RHSA-2020:2321: Important: Red Hat Data Grid 7.3.6 security update

Red Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the Infinispan project.This release of Red Hat Data Grid 7.3.6 serves as a replacement for Red Hat Data Grid 7.3.5 and includes bug fixes and enhancements, which are described in the Release Notes, linked to in the References section of this erratum.Security Fix(es): wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files (Zip Slip) (CVE-2018-10862) apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086) netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869) netty: HTTP request smuggling (CVE-2019-20444) netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header (CVE-2019-20445) netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238) thrift: Endless loop when feed with specific input data (CVE-2019-0205) thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210) hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219) jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig (CVE-2019-14540) jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* (CVE-2019-16942) jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource (CVE-2019-16943) jackson-databind: Serialization gadgets in classes of the ehcache package (CVE-2019-17267) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.