Red Hat Security Advisory 2023-5165-01 - Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. Issues addressed include code execution, denial of service, deserialization, and integer overflow vulnerabilities.
c7bacd29d694aaaaf457349ec19016b4d130ffc214bfce870fe209e62bdbdd3c
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat AMQ Streams 2.5.0 release and security update
Advisory ID: RHSA-2023:5165-01
Product: Red Hat AMQ Streams
Advisory URL: https://access.redhat.com/errata/RHSA-2023:5165
Issue date: 2023-09-14
CVE Names: CVE-2021-37136 CVE-2021-37137 CVE-2022-1471
CVE-2022-24823 CVE-2022-36944 CVE-2023-0482
CVE-2023-2976 CVE-2023-3635 CVE-2023-26048
CVE-2023-26049 CVE-2023-33201 CVE-2023-34453
CVE-2023-34454 CVE-2023-34455 CVE-2023-34462
=====================================================================
1. Summary:
Red Hat AMQ Streams 2.5.0 is now available from the Red Hat Customer
Portal.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
Red Hat AMQ Streams, based on the Apache Kafka project, offers a
distributed backbone that allows microservices and other applications to
share data with extremely high throughput and extremely low latency.
Security Fix(es):
* snakeyaml: Constructor Deserialization Remote Code Execution
(CVE-2022-1471)
* scala: deserialization gadget chain (CVE-2022-36944)
* DoS of the Okio client when handling a crafted GZIP archive
(CVE-2023-3635)
* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for
decompressed data (CVE-2021-37136)
* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may
buffer skippable chunks in an unnecessary way (CVE-2021-37137)
* netty: world readable temporary file containing sensitive data
(CVE-2022-24823)
* guava: insecure temporary directory creation (CVE-2023-2976)
* Jetty servlets with multipart support may cause OOM error with client
requests (CVE-2023-26048)
* Nonstandard cookie parsing in Jetty may allow an attacker to smuggle
cookies within other cookies (CVE-2023-26049)
* bouncycastle: potential blind LDAP injection attack using a self-signed
certificate (CVE-2023-33201)
* snappy-java: Integer overflow in shuffle leads to DoS (CVE-2023-34453)
* snappy-java: Integer overflow in compress leads to DoS (CVE-2023-34454)
* snappy-java: Unchecked chunk length leads to DoS (CVE-2023-34455)
* Flaw in Netty's SniHandler while navigating TLS handshake; DoS
(CVE-2023-34462)
* RESTEasy: creation of insecure temp files (CVE-2023-0482)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.
The References section of this erratum contains a download link (you must
log in to download the update).
4. Bugs fixed (https://bugzilla.redhat.com/):
2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way
2087186 - CVE-2022-24823 netty: world readable temporary file containing sensitive data
2129809 - CVE-2022-36944 scala: deserialization gadget chain
2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution
2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files
2215229 - CVE-2023-2976 guava: insecure temporary directory creation
2215393 - CVE-2023-34453 snappy-java: Integer overflow in shuffle leads to DoS
2215394 - CVE-2023-34454 snappy-java: Integer overflow in compress leads to DoS
2215445 - CVE-2023-34455 snappy-java: Unchecked chunk length leads to DoS
2215465 - CVE-2023-33201 bouncycastle: potential blind LDAP injection attack using a self-signed certificate
2216888 - CVE-2023-34462 netty: SniHandler 16MB allocation leads to OOM
2229295 - CVE-2023-3635 okio: GzipSource class improper exception handling
2236340 - CVE-2023-26048 jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter()
2236341 - CVE-2023-26049 jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies
5. JIRA issues fixed (https://issues.redhat.com/):
ENTMQST-5081 - [PROD] Create RHSA erratum for Streams 2.5.0
6. References:
https://access.redhat.com/security/cve/CVE-2021-37136
https://access.redhat.com/security/cve/CVE-2021-37137
https://access.redhat.com/security/cve/CVE-2022-1471
https://access.redhat.com/security/cve/CVE-2022-24823
https://access.redhat.com/security/cve/CVE-2022-36944
https://access.redhat.com/security/cve/CVE-2023-0482
https://access.redhat.com/security/cve/CVE-2023-2976
https://access.redhat.com/security/cve/CVE-2023-3635
https://access.redhat.com/security/cve/CVE-2023-26048
https://access.redhat.com/security/cve/CVE-2023-26049
https://access.redhat.com/security/cve/CVE-2023-33201
https://access.redhat.com/security/cve/CVE-2023-34453
https://access.redhat.com/security/cve/CVE-2023-34454
https://access.redhat.com/security/cve/CVE-2023-34455
https://access.redhat.com/security/cve/CVE-2023-34462
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.streams&version=2.5.0
https://access.redhat.com/documentation/en-us/red_hat_amq_streams/2.5
7. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJlAyZSAAoJENzjgjWX9erEmRwQAIr30XliBoykJhsrfof3/YM7
dmC4a5RLefsM62tkqRzbQuEpMuD/sC7ODRe415g49vP3iwzj9siV+vN9wHR2+4uB
QivzIH+Ka2A7p7YoCpBrHqytibI7ZRQTyHvOLvTxm43VQ/m4G3PevdHs5q6gvUFS
JawbpjWQ3XbgfXe9JB0lgFxrLE+Xjqf8fkXWHRcJ42uW+4MA+1vVUnET28U4rHEh
qqX+BzcYL7Rx/CpxRj6ewAHRID59z2HsUgp+yNflb4hLqe+ByCyl169DlTMTMAvX
pYqthRb8EXx2MIGkInyz9GsRL5vnm684tZFYW62hgQKO1JQNF4dBxuQArDl9SNFm
P+zLfV7ShhhrSkEnBg81yVeRPkbFF/3oOurCxhWTsdb0ZUXHhY4EcOmJklPGTzg4
CSp86UrXE9XUGzTHnMc2/AUVDvhq6pqUj550UbdK5ijaEkuuTXUOkreqvb5DM1PS
4WbLJxcBsZEOYEzSflzA6cy5rLt7VLONIu8IoBNyrjbaY62UTOYXwtwb2pnL3BX0
ClCmxhawvrlhmVXupapG7X9FBNqTo1VqCMImLaGH5zvL9fOFbUOmsr4tpnAdy0dN
aqs7PftCiWcqTt+85nOzEaKGorWo45VIjomdLX0FDPLnIL5oLefr8eL0xOYYXeQa
dnMwz+Rga4GUk26e29q0
=V0cF
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce