This advisory covers a security update for Red Hat build of Apache Camel 4.18 for Quarkus 3.33 that fixes 11 CVEs affecting components like netty-handler, netty-resolver-dns, netty-codec-haproxy, netty-codec-http2, quarkus-vertx-http, and libthrift. The vulnerabilities include denial of service from resource leaks and memory leaks, information disclosure and data manipulation due to improper DNS record validation, hostname verification bypass due to improper trust manager handling, IPv6 subnet rule bypass, authentication and authorization bypass via path normalization issues, and security bypass from improper certificate validation. These issues collectively pose risks of service disruption, unauthorized access, and data exposure. The update is classified as important by Red Hat and is intended to secure the affected components within the Red Hat build of Apache Camel for Quarkus.

The vulnerabilities fixed by this update can lead to denial of service conditions through resource and memory leaks, unauthorized access via authentication and authorization bypass, information disclosure and data manipulation due to DNS validation flaws, hostname verification bypass compromising TLS security, and security bypass from improper certificate validation. These impacts can affect the confidentiality, integrity, and availability of applications using the affected Red Hat build of Apache Camel 4.18 for Quarkus 3.33.

Red Hat has released an official security update for the Red Hat build of Apache Camel 4.18 for Quarkus 3.33 that addresses these vulnerabilities. Users should apply this update promptly after backing up their existing installations, including applications, configuration files, and databases. No additional mitigation steps are indicated beyond applying the official update. Patch status is confirmed by the vendor advisory.