RHSA-2020:0727: Important: Red Hat Data Grid 7.3.3 security update

Red Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the Infinispan project.<br>This release of Red Hat Data Grid 7.3.3 serves as a replacement for Red Hat Data Grid 7.3.2 and includes bug fixes and enhancements, which are described in the Release Notes, linked to in the References section of this erratum.<br>Security Fix(es):<br><li> HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512)</li> <li> HTTP/2: flood using HEADERS frames results in unbounded memory growth (CVE-2019-9514)</li> <li> HTTP/2: flood using SETTINGS frames results in unbounded memory growth (CVE-2019-9515)</li> <li> HTTP/2: flood using empty frames results in excessive resource consumption (CVE-2019-9518)</li> <li> xstream: remote code execution due to insecure XML deserialization (regression of CVE-2013-7285) (CVE-2019-10173)</li> <li> infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods (CVE-2019-10174)</li> <li> jackson-databind: default typing mishandling leading to remote code execution (CVE-2019-14379)</li> <li> h2: Information Exposure due to insecure handling of permissions in the backup (CVE-2018-14335)</li> <li> wildfly: Race condition on PID file allows for termination of arbitrary processes by local users (CVE-2019-3805)</li> <li> undertow: leak credentials to log files UndertowLogger.REQUEST_LOGGER.undertowRequestFailed (CVE-2019-3888)</li> <li> undertow: DEBUG log for io.undertow.request.security if enabled leaks credentials to log files (CVE-2019-10212)</li> <li> undertow: Information leak in requests for directories without trailing slashes (CVE-2019-10184)</li> For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.