Bug 1965497 (CVE-2021-28170) - CVE-2021-28170 jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluate
Summary: CVE-2021-28170 jakarta-el: ELParserTokenManager enables invalid EL expression...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-28170
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1965500 1965773 1969558
Blocks: 1956974
TreeView+ depends on / blocked
 
Reported: 2021-05-27 19:59 UTC by Pedro Sampaio
Modified: 2022-03-23 08:22 UTC (History)
74 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-09-09 00:21:15 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3466 0 None None None 2021-09-08 14:06:51 UTC
Red Hat Product Errata RHSA-2021:3467 0 None None None 2021-09-08 14:09:10 UTC
Red Hat Product Errata RHSA-2021:3468 0 None None None 2021-09-08 14:04:46 UTC
Red Hat Product Errata RHSA-2021:3471 0 None None None 2021-09-08 13:06:07 UTC
Red Hat Product Errata RHSA-2021:3516 0 None None None 2021-09-13 17:34:18 UTC
Red Hat Product Errata RHSA-2021:3534 0 None None None 2021-09-14 12:37:55 UTC
Red Hat Product Errata RHSA-2021:3656 0 None None None 2021-09-23 16:15:56 UTC
Red Hat Product Errata RHSA-2021:3658 0 None None None 2021-09-23 16:24:15 UTC
Red Hat Product Errata RHSA-2021:3660 0 None None None 2021-09-23 16:30:06 UTC
Red Hat Product Errata RHSA-2021:5134 0 None None None 2021-12-14 21:35:21 UTC
Red Hat Product Errata RHSA-2022:0589 0 None None None 2022-02-21 18:23:02 UTC
Red Hat Product Errata RHSA-2022:1013 0 None None None 2022-03-22 15:34:25 UTC
Red Hat Product Errata RHSA-2022:1029 0 None None None 2022-03-23 08:22:52 UTC

Description Pedro Sampaio 2021-05-27 19:59:24 UTC 
In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.

References:

https://github.com/eclipse-ee4j/el-ri/issues/155
https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/
Comment 1 Pedro Sampaio 2021-05-27 20:01:05 UTC 
Created jakarta-el tracking bugs for this issue:

Affects: fedora-all [bug 1965500]
Comment 12 errata-xmlrpc 2021-09-08 13:06:03 UTC 
This issue has been addressed in the following products:

  EAP 7.3.9 release

Via RHSA-2021:3471 https://access.redhat.com/errata/RHSA-2021:3471
Comment 13 errata-xmlrpc 2021-09-08 14:04:43 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2021:3468 https://access.redhat.com/errata/RHSA-2021:3468
Comment 14 errata-xmlrpc 2021-09-08 14:06:47 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6

Via RHSA-2021:3466 https://access.redhat.com/errata/RHSA-2021:3466
Comment 15 errata-xmlrpc 2021-09-08 14:09:07 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Via RHSA-2021:3467 https://access.redhat.com/errata/RHSA-2021:3467
Comment 16 Product Security DevOps Team 2021-09-09 00:21:15 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-28170
Comment 17 errata-xmlrpc 2021-09-13 17:34:14 UTC 
This issue has been addressed in the following products:

  Red Hat EAP-XP 2.0.0 via EAP 7.3.x base

Via RHSA-2021:3516 https://access.redhat.com/errata/RHSA-2021:3516
Comment 18 errata-xmlrpc 2021-09-14 12:37:50 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4.9

Via RHSA-2021:3534 https://access.redhat.com/errata/RHSA-2021:3534
Comment 19 errata-xmlrpc 2021-09-23 16:15:52 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2021:3656 https://access.redhat.com/errata/RHSA-2021:3656
Comment 20 errata-xmlrpc 2021-09-23 16:24:11 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2021:3658 https://access.redhat.com/errata/RHSA-2021:3658
Comment 21 errata-xmlrpc 2021-09-23 16:30:01 UTC 
This issue has been addressed in the following products:

  EAP 7.4.1 release

Via RHSA-2021:3660 https://access.redhat.com/errata/RHSA-2021:3660
Comment 22 errata-xmlrpc 2021-12-14 21:35:19 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.10

Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134
Comment 23 errata-xmlrpc 2022-02-21 18:22:57 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.2.5

Via RHSA-2022:0589 https://access.redhat.com/errata/RHSA-2022:0589
Comment 24 errata-xmlrpc 2022-03-22 15:34:20 UTC 
This issue has been addressed in the following products:

  RHINT Camel-Q 2.2.1

Via RHSA-2022:1013 https://access.redhat.com/errata/RHSA-2022:1013
Comment 25 errata-xmlrpc 2022-03-23 08:22:48 UTC 
This issue has been addressed in the following products:

  RHINT Camel-K 1.6.4

Via RHSA-2022:1029 https://access.redhat.com/errata/RHSA-2022:1029
Note You need to log in before you can comment on or make changes to this bug.