Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.
The References section of this erratum contains a download link (you must
log in to download the update).
Red Hat AMQ Streams, based on the Apache Kafka project, offers a
distributed backbone that allows microservices and other applications to
share data with extremely high throughput and extremely low latency.
Security Fix(es):
* snakeyaml: Constructor Deserialization Remote Code Execution
(CVE-2022-1471)
* scala: deserialization gadget chain (CVE-2022-36944)
* DoS of the Okio client when handling a crafted GZIP archive
(CVE-2023-3635)
* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for
decompressed data (CVE-2021-37136)
* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may
buffer skippable chunks in an unnecessary way (CVE-2021-37137)
* netty: world readable temporary file containing sensitive data
(CVE-2022-24823)
* guava: insecure temporary directory creation (CVE-2023-2976)
* Jetty servlets with multipart support may cause OOM error with client
requests (CVE-2023-26048)
* Nonstandard cookie parsing in Jetty may allow an attacker to smuggle
cookies within other cookies (CVE-2023-26049)
* bouncycastle: potential blind LDAP injection attack using a self-signed
certificate (CVE-2023-33201)
* snappy-java: Integer overflow in shuffle leads to DoS (CVE-2023-34453)
* snappy-java: Integer overflow in compress leads to DoS (CVE-2023-34454)
* snappy-java: Unchecked chunk length leads to DoS (CVE-2023-34455)
* Flaw in Netty's SniHandler while navigating TLS handshake; DoS
(CVE-2023-34462)
* RESTEasy: creation of insecure temp files (CVE-2023-0482)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
https://access.redhat.com/security/cve/CVE-2021-37136 https://access.redhat.com/security/cve/CVE-2021-37137 https://access.redhat.com/security/cve/CVE-2022-1471 https://access.redhat.com/security/cve/CVE-2022-24823 https://access.redhat.com/security/cve/CVE-2022-36944 https://access.redhat.com/security/cve/CVE-2023-0482 https://access.redhat.com/security/cve/CVE-2023-2976 https://access.redhat.com/security/cve/CVE-2023-3635 https://access.redhat.com/security/cve/CVE-2023-26048 https://access.redhat.com/security/cve/CVE-2023-26049 https://access.redhat.com/security/cve/CVE-2023-33201 https://access.redhat.com/security/cve/CVE-2023-34453 https://access.redhat.com/security/cve/CVE-2023-34454 https://access.redhat.com/security/cve/CVE-2023-34455 https://access.redhat.com/security/cve/CVE-2023-34462 https://access.redhat.com/security/updates/classification#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.streams&version=2.5.0 https://docs.redhat.com/en/documentation/red_hat_streams_for_apache_kafka/2.5
Red Hat AMQ Streams 2.5.0 is now available from the Red Hat CustomerPortal.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.
2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way
2087186 - CVE-2022-24823 netty: world readable temporary file containing sensitive data
2129809 - CVE-2022-36944 scala: deserialization gadget chain
2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution
2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files
2215229 - CVE-2023-2976 guava: insecure temporary directory creation
2215393 - CVE-2023-34453 snappy-java: Integer overflow in shuffle leads to DoS
2215394 - CVE-2023-34454 snappy-java: Integer overflow in compress leads to DoS
2215445 - CVE-2023-34455 snappy-java: Unchecked chunk length leads to DoS
2215465 - CVE-2023-33201 bouncycastle: potential blind LDAP injection attack using a self-signed certificate
2216888 - CVE-2023-34462 netty: SniHandler 16MB allocation leads to OOM
2229295 - CVE-2023-3635 okio: GzipSource class improper exception handling
2236340 - CVE-2023-26048 jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter()
2236341 - CVE-2023-26049 jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies
Get the latest Linux and open source security news straight to your inbox.