This Red Hat security advisory covers the release of Red Hat build of Quarkus 2.13.9.SP2, which includes security updates for three vulnerabilities. CVE-2024-1597 involves a SQL injection vulnerability in the PostgreSQL JDBC Driver (pgjdbc) when the PreferQueryMode is set to SIMPLE, allowing an attacker to inject SQL. CVE-2024-25710 is a denial of service vulnerability in Apache Commons Compress caused by an infinite loop when processing a corrupted DUMP file. CVE-2024-26308 is another Apache Commons Compress vulnerability that can cause an OutOfMemoryError when unpacking a broken Pack200 file. The advisory references Red Hat Bugzilla entries for each fix and directs users to apply the update following standard procedures. No CVSS scores are provided, but the update is rated as Important by Red Hat Product Security.

Successful exploitation of CVE-2024-1597 could allow an attacker to perform SQL injection attacks via the PostgreSQL JDBC Driver under specific configuration, potentially compromising database integrity or confidentiality. CVE-2024-25710 could cause denial of service by triggering an infinite loop when processing corrupted DUMP files, impacting availability. CVE-2024-26308 could lead to an OutOfMemoryError, also affecting availability when unpacking malformed Pack200 files. There are no reports of known exploits in the wild for these vulnerabilities at this time.

Red Hat has released an updated version of the Red Hat build of Quarkus 2.13.9.SP2 that includes fixes for these vulnerabilities. Users should apply this update after ensuring all previously released errata relevant to their system have been applied. Detailed instructions for applying the update are available in the Red Hat advisory and associated documentation. No additional mitigation steps are indicated or required beyond applying the official update.