-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat AMQ Streams 2.5.0 release and security update
Advisory ID:       RHSA-2023:5165-01
Product:           Red Hat AMQ Streams
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5165
Issue date:        2023-09-14
CVE Names:         CVE-2021-37136 CVE-2021-37137 CVE-2022-1471 
                   CVE-2022-24823 CVE-2022-36944 CVE-2023-0482 
                   CVE-2023-2976 CVE-2023-3635 CVE-2023-26048 
                   CVE-2023-26049 CVE-2023-33201 CVE-2023-34453 
                   CVE-2023-34454 CVE-2023-34455 CVE-2023-34462 
=====================================================================

1. Summary:

Red Hat AMQ Streams 2.5.0 is now available from the Red Hat Customer
Portal.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat AMQ Streams, based on the Apache Kafka project, offers a
distributed backbone that allows microservices and other applications to
share data with extremely high throughput and extremely low latency.

Security Fix(es):

* snakeyaml: Constructor Deserialization Remote Code Execution
(CVE-2022-1471)
 
* scala: deserialization gadget chain (CVE-2022-36944)

* DoS of the Okio client when handling a crafted GZIP archive
(CVE-2023-3635)
 
* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for
decompressed data (CVE-2021-37136)

* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may
buffer skippable chunks in an unnecessary way (CVE-2021-37137)

* netty: world readable temporary file containing sensitive data
(CVE-2022-24823)

* guava: insecure temporary directory creation (CVE-2023-2976)

* Jetty servlets with multipart support may cause OOM error with client
requests (CVE-2023-26048)

* Nonstandard cookie parsing in Jetty may allow an attacker to smuggle
cookies within other cookies (CVE-2023-26049)

* bouncycastle: potential blind LDAP injection attack using a self-signed
certificate (CVE-2023-33201)

* snappy-java: Integer overflow in shuffle leads to DoS (CVE-2023-34453)

* snappy-java: Integer overflow in compress leads to DoS (CVE-2023-34454)

* snappy-java: Unchecked chunk length leads to DoS (CVE-2023-34455)

* Flaw in Netty's SniHandler while navigating TLS handshake; DoS
(CVE-2023-34462)

* RESTEasy: creation of insecure temp files (CVE-2023-0482)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way
2087186 - CVE-2022-24823 netty: world readable temporary file containing sensitive data
2129809 - CVE-2022-36944 scala: deserialization gadget chain
2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution
2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files
2215229 - CVE-2023-2976 guava: insecure temporary directory creation
2215393 - CVE-2023-34453 snappy-java: Integer overflow in shuffle leads to DoS
2215394 - CVE-2023-34454 snappy-java: Integer overflow in compress leads to DoS
2215445 - CVE-2023-34455 snappy-java: Unchecked chunk length leads to DoS
2215465 - CVE-2023-33201 bouncycastle: potential  blind LDAP injection attack using a self-signed certificate
2216888 - CVE-2023-34462 netty: SniHandler 16MB allocation leads to OOM
2229295 - CVE-2023-3635 okio: GzipSource class improper exception handling
2236340 - CVE-2023-26048 jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter()
2236341 - CVE-2023-26049 jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies

5. JIRA issues fixed (https://issues.redhat.com/):

ENTMQST-5081 - [PROD] Create RHSA erratum for Streams 2.5.0

6. References:

https://access.redhat.com/security/cve/CVE-2021-37136
https://access.redhat.com/security/cve/CVE-2021-37137
https://access.redhat.com/security/cve/CVE-2022-1471
https://access.redhat.com/security/cve/CVE-2022-24823
https://access.redhat.com/security/cve/CVE-2022-36944
https://access.redhat.com/security/cve/CVE-2023-0482
https://access.redhat.com/security/cve/CVE-2023-2976
https://access.redhat.com/security/cve/CVE-2023-3635
https://access.redhat.com/security/cve/CVE-2023-26048
https://access.redhat.com/security/cve/CVE-2023-26049
https://access.redhat.com/security/cve/CVE-2023-33201
https://access.redhat.com/security/cve/CVE-2023-34453
https://access.redhat.com/security/cve/CVE-2023-34454
https://access.redhat.com/security/cve/CVE-2023-34455
https://access.redhat.com/security/cve/CVE-2023-34462
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.streams&version=2.5.0
https://access.redhat.com/documentation/en-us/red_hat_amq_streams/2.5

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJlAyZSAAoJENzjgjWX9erEmRwQAIr30XliBoykJhsrfof3/YM7
dmC4a5RLefsM62tkqRzbQuEpMuD/sC7ODRe415g49vP3iwzj9siV+vN9wHR2+4uB
QivzIH+Ka2A7p7YoCpBrHqytibI7ZRQTyHvOLvTxm43VQ/m4G3PevdHs5q6gvUFS
JawbpjWQ3XbgfXe9JB0lgFxrLE+Xjqf8fkXWHRcJ42uW+4MA+1vVUnET28U4rHEh
qqX+BzcYL7Rx/CpxRj6ewAHRID59z2HsUgp+yNflb4hLqe+ByCyl169DlTMTMAvX
pYqthRb8EXx2MIGkInyz9GsRL5vnm684tZFYW62hgQKO1JQNF4dBxuQArDl9SNFm
P+zLfV7ShhhrSkEnBg81yVeRPkbFF/3oOurCxhWTsdb0ZUXHhY4EcOmJklPGTzg4
CSp86UrXE9XUGzTHnMc2/AUVDvhq6pqUj550UbdK5ijaEkuuTXUOkreqvb5DM1PS
4WbLJxcBsZEOYEzSflzA6cy5rLt7VLONIu8IoBNyrjbaY62UTOYXwtwb2pnL3BX0
ClCmxhawvrlhmVXupapG7X9FBNqTo1VqCMImLaGH5zvL9fOFbUOmsr4tpnAdy0dN
aqs7PftCiWcqTt+85nOzEaKGorWo45VIjomdLX0FDPLnIL5oLefr8eL0xOYYXeQa
dnMwz+Rga4GUk26e29q0
=V0cF
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-5165:01 Important: Red Hat AMQ Streams 2.5.0 release and

Red Hat AMQ Streams 2.5.0 is now available from the Red Hat Customer Portal

Summary

Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.
Security Fix(es):
* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* scala: deserialization gadget chain (CVE-2022-36944)
* DoS of the Okio client when handling a crafted GZIP archive (CVE-2023-3635)
* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136)
* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)
* netty: world readable temporary file containing sensitive data (CVE-2022-24823)
* guava: insecure temporary directory creation (CVE-2023-2976)
* Jetty servlets with multipart support may cause OOM error with client requests (CVE-2023-26048)
* Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies (CVE-2023-26049)
* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)
* snappy-java: Integer overflow in shuffle leads to DoS (CVE-2023-34453)
* snappy-java: Integer overflow in compress leads to DoS (CVE-2023-34454)
* snappy-java: Unchecked chunk length leads to DoS (CVE-2023-34455)
* Flaw in Netty's SniHandler while navigating TLS handshake; DoS (CVE-2023-34462)
* RESTEasy: creation of insecure temp files (CVE-2023-0482)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
The References section of this erratum contains a download link (you must log in to download the update).

References

https://access.redhat.com/security/cve/CVE-2021-37136 https://access.redhat.com/security/cve/CVE-2021-37137 https://access.redhat.com/security/cve/CVE-2022-1471 https://access.redhat.com/security/cve/CVE-2022-24823 https://access.redhat.com/security/cve/CVE-2022-36944 https://access.redhat.com/security/cve/CVE-2023-0482 https://access.redhat.com/security/cve/CVE-2023-2976 https://access.redhat.com/security/cve/CVE-2023-3635 https://access.redhat.com/security/cve/CVE-2023-26048 https://access.redhat.com/security/cve/CVE-2023-26049 https://access.redhat.com/security/cve/CVE-2023-33201 https://access.redhat.com/security/cve/CVE-2023-34453 https://access.redhat.com/security/cve/CVE-2023-34454 https://access.redhat.com/security/cve/CVE-2023-34455 https://access.redhat.com/security/cve/CVE-2023-34462 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.streams&version=2.5.0 https://access.redhat.com/documentation/en-us/red_hat_amq_streams/2.5

Package List


Severity
Advisory ID: RHSA-2023:5165-01
Product: Red Hat AMQ Streams
Advisory URL: https://access.redhat.com/errata/RHSA-2023:5165
Issued Date: : 2023-09-14
CVE Names: CVE-2021-37136 CVE-2021-37137 CVE-2022-1471 CVE-2022-24823 CVE-2022-36944 CVE-2023-0482 CVE-2023-2976 CVE-2023-3635 CVE-2023-26048 CVE-2023-26049 CVE-2023-33201 CVE-2023-34453 CVE-2023-34454 CVE-2023-34455 CVE-2023-34462

Topic

Red Hat AMQ Streams 2.5.0 is now available from the Red Hat CustomerPortal.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data

2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way

2087186 - CVE-2022-24823 netty: world readable temporary file containing sensitive data

2129809 - CVE-2022-36944 scala: deserialization gadget chain

2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution

2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files

2215229 - CVE-2023-2976 guava: insecure temporary directory creation

2215393 - CVE-2023-34453 snappy-java: Integer overflow in shuffle leads to DoS

2215394 - CVE-2023-34454 snappy-java: Integer overflow in compress leads to DoS

2215445 - CVE-2023-34455 snappy-java: Unchecked chunk length leads to DoS

2215465 - CVE-2023-33201 bouncycastle: potential blind LDAP injection attack using a self-signed certificate

2216888 - CVE-2023-34462 netty: SniHandler 16MB allocation leads to OOM

2229295 - CVE-2023-3635 okio: GzipSource class improper exception handling

2236340 - CVE-2023-26048 jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter()

2236341 - CVE-2023-26049 jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies

5. JIRA issues fixed (https://issues.redhat.com/):

ENTMQST-5081 - [PROD] Create RHSA erratum for Streams 2.5.0


Related News

19.Laptop Bed Esm H320
2 - 3 min read
The release of Google Chrome 124 addresses four vulnerabilities, including a critical security flaw that can enable attackers to execute arbitrary
23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved