Red Hat 9062 Published by

A Red Hat AMQ Streams 1.8.0 release and security update has been released.



RHSA-2021:3225-01: Moderate: Red Hat AMQ Streams 1.8.0 release and security update



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat AMQ Streams 1.8.0 release and security update
Advisory ID: RHSA-2021:3225-01
Product: Red Hat JBoss AMQ
Advisory URL:   https://access.redhat.com/errata/RHSA-2021:3225
Issue date: 2021-08-19
CVE Names: CVE-2017-18640 CVE-2021-21290 CVE-2021-21295
CVE-2021-21409 CVE-2021-27568 CVE-2021-28163
CVE-2021-28164 CVE-2021-28165 CVE-2021-28168
CVE-2021-28169 CVE-2021-29425 CVE-2021-34428
=====================================================================

1. Summary:

Red Hat AMQ Streams 1.8.0 is now available from the Red Hat Customer
Portal.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat AMQ Streams, based on the Apache Kafka project, offers a
distributed backbone that allows microservices and other applications to
share data with extremely high throughput and extremely low latency.

This release of Red Hat AMQ Streams 1.8.0 serves as a replacement for Red
Hat AMQ Streams 1.7.0, and includes security and bug fixes, and
enhancements.

Security Fix(es):

* snakeyaml: Billion laughs attack via alias feature (CVE-2017-18640)

* netty: Information disclosure via the local system temporary directory
(CVE-2021-21290)

* netty: possible request smuggling in HTTP/2 due missing validation
(CVE-2021-21295)

* netty: Request smuggling via content-length header (CVE-2021-21409)

* json-smart: uncaught exception may lead to crash or information
disclosure (CVE-2021-27568)

* jetty: Symlink directory exposes webapp directory contents
(CVE-2021-28163)

* jetty: Ambiguous paths can access WEB-INF (CVE-2021-28164)

* jetty: Resource exhaustion when receiving an invalid large TLS frame
(CVE-2021-28165)

* jersey: Local information disclosure via system temporary directory
(CVE-2021-28168)

* jetty: requests to the ConcatServlet and WelcomeFilter are able to access
protected resources within the WEB-INF directory (CVE-2021-28169)

* apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6
(CVE-2021-29425)

* jetty: SessionListener can prevent a session from being invalidated
breaking logout (CVE-2021-34428)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (  https://bugzilla.redhat.com/):

1785376 - CVE-2017-18640 snakeyaml: Billion laughs attack via alias feature
1927028 - CVE-2021-21290 netty: Information disclosure via the local system temporary directory
1937364 - CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation
1939839 - CVE-2021-27568 json-smart: uncaught exception may lead to crash or information disclosure
1944888 - CVE-2021-21409 netty: Request smuggling via content-length header
1945710 - CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents
1945712 - CVE-2021-28164 jetty: Ambiguous paths can access WEB-INF
1945714 - CVE-2021-28165 jetty: Resource exhaustion when receiving an invalid large TLS frame
1948752 - CVE-2021-29425 apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6
1953024 - CVE-2021-28168 jersey: Local information disclosure via system temporary directory
1971016 - CVE-2021-28169 jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory
1974891 - CVE-2021-34428 jetty: SessionListener can prevent a session from being invalidated breaking logout

5. References:

  https://access.redhat.com/security/cve/CVE-2017-18640
  https://access.redhat.com/security/cve/CVE-2021-21290
  https://access.redhat.com/security/cve/CVE-2021-21295
  https://access.redhat.com/security/cve/CVE-2021-21409
  https://access.redhat.com/security/cve/CVE-2021-27568
  https://access.redhat.com/security/cve/CVE-2021-28163
  https://access.redhat.com/security/cve/CVE-2021-28164
  https://access.redhat.com/security/cve/CVE-2021-28165
  https://access.redhat.com/security/cve/CVE-2021-28168
  https://access.redhat.com/security/cve/CVE-2021-28169
  https://access.redhat.com/security/cve/CVE-2021-29425
  https://access.redhat.com/security/cve/CVE-2021-34428
  https://access.redhat.com/security/updates/classification/#moderate
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.streams&version=1.8.0

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.