RedHat: RHSA-2023-0189:01 Moderate: Red Hat AMQ Streams 2.3.0 relea...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat AMQ Streams 2.3.0 release and security update
Advisory ID:       RHSA-2023:0189-01
Product:           Red Hat JBoss AMQ
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0189
Issue date:        2023-01-17
CVE Names:         CVE-2022-2047 CVE-2022-2048 CVE-2022-2191 
                   CVE-2022-38752 CVE-2022-42003 CVE-2022-42004 
=====================================================================

1. Summary:

Red Hat AMQ Streams 2.3.0 is now available from the Red Hat Customer
Portal.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat AMQ Streams, based on the Apache Kafka project, offers a
distributed backbone that allows microservices and other applications to
share data with extremely high throughput and extremely low latency.

This release of Red Hat AMQ Streams 2.3.0 serves as a replacement for Red
Hat AMQ Streams 2.2.0, and includes security and bug fixes, and
enhancements.

Security Fix(es):

* http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)

* jetty-server: Improper release of ByteBuffers in SslConnections
(CVE-2022-2191)

* jackson-databind: deep wrapper array nesting wrt
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

* jetty-https: improver hostname input handling (CVE-2022-2047)

* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode
(CVE-2022-38752)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

2116949 - CVE-2022-2047 jetty-https: improver hostname input handling
2116952 - CVE-2022-2048 http2-server: Invalid HTTP/2 requests cause DoS
2116953 - CVE-2022-2191 jetty-server: Improper release of ByteBuffers in SslConnections
2129710 - CVE-2022-38752 snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays

5. References:

https://access.redhat.com/security/cve/CVE-2022-2047
https://access.redhat.com/security/cve/CVE-2022-2048
https://access.redhat.com/security/cve/CVE-2022-2191
https://access.redhat.com/security/cve/CVE-2022-38752
https://access.redhat.com/security/cve/CVE-2022-42003
https://access.redhat.com/security/cve/CVE-2022-42004
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.streams&version=2.3.0
https://access.redhat.com/documentation/en-us/red_hat_amq_streams/2.3

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY8bOFNzjgjWX9erEAQjLJRAAkV4o3td1Bgsn1KLPfwSv8lH5mzng45Fb
fhIyg6g7sZW+Pb4+MpqUg9Ihg3VakFIxImVJgdwETuBelA+HFcurC301xLBW1Xl7
JS0ABRPn3JQtVCVutN5n7u0CrLtd02R8QqLGnA0YwZYM/AWVPoPEEHIfQlzFOFxn
jzqRlAbZK3nxdEQGe4NxJmEBYaDAbkMfAcu+BR67mXYRJwpmcnFlwnLA+h94oTkh
lZiK9mTFNIhX8XfmMvJtGo/dmtLdOdQiGA2wAeSa7B99MIe1GF8D7RytOEsTtiLF
hi1/33ZeXbddj0C0pJPRkOy1EPs/I00MxIlK6hIXe08evrXzFIfBP/u13NpcFCUs
O1Ic5Xwjj0DvZifoTksudT8alR88rdgrEaO8BK0SKznwdK6G1gmV0CLlex+cykFX
9BGg/3iCx4kvg3KtNhp12ss2kkeboZ0gvmG9RS4f7sRtvEFwpmPfSq9SZ2zDHeZ9
6KVLNaVIKmLWtLAl8vZStCOoXvMmzi+9iWyUAO+pCshPVwuF2omJhPEYf264nsEP
s6lFl5MdiwOuNfMoE4ZWbjk4UeI6PaZsfC7qQOtgp44mOOXA3rXvhG26mlMU8JGV
BZPaCSCXHfw89z1+tx3UcYXLiQnP4RWwBkB+i4/AcaYRjw8horImgZgn4OCRF3Ai
10CwjQ1Ic4I=
=lcYE
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-0189:01 Moderate: Red Hat AMQ Streams 2.3.0 release and

Red Hat AMQ Streams 2.3.0 is now available from the Red Hat Customer Portal

Summary

Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.
This release of Red Hat AMQ Streams 2.3.0 serves as a replacement for Red Hat AMQ Streams 2.2.0, and includes security and bug fixes, and enhancements.
Security Fix(es):
* http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)
* jetty-server: Improper release of ByteBuffers in SslConnections (CVE-2022-2191)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jetty-https: improver hostname input handling (CVE-2022-2047)
* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying the update, back up your existing installation, includingall applications, configuration files, databases and database settings, andso on.The References section of this erratum contains a download link (you mustlog in to download the update).

References

https://access.redhat.com/security/cve/CVE-2022-2047 https://access.redhat.com/security/cve/CVE-2022-2048 https://access.redhat.com/security/cve/CVE-2022-2191 https://access.redhat.com/security/cve/CVE-2022-38752 https://access.redhat.com/security/cve/CVE-2022-42003 https://access.redhat.com/security/cve/CVE-2022-42004 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.streams&version=2.3.0 https://access.redhat.com/documentation/en-us/red_hat_amq_streams/2.3

Package List

Severity
Advisory ID: RHSA-2023:0189-01
Product: Red Hat JBoss AMQ
Advisory URL: https://access.redhat.com/errata/RHSA-2023:0189
Issued Date: : 2023-01-17
CVE Names: CVE-2022-2047 CVE-2022-2048 CVE-2022-2191 CVE-2022-38752 CVE-2022-42003 CVE-2022-42004

Topic

Red Hat AMQ Streams 2.3.0 is now available from the Red Hat CustomerPortal.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Relevant Releases Architectures

Bugs Fixed

2116949 - CVE-2022-2047 jetty-https: improver hostname input handling

2116952 - CVE-2022-2048 http2-server: Invalid HTTP/2 requests cause DoS

2116953 - CVE-2022-2191 jetty-server: Improper release of ByteBuffers in SslConnections

2129710 - CVE-2022-38752 snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode

2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS

2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.