Red Hat support for Spring Boot provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform.
This release of Red Hat support for Spring Boot 2.5.10 serves as a replacement for Red Hat support for Spring Boot 2.4.9, and includes bug fixes and enhancements. For more information, see the release notes listed in the References section.
Security Fix(es):
undertow: client-side invocation timeout raised when calling over HTTP/2 (CVE-2021-3859)
tomcat: Infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE engine (CVE-2021-41079)
tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS (CVE-2021-42340)
undertow: HTTP2SourceChannel fails to write the final frame under some circumstances, which may lead to DoS (CVE-2021-3597)
undertow: potential security issue in flow control over HTTP/2 may lead to DoS (CVE-2021-3629)
wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)
tomcat: HTTP request smuggling when used with a reverse proxy (CVE-2021-33037)
resteasy: Error message exposes endpoint class information (CVE-2021-20289)
tomcat: JNDI realm authentication weakness (CVE-2021-30640)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.