RedHat: RHSA-2022-6819:01 Important: Red Hat AMQ Streams 2.2.0 rele...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat AMQ Streams 2.2.0 release and security update
Advisory ID:       RHSA-2022:6819-01
Product:           Red Hat JBoss AMQ
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6819
Issue date:        2022-10-05
CVE Names:         CVE-2020-36518 CVE-2022-24823 CVE-2022-25647 
                   CVE-2022-34917 
=====================================================================

1. Summary:

Red Hat AMQ Streams 2.2.0 is now available from the Red Hat Customer
Portal.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat AMQ Streams, based on the Apache Kafka project, offers a
distributed backbone that allows microservices and other applications to
share data with extremely high throughput and extremely low latency.

This release of Red Hat AMQ Streams 2.2.0 serves as a replacement for Red
Hat AMQ Streams 2.1.0, and includes security and bug fixes, and
enhancements.

Security Fix(es):

* kafka: Unauthenticated clients may cause OutOfMemoryError on brokers
(CVE-2022-34917)

* jackson-databind: denial of service via a large depth of nested objects
(CVE-2020-36518)

* netty: world readable temporary file containing sensitive data
(CVE-2022-24823)

* com.google.code.gson-gson: Deserialization of Untrusted Data in
com.google.code.gson-gson (CVE-2022-25647)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects
2080850 - CVE-2022-25647 com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson
2087186 - CVE-2022-24823 netty: world readable temporary file containing sensitive data
2130018 - CVE-2022-34917 Kafka: Unauthenticated clients may cause OutOfMemoryError on brokers

5. References:

https://access.redhat.com/security/cve/CVE-2020-36518
https://access.redhat.com/security/cve/CVE-2022-24823
https://access.redhat.com/security/cve/CVE-2022-25647
https://access.redhat.com/security/cve/CVE-2022-34917
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.streams&version=2.2.0
https://access.redhat.com/documentation/en-us/red_hat_amq_streams/2.2

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYz3vn9zjgjWX9erEAQgn5xAAimnK8u7hTwN7pQ0bXtBeNcNWAxzasLdF
7thzBp1vhsco4M6vYahLbtJ8k9L25RLUGWdf7lUvcI1BLGObXdc5EVstMyv+YMtH
6MrSC56w8EcQFuTTD+nFbbB3VO3jJzY6i4KmVw3pDTBdAAG/XThumduTG8EovZMW
7crrL/Zbsgka45ODz6Rzs66VUARIB7aS0j6W9ocJ/0nkUyewMBWXZaKnAv97DCJZ
Fsg+sVhYavRvx3T0zY1PJvYXTTT+PaZ5GdTSRNzGuDn65helyPNi3luIrEM7oBW3
I/fFm/SHz1D/IwetV4jyHpfaFcJrtzFhLX0gksftCjuGV9mlZ3kRRMuzFjmcZP4C
AxR5KTSBV1buavJTSbwM2NvOLtq9pFqBTstnQGkVAml3gJxXYzsozLJ/uiVVhORK
gkTlzepH8H9sG3wWH4ErRnwD7f1FIMu4ZvmB/NVn7sxEXMctjt0NA02ngmEADDXv
56w4rj8Db3X+hGDCf8A5CsAmSge9hGRuL2eeeZKd0IC/zOeU6N5WeUCB1806SNbl
23wuGoXh6xa7F1cIEtrGYoaXhWc0m3yKFwYZqnM6iXzJJM/0tWGI/CCG+ZYtiVyW
wsI1a9EOyoOivJWgHX2G7gxFVBpgXz3OTCSr890bFGArj/7664xMC4E/jcb2v9T+
gRODlrMjDx8=
=ibwe
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-6819:01 Important: Red Hat AMQ Streams 2.2.0 release and

Red Hat AMQ Streams 2.2.0 is now available from the Red Hat Customer Portal

Summary

Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.
This release of Red Hat AMQ Streams 2.2.0 serves as a replacement for Red Hat AMQ Streams 2.1.0, and includes security and bug fixes, and enhancements.
Security Fix(es):
* kafka: Unauthenticated clients may cause OutOfMemoryError on brokers (CVE-2022-34917)
* jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)
* netty: world readable temporary file containing sensitive data (CVE-2022-24823)
* com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson (CVE-2022-25647)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying the update, back up your existing installation, includingall applications, configuration files, databases and database settings, andso on.The References section of this erratum contains a download link (you mustlog in to download the update).

References

https://access.redhat.com/security/cve/CVE-2020-36518 https://access.redhat.com/security/cve/CVE-2022-24823 https://access.redhat.com/security/cve/CVE-2022-25647 https://access.redhat.com/security/cve/CVE-2022-34917 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.streams&version=2.2.0 https://access.redhat.com/documentation/en-us/red_hat_amq_streams/2.2

Package List

Severity
Advisory ID: RHSA-2022:6819-01
Product: Red Hat JBoss AMQ
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6819
Issued Date: : 2022-10-05
CVE Names: CVE-2020-36518 CVE-2022-24823 CVE-2022-25647 CVE-2022-34917

Topic

Red Hat AMQ Streams 2.2.0 is now available from the Red Hat CustomerPortal.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

Relevant Releases Architectures

Bugs Fixed

2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects

2080850 - CVE-2022-25647 com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson

2087186 - CVE-2022-24823 netty: world readable temporary file containing sensitive data

2130018 - CVE-2022-34917 Kafka: Unauthenticated clients may cause OutOfMemoryError on brokers

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.