-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat AMQ Streams 2.3.0 release and security update
Advisory ID:       RHSA-2023:0189-01
Product:           Red Hat JBoss AMQ
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0189
Issue date:        2023-01-17
CVE Names:         CVE-2022-2047 CVE-2022-2048 CVE-2022-2191 
                   CVE-2022-38752 CVE-2022-42003 CVE-2022-42004 
====================================================================
1. Summary:

Red Hat AMQ Streams 2.3.0 is now available from the Red Hat Customer
Portal.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat AMQ Streams, based on the Apache Kafka project, offers a
distributed backbone that allows microservices and other applications to
share data with extremely high throughput and extremely low latency.

This release of Red Hat AMQ Streams 2.3.0 serves as a replacement for Red
Hat AMQ Streams 2.2.0, and includes security and bug fixes, and
enhancements.

Security Fix(es):

* http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)

* jetty-server: Improper release of ByteBuffers in SslConnections
(CVE-2022-2191)

* jackson-databind: deep wrapper array nesting wrt
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

* jetty-http: improver hostname input handling (CVE-2022-2047)

* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode
(CVE-2022-38752)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

2116949 - CVE-2022-2047 jetty-http: improver hostname input handling
2116952 - CVE-2022-2048 http2-server: Invalid HTTP/2 requests cause DoS
2116953 - CVE-2022-2191 jetty-server: Improper release of ByteBuffers in SslConnections
2129710 - CVE-2022-38752 snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays

5. References:

https://access.redhat.com/security/cve/CVE-2022-2047
https://access.redhat.com/security/cve/CVE-2022-2048
https://access.redhat.com/security/cve/CVE-2022-2191
https://access.redhat.com/security/cve/CVE-2022-38752
https://access.redhat.com/security/cve/CVE-2022-42003
https://access.redhat.com/security/cve/CVE-2022-42004
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.streams&version=2.3.0
https://access.redhat.com/documentation/en-us/red_hat_amq_streams/2.3

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY8bOFNzjgjWX9erEAQjLJRAAkV4o3td1Bgsn1KLPfwSv8lH5mzng45Fb
fhIyg6g7sZW+Pb4+MpqUg9Ihg3VakFIxImVJgdwETuBelA+HFcurC301xLBW1Xl7
JS0ABRPn3JQtVCVutN5n7u0CrLtd02R8QqLGnA0YwZYM/AWVPoPEEHIfQlzFOFxn
jzqRlAbZK3nxdEQGe4NxJmEBYaDAbkMfAcu+BR67mXYRJwpmcnFlwnLA+h94oTkh
lZiK9mTFNIhX8XfmMvJtGo/dmtLdOdQiGA2wAeSa7B99MIe1GF8D7RytOEsTtiLF
hi1/33ZeXbddj0C0pJPRkOy1EPs/I00MxIlK6hIXe08evrXzFIfBP/u13NpcFCUs
O1Ic5Xwjj0DvZifoTksudT8alR88rdgrEaO8BK0SKznwdK6G1gmV0CLlex+cykFX
9BGg/3iCx4kvg3KtNhp12ss2kkeboZ0gvmG9RS4f7sRtvEFwpmPfSq9SZ2zDHeZ9
6KVLNaVIKmLWtLAl8vZStCOoXvMmzi+9iWyUAO+pCshPVwuF2omJhPEYf264nsEP
s6lFl5MdiwOuNfMoE4ZWbjk4UeI6PaZsfC7qQOtgp44mOOXA3rXvhG26mlMU8JGV
BZPaCSCXHfw89z1+tx3UcYXLiQnP4RWwBkB+i4/AcaYRjw8horImgZgn4OCRF3Ai
10CwjQ1Ic4I=lcYE
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-0189:01 Moderate: Red Hat AMQ Streams 2.3.0 release and

Red Hat AMQ Streams 2.3.0 is now available from the Red Hat Customer Portal

Summary

Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.
This release of Red Hat AMQ Streams 2.3.0 serves as a replacement for Red Hat AMQ Streams 2.2.0, and includes security and bug fixes, and enhancements.
Security Fix(es):
* http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)
* jetty-server: Improper release of ByteBuffers in SslConnections (CVE-2022-2191)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jetty-http: improver hostname input handling (CVE-2022-2047)
* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
The References section of this erratum contains a download link (you must log in to download the update).

References

https://access.redhat.com/security/cve/CVE-2022-2047 https://access.redhat.com/security/cve/CVE-2022-2048 https://access.redhat.com/security/cve/CVE-2022-2191 https://access.redhat.com/security/cve/CVE-2022-38752 https://access.redhat.com/security/cve/CVE-2022-42003 https://access.redhat.com/security/cve/CVE-2022-42004 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.streams&version=2.3.0 https://access.redhat.com/documentation/en-us/red_hat_amq_streams/2.3

Package List


Severity
Advisory ID: RHSA-2023:0189-01
Product: Red Hat JBoss AMQ
Advisory URL: https://access.redhat.com/errata/RHSA-2023:0189
Issued Date: : 2023-01-17
CVE Names: CVE-2022-2047 CVE-2022-2048 CVE-2022-2191 CVE-2022-38752 CVE-2022-42003 CVE-2022-42004

Topic

Red Hat AMQ Streams 2.3.0 is now available from the Red Hat CustomerPortal.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

2116949 - CVE-2022-2047 jetty-http: improver hostname input handling

2116952 - CVE-2022-2048 http2-server: Invalid HTTP/2 requests cause DoS

2116953 - CVE-2022-2191 jetty-server: Improper release of ByteBuffers in SslConnections

2129710 - CVE-2022-38752 snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode

2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS

2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays


Related News

5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved