-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat AMQ Streams 2.0.1 release and security update
Advisory ID:       RHSA-2022:0469-01
Product:           Red Hat JBoss AMQ
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:0469
Issue date:        2022-02-08
CVE Names:         CVE-2021-4178 CVE-2022-23302 CVE-2022-23305
                   CVE-2022-23307
=====================================================================

1. Summary:

Red Hat AMQ Streams 2.0.1 is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed
backbone that allows microservices and other applications to share data with
extremely high throughput and extremely low latency.

This release of Red Hat AMQ Streams 2.0.1 serves as a replacement for Red Hat
AMQ Streams 2.0.0, and includes security fixes, bug fixes, and enhancements.

Security Fix(es):

* log4j: SQL injection in Log4j 1.x when application is configured to use
JDBCAppender (CVE-2022-23305)

* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)

* kubernetes-client: Insecure deserialization in unmarshalYaml method
(CVE-2021-4178)

* log4j: Remote code execution in Log4j 1.x when application is configured
to use JMSSink (CVE-2022-23302)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

2034388 - CVE-2021-4178 kubernetes-client: Insecure deserialization in unmarshalYaml method
2041949 - CVE-2022-23302 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink
2041959 - CVE-2022-23305 log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender
2041967 - CVE-2022-23307 log4j: Unsafe deserialization flaw in Chainsaw log viewer

5. References:

https://access.redhat.com/security/cve/CVE-2021-4178
https://access.redhat.com/security/cve/CVE-2022-23302
https://access.redhat.com/security/cve/CVE-2022-23305
https://access.redhat.com/security/cve/CVE-2022-23307
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.streams&version=2.0.1

6. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
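As an added check that is not part of this advisory or of the AMQ Streams project, the Python below inspects a log4j 1.x properties configuration for the two Log4j components the advisory names as requiring configuration to be exploitable, JDBCAppender (CVE-2022-23305) and JMSSink (CVE-2022-23302). It assumes the standard log4j 1.2 class names and the `log4j.appender.<name>=<class>` properties syntax; the sample configuration is constructed, and it goes one step beyond the advisory text by also reporting a JDBCAppender whose `sql` statement substitutes the log message (`%m`), which is where the injected content enters the query.

```python
import re
from typing import Dict, List

# Log4j 1.x classes named in the advisory (fully qualified names as shipped in log4j 1.2.x).
AFFECTED_CLASSES = {
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
    "org.apache.log4j.net.JMSSink": "CVE-2022-23302",
}

# The appender declaration (log4j.appender.DB=<class>) has no dot after the
# name, which separates it from sub-properties such as log4j.appender.DB.sql.
APPENDER_DECL = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)\s*$")
APPENDER_PROP = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\.([^=\s]+)\s*=\s*(.*?)\s*$")

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CONFIG = """\
log4j.rootLogger=INFO, CONSOLE, DB
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.DB.URL=jdbc:postgresql://db.example.invalid/app
log4j.appender.DB.sql=INSERT INTO logs VALUES ('%d', '%p', '%m')
"""

def parse_log4j_properties(text: str) -> Dict[str, Dict[str, str]]:
    """Return {appender name: {"class": ..., <property>: ...}} from a log4j 1.x properties file."""
    appenders: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue  # blank line or properties-file comment
        if m := APPENDER_DECL.match(line):
            appenders.setdefault(m.group(1), {})["class"] = m.group(2)
        elif m := APPENDER_PROP.match(line):
            appenders.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return appenders

def find_affected(text: str) -> List[str]:
    """Report appenders (and any other reference) that use a class from the advisory."""
    findings = []
    for name, props in parse_log4j_properties(text).items():
        cls = props.get("class", "")
        if cve := AFFECTED_CLASSES.get(cls):
            findings.append(f"{cve}: appender '{name}' uses {cls}")
            # The injection path: the message converter (%m) is substituted into the SQL text.
            if cls.endswith("JDBCAppender") and "%m" in props.get("sql", ""):
                findings.append(f"{cve}: appender '{name}' puts the log message (%m) into its SQL")
    # JMSSink is not an appender, so also flag affected classes referenced anywhere in the file.
    for cls, cve in AFFECTED_CLASSES.items():
        if cls in text and not any(cls in f for f in findings):
            findings.append(f"{cve}: {cls} referenced in configuration")
    return findings
```

Calling `find_affected(SAMPLE_CONFIG)` yields two CVE-2022-23305 findings for the constructed sample; a configuration with only ConsoleAppender yields none.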