-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat AMQ Streams 2.0.0 release and security update Advisory ID: RHSA-2022:0138-01 Product: Red Hat JBoss AMQ Advisory URL: https://access.redhat.com/errata/RHSA-2022:0138 Issue date: 2022-01-13 Cross references: CVE-2021-34429 CVE-2021-38153 CVE-2021-37137 CVE-2021-37136 CVE-2021-44832 CVE Names: CVE-2021-34429 CVE-2021-37136 CVE-2021-37137 CVE-2021-38153 CVE-2021-44832 ==================================================================== 1. Summary: Red Hat AMQ Streams 2.0.0 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. This release of Red Hat AMQ Streams 2.0.0 serves as a replacement for Red Hat AMQ Streams 1.8.4, and includes security and bug fixes, and enhancements. Security Fix(es): * jetty: crafted URIs allow bypassing security constraints (CVE-2021-34429) * netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136) * netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137) * Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients (CVE-2021-38153) * log4j-core: remote code execution via JDBC Appender (CVE-2021-44832) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link (you must log in to download the update). 4. Bugs fixed (https://bugzilla.redhat.com/): 1985223 - CVE-2021-34429 jetty: crafted URIs allow bypassing security constraints 2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data 2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way 2009041 - CVE-2021-38153 Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients 2035951 - CVE-2021-44832 log4j-core: remote code execution via JDBC Appender 5. References: https://access.redhat.com/security/cve/CVE-2021-34429 https://access.redhat.com/security/cve/CVE-2021-37136 https://access.redhat.com/security/cve/CVE-2021-37137 https://access.redhat.com/security/cve/CVE-2021-38153 https://access.redhat.com/security/cve/CVE-2021-44832 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.streams&version=2.0.0 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYeBrYNzjgjWX9erEAQiMmA//QMy0pzkNbwRhQCwBMvH9Ui7yYr2uaEd7 Eka3AZDiWFTuozAdKhlGqKgwCIrYiHtazg1+lbz00mAYnjmljOSjDQ/M+11jeneO m9aNjZlpb7NtgIPRszQ/Ei53LRDHboWPVASvE8ectVG2cigXQqL2WfImPCtfXIGf tc6socUa83fQ7gVvkQfwtZOXwqFwNZRl2Zl5CdwdCRlIzG7pXqNlLv5EJr779cf2 z7Jz7n3faefDztog7i69/bHXHr0PSz93JQ2FGCj9+nKd+g4YmwKMD9QdmYdmsNCR qfOeSguPKEM3YK3if0K0T2SmxQxq13RZWFAdgN5hFXxzDa6xX2J5TVcu3FoiBHA4 21uqCQEWqJntvZYJKRtE9hBLTw1qHLpfDz8RdonQaAaRgwZV8k5WJ1+0ly+tm+3z I455bMmPiW6YMH92/1JLrP7WRT5O9QUb9Eaxya2gt04FBifuDF2SyuE/7kS4knsI K7oVp/YjYIhc0h8RO8YjhnXQShATZqxVApbYEXUNui1k+PYwDo1bu3grBCifZR6q aqghZeB1TLahB+vrf2O5zRlpbOv86jTD6U/9eN2TQ3XmfqjxPR5wRImX2CrSSBP8 +gSu89pIMwAFs5tmKyV0ayMTnyJkJqzxjeN/Gp0GTrjizzWJNz3QfE8FyOe302Y+ 4IJt5YgL8Eo=ONcY -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce