Multiple vulnerabilities in Red Hat Camel for Spring Boot 4



Risk Medium
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2024-29857
CVE-2024-30172
CVE-2024-30171
CWE-ID CWE-400
CWE-835
CWE-203
Exploitation vector Network
Public exploit N/A
Vulnerable software
Red Hat Camel for Spring Boot
Universal components / Libraries / Software for developers

Vendor Red Hat Inc.

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Resource exhaustion

EUVDB-ID: #VU89218

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-29857

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to library does not properly control consumption of internal resources when importing an EC certificate with specially crafted F2m parameters. A remote attacker can pass a specially crafted certificate to the application to trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat Camel for Spring Boot: before 4.4.0

CPE2.3 External links

http://access.redhat.com/errata/RHSA-2024:4505


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Infinite loop

EUVDB-ID: #VU89220

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-30172

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop in the Ed25519 verification code. A remote attacker can pass a specially signature and public key to the application, consume all available system resources and cause denial of service conditions.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat Camel for Spring Boot: before 4.4.0

CPE2.3 External links

http://access.redhat.com/errata/RHSA-2024:4505


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Observable discrepancy

EUVDB-ID: #VU89219

Risk: Medium

CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-30171

CWE-ID: CWE-203 - Observable discrepancy

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a possible timing based leakage in RSA based handshakes. A remote attacker can gain access to sensitive information.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat Camel for Spring Boot: before 4.4.0

CPE2.3 External links

http://access.redhat.com/errata/RHSA-2024:4505


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###