-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1193
     Red Hat 3scale API Management 2.10.0 security update and release
                               9 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat 3scale API Management 2.10.0
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Root Compromise                 -- Existing Account            
                   Increased Privileges            -- Existing Account            
                   Modify Arbitrary Files          -- Existing Account            
                   Denial of Service               -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Provide Misleading Information  -- Remote with User Interaction
                   Reduced Security                -- Remote/Unauthenticated      
                   Unauthorised Access             -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-20265 CVE-2020-29661 CVE-2020-28374
                   CVE-2020-25705 CVE-2020-25656 CVE-2020-25645
                   CVE-2020-25211 CVE-2020-14351 CVE-2020-14040
                   CVE-2020-12723 CVE-2020-12403 CVE-2020-12402
                   CVE-2020-12401 CVE-2020-12400 CVE-2020-12243
                   CVE-2020-9283 CVE-2020-8177 CVE-2020-7595
                   CVE-2020-7053 CVE-2020-6829 CVE-2020-1971
                   CVE-2020-0427 CVE-2019-20907 CVE-2019-20388
                   CVE-2019-19956 CVE-2019-19532 CVE-2019-19126
                   CVE-2019-17498 CVE-2019-17023 CVE-2019-17006
                   CVE-2019-15903 CVE-2019-14866 CVE-2019-12749
                   CVE-2019-11756 CVE-2019-11727 CVE-2019-11719
                   CVE-2019-5188 CVE-2019-5094 CVE-2018-20843

Reference:         ESB-2021.1091
                   ESB-2021.0986
                   ESB-2021.0934
                   ESB-2021.0839

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:1129

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat 3scale API Management 2.10.0 security update and release
Advisory ID:       RHSA-2021:1129-01
Product:           3scale API Management
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:1129
Issue date:        2021-04-07
CVE Names:         CVE-2018-20843 CVE-2019-5094 CVE-2019-5188 
                   CVE-2019-11719 CVE-2019-11727 CVE-2019-11756 
                   CVE-2019-12749 CVE-2019-14866 CVE-2019-15903 
                   CVE-2019-17006 CVE-2019-17023 CVE-2019-17498 
                   CVE-2019-19126 CVE-2019-19532 CVE-2019-19956 
                   CVE-2019-20388 CVE-2019-20907 CVE-2020-0427 
                   CVE-2020-1971 CVE-2020-6829 CVE-2020-7053 
                   CVE-2020-7595 CVE-2020-8177 CVE-2020-9283 
                   CVE-2020-12243 CVE-2020-12400 CVE-2020-12401 
                   CVE-2020-12402 CVE-2020-12403 CVE-2020-12723 
                   CVE-2020-14040 CVE-2020-14351 CVE-2020-25211 
                   CVE-2020-25645 CVE-2020-25656 CVE-2020-25705 
                   CVE-2020-28374 CVE-2020-29661 CVE-2021-20265 
=====================================================================

1. Summary:

A security update for Red Hat 3scale API Management Platform is now
available from the Red Hat Container Catalog.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat 3scale API Management delivers centralized API management features
through a distributed, cloud-hosted layer. It includes built-in features to
help in building a more successful API program, including access control,
rate limits, payment gateway integration, and developer experience tools.

This advisory is intended for use with the container images for Red Hat
3scale API Management 2.10.0.

Security Fix(es):

* golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows
for panic (CVE-2020-9283)

* golang.org/x/text: possibility to trigger an infinite loop in
encoding/unicode could lead to crash (CVE-2020-14040)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
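The first fix above (CVE-2020-9283) concerns a crafted ssh-ed25519 public key
reaching a verifier that panics instead of returning an error. The following
Go program is an added illustration of that bug class and is not code from
Red Hat, 3scale or the golang.org/x/crypto project: it parses the SSH wire
encoding of an ssh-ed25519 key blob with the standard library only (so it runs
offline), and places a guarded verifier next to an unguarded one. The
assumption here is that the missing guard is a length check on the key bytes
before they are handed to ed25519 verification; the standard library's
crypto/ed25519.Verify panics on a key that is not 32 bytes long, which is the
failure the unguarded path demonstrates. The key blobs, message and signature
are constructed inline; the function names are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// readString pulls one RFC 4251 "string" (uint32 length prefix + bytes) off buf.
func readString(buf []byte) (field, rest []byte, err error) {
	if len(buf) < 4 {
		return nil, nil, errors.New("short length prefix")
	}
	n := binary.BigEndian.Uint32(buf)
	if uint64(n) > uint64(len(buf)-4) {
		return nil, nil, errors.New("length exceeds buffer")
	}
	return buf[4 : 4+n], buf[4+n:], nil
}

// appendString appends s to out as an RFC 4251 "string".
func appendString(out, s []byte) []byte {
	var l [4]byte
	binary.BigEndian.PutUint32(l[:], uint32(len(s)))
	out = append(out, l[:]...)
	return append(out, s...)
}

// VerifyWithKeyBlob parses an ssh-ed25519 public key blob
// (string "ssh-ed25519" || string keybytes) and verifies sig over msg.
// The length checks are the guard: a malformed key is an error, never a panic.
func VerifyWithKeyBlob(blob, msg, sig []byte) (bool, error) {
	algo, rest, err := readString(blob)
	if err != nil {
		return false, fmt.Errorf("key type: %w", err)
	}
	if string(algo) != "ssh-ed25519" {
		return false, fmt.Errorf("unexpected key type %q", algo)
	}
	key, rest, err := readString(rest)
	if err != nil {
		return false, fmt.Errorf("key bytes: %w", err)
	}
	if len(rest) != 0 {
		return false, errors.New("trailing data after key")
	}
	if len(key) != ed25519.PublicKeySize {
		return false, fmt.Errorf("ed25519 public key must be %d bytes, got %d", ed25519.PublicKeySize, len(key))
	}
	if len(sig) != ed25519.SignatureSize {
		return false, fmt.Errorf("ed25519 signature must be %d bytes, got %d", ed25519.SignatureSize, len(sig))
	}
	return ed25519.Verify(ed25519.PublicKey(key), msg, sig), nil
}

// VerifyUnchecked models the vulnerable shape (an assumption, see lead-in):
// the parsed key bytes go straight to Verify. The panic on a wrong-length key
// is recovered and surfaced as an error so the caller can observe it.
func VerifyUnchecked(blob, msg, sig []byte) (ok bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	_, rest, err := readString(blob)
	if err != nil {
		return false, err
	}
	key, _, err := readString(rest)
	if err != nil {
		return false, err
	}
	return ed25519.Verify(ed25519.PublicKey(key), msg, sig), nil
}

// newSignedSample builds a constructed sample: a fresh key pair, its wire
// blob, and a signature over msg.
func newSignedSample(msg []byte) (blob, sig []byte, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	blob = appendString(appendString(nil, []byte("ssh-ed25519")), pub)
	return blob, ed25519.Sign(priv, msg), nil
}

func main() {
	msg := []byte("constructed message")
	blob, sig, err := newSignedSample(msg)
	if err != nil {
		panic(err)
	}
	fmt.Println(VerifyWithKeyBlob(blob, msg, sig)) // well-formed key: true <nil>

	// Crafted blob: ssh-ed25519 type tag with a 31-byte key body.
	crafted := appendString(appendString(nil, []byte("ssh-ed25519")), make([]byte, 31))
	fmt.Println(VerifyWithKeyBlob(crafted, msg, sig)) // guarded: false plus an error
	fmt.Println(VerifyUnchecked(crafted, msg, sig))   // unguarded: false plus "panic: ..."
}
```

In a server that verifies client keys, the unguarded shape turns a malformed
key blob from a remote, unauthenticated peer into a crash of the accepting
goroutine or process; the guarded shape returns an error the caller can log and
reject. The same length-before-use discipline applies to any fixed-size key or
signature type parsed off the wire.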

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.10/html-single/installing_3scale/index

4. Bugs fixed (https://bugzilla.redhat.com/):

1804533 - CVE-2020-9283 golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic
1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash

5. References:

https://access.redhat.com/security/cve/CVE-2018-20843
https://access.redhat.com/security/cve/CVE-2019-5094
https://access.redhat.com/security/cve/CVE-2019-5188
https://access.redhat.com/security/cve/CVE-2019-11719
https://access.redhat.com/security/cve/CVE-2019-11727
https://access.redhat.com/security/cve/CVE-2019-11756
https://access.redhat.com/security/cve/CVE-2019-12749
https://access.redhat.com/security/cve/CVE-2019-14866
https://access.redhat.com/security/cve/CVE-2019-15903
https://access.redhat.com/security/cve/CVE-2019-17006
https://access.redhat.com/security/cve/CVE-2019-17023
https://access.redhat.com/security/cve/CVE-2019-17498
https://access.redhat.com/security/cve/CVE-2019-19126
https://access.redhat.com/security/cve/CVE-2019-19532
https://access.redhat.com/security/cve/CVE-2019-19956
https://access.redhat.com/security/cve/CVE-2019-20388
https://access.redhat.com/security/cve/CVE-2019-20907
https://access.redhat.com/security/cve/CVE-2020-0427
https://access.redhat.com/security/cve/CVE-2020-1971
https://access.redhat.com/security/cve/CVE-2020-6829
https://access.redhat.com/security/cve/CVE-2020-7053
https://access.redhat.com/security/cve/CVE-2020-7595
https://access.redhat.com/security/cve/CVE-2020-8177
https://access.redhat.com/security/cve/CVE-2020-9283
https://access.redhat.com/security/cve/CVE-2020-12243
https://access.redhat.com/security/cve/CVE-2020-12400
https://access.redhat.com/security/cve/CVE-2020-12401
https://access.redhat.com/security/cve/CVE-2020-12402
https://access.redhat.com/security/cve/CVE-2020-12403
https://access.redhat.com/security/cve/CVE-2020-12723
https://access.redhat.com/security/cve/CVE-2020-14040
https://access.redhat.com/security/cve/CVE-2020-14351
https://access.redhat.com/security/cve/CVE-2020-25211
https://access.redhat.com/security/cve/CVE-2020-25645
https://access.redhat.com/security/cve/CVE-2020-25656
https://access.redhat.com/security/cve/CVE-2020-25705
https://access.redhat.com/security/cve/CVE-2020-28374
https://access.redhat.com/security/cve/CVE-2020-29661
https://access.redhat.com/security/cve/CVE-2021-20265
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.10/html-single/installing_3scale/index

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
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=Uuda
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
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=ilBJ
-----END PGP SIGNATURE-----