCKydtm6mmjRO+lPQ/LcKXg/VVat3
/tMd7wCznu0qoP+qc77KjGtUNsqWD047f5nADD5UOtyN4kfe4QvvzevSaqfu2bou
dKZNeLGGcP7TfkFYRiTcE5MAymMnfrB42gSBlsaE1dv8O4bsntND211Zc++8MtWr
kpAX7egSGvRSd27j2i9E4rUInZpPii683zJp7pmn/efHN5g6vTWs+OTCaMtTC5Cs
/tLtqpRozK2ZIk7f5ExCbpan6jaXaRLc3hAlBA+PfoQvAzb54d+CV/QtsqPMRhUG
SeAPUyPaferiWJpVh1VUNXW7oFkKib7WYEW5Si6jqfCt3bNGFMDmd7mgRNHqrkfr
EdJJt1OOXVmD8lqjbr/zKcyRzCGoK9f/is9DBVca9BN58MgVTm5io90QbsAzvoaj
mzg0DmVMWr4=
=runc
-----END PGP SIGNATURE-----
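Both fixes in the advisory above concern the protobuf-java library bundled with the Debezium connector plugins, so the practical check after applying the update is whether any protobuf-java jar left on a Kafka Connect worker's plugin path still predates the fix. The script below is an added example, not part of the Red Hat or AusCERT bulletin and not Debezium project code. The per-minor-line fixed versions in FIXED_IN are an assumption taken from the upstream protobuf-java GitHub advisories (the bulletin gives no version numbers); the plugin paths and jar versions in SAMPLE_JARS are constructed, and the Red Hat CVE pages linked in the References section remain the authority on what Red Hat ships.

```python
import re
from pathlib import Path

# Earliest protobuf-java release on each 3.x minor line that carries the fix.
# ASSUMPTION: these thresholds come from the upstream GitHub security
# advisories for protobuf-java, not from the Red Hat advisory above; confirm
# them against the Red Hat CVE pages in the References section before acting.
# A 3.x minor line with no entry (e.g. 3.17) never received a backport.
FIXED_IN = {
    "CVE-2021-22569": {16: 1, 18: 2, 19: 2},
    "CVE-2022-3171": {16: 3, 19: 6, 20: 3, 21: 7},
}

# Matches protobuf-java-3.19.4.jar and vendor-qualified names such as
# protobuf-java-3.19.4.redhat-00001.jar (the qualifier is ignored).
JAR_RE = re.compile(r"^protobuf-java-(\d+)\.(\d+)\.(\d+)(?:[.-][^/]*)?\.jar$")


def parse_version(jar_name):
    """Return (major, minor, patch) for a protobuf-java jar name, else None."""
    m = JAR_RE.match(jar_name)
    return tuple(int(x) for x in m.groups()) if m else None


def is_fixed(version, fixed_lines):
    """True if `version` is at or past the fix on its 3.x line."""
    major, minor, patch = version
    if major != 3:
        return major > 3          # 2.x predates the fixes; 4.x postdates them
    if minor > max(fixed_lines):
        return True               # newer line than the last backport
    if minor in fixed_lines:
        return patch >= fixed_lines[minor]
    return False                  # a 3.x line that was never patched


def outstanding_cves(version):
    """CVEs from FIXED_IN that the given protobuf-java version still lacks."""
    return sorted(cve for cve, lines in FIXED_IN.items()
                  if not is_fixed(version, lines))


def audit_jars(jar_paths):
    """Map each protobuf-java jar path to the CVEs it is still exposed to.

    Non-protobuf jars are skipped; an empty list means nothing outstanding.
    """
    findings = {}
    for path in jar_paths:
        version = parse_version(Path(path).name)
        if version is not None:
            findings[path] = outstanding_cves(version)
    return findings


def audit_plugin_path(plugin_path):
    """Walk a Kafka Connect plugin.path directory and audit every jar in it."""
    return audit_jars(str(p) for p in Path(plugin_path).rglob("*.jar"))


# Constructed listing, standing in for the output of
#   find <plugin.path> -name 'protobuf-java-*.jar'
# on a hypothetical Connect worker; paths and versions are made up.
SAMPLE_JARS = [
    "/opt/kafka/plugins/debezium-connector-postgres/protobuf-java-3.19.4.jar",
    "/opt/kafka/plugins/debezium-connector-mysql/protobuf-java-3.17.3.jar",
    "/opt/kafka/plugins/debezium-connector-mongodb/protobuf-java-3.21.7.jar",
    "/opt/kafka/plugins/debezium-connector-postgres/debezium-core-1.9.7.Final.jar",
]

if __name__ == "__main__":
    for jar, cves in audit_jars(SAMPLE_JARS).items():
        print(f"{jar}: {', '.join(cves) if cves else 'no outstanding CVEs'}")
```

Run it against a real worker with `audit_plugin_path("/opt/kafka/plugins")` (assumed path). Note that a jar on a 3.x line with no backport, such as 3.17.x, is reported as exposed to both CVEs even when its patch number is high, which is the case a naive "is it newer than 3.16.3" comparison gets wrong.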