Red Hat 9062 Published by

A Red Hat AMQ Streams 2.5.0 release and security update has been released.



[RHSA-2023:5165-01] Important: Red Hat AMQ Streams 2.5.0 release and security update


====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat AMQ Streams 2.5.0 release and security update
Advisory ID: RHSA-2023:5165-01
Product: Red Hat AMQ Streams
Advisory URL: https://access.redhat.com/errata/RHSA-2023:5165
Issue date: 2023-09-14
CVE Names: CVE-2021-37136 CVE-2021-37137 CVE-2022-1471
CVE-2022-24823 CVE-2022-36944 CVE-2023-0482
CVE-2023-2976 CVE-2023-3635 CVE-2023-26048
CVE-2023-26049 CVE-2023-33201 CVE-2023-34453
CVE-2023-34454 CVE-2023-34455 CVE-2023-34462
====================================================================
1. Summary:

Red Hat AMQ Streams 2.5.0 is now available from the Red Hat Customer
Portal.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat AMQ Streams, based on the Apache Kafka project, offers a
distributed backbone that allows microservices and other applications to
share data with extremely high throughput and extremely low latency.

Security Fix(es):

* snakeyaml: Constructor Deserialization Remote Code Execution
(CVE-2022-1471)

* scala: deserialization gadget chain (CVE-2022-36944)

* DoS of the Okio client when handling a crafted GZIP archive
(CVE-2023-3635)

* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for
decompressed data (CVE-2021-37136)

* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may
buffer skippable chunks in an unnecessary way (CVE-2021-37137)

* netty: world readable temporary file containing sensitive data
(CVE-2022-24823)

* guava: insecure temporary directory creation (CVE-2023-2976)

* Jetty servlets with multipart support may cause OOM error with client
requests (CVE-2023-26048)

* Nonstandard cookie parsing in Jetty may allow an attacker to smuggle
cookies within other cookies (CVE-2023-26049)

* bouncycastle: potential blind LDAP injection attack using a self-signed
certificate (CVE-2023-33201)

* snappy-java: Integer overflow in shuffle leads to DoS (CVE-2023-34453)

* snappy-java: Integer overflow in compress leads to DoS (CVE-2023-34454)

* snappy-java: Unchecked chunk length leads to DoS (CVE-2023-34455)

* Flaw in Netty's SniHandler while navigating TLS handshake; DoS
(CVE-2023-34462)

* RESTEasy: creation of insecure temp files (CVE-2023-0482)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed ( https://bugzilla.redhat.com/):

2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way
2087186 - CVE-2022-24823 netty: world readable temporary file containing sensitive data
2129809 - CVE-2022-36944 scala: deserialization gadget chain
2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution
2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files
2215229 - CVE-2023-2976 guava: insecure temporary directory creation
2215393 - CVE-2023-34453 snappy-java: Integer overflow in shuffle leads to DoS
2215394 - CVE-2023-34454 snappy-java: Integer overflow in compress leads to DoS
2215445 - CVE-2023-34455 snappy-java: Unchecked chunk length leads to DoS
2215465 - CVE-2023-33201 bouncycastle: potential blind LDAP injection attack using a self-signed certificate
2216888 - CVE-2023-34462 netty: SniHandler 16MB allocation leads to OOM
2229295 - CVE-2023-3635 okio: GzipSource class improper exception handling
2236340 - CVE-2023-26048 jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter()
2236341 - CVE-2023-26049 jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies

5. JIRA issues fixed ( https://issues.redhat.com/):

ENTMQST-5081 - [PROD] Create RHSA erratum for Streams 2.5.0

6. References:

https://access.redhat.com/security/cve/CVE-2021-37136
https://access.redhat.com/security/cve/CVE-2021-37137
https://access.redhat.com/security/cve/CVE-2022-1471
https://access.redhat.com/security/cve/CVE-2022-24823
https://access.redhat.com/security/cve/CVE-2022-36944
https://access.redhat.com/security/cve/CVE-2023-0482
https://access.redhat.com/security/cve/CVE-2023-2976
https://access.redhat.com/security/cve/CVE-2023-3635
https://access.redhat.com/security/cve/CVE-2023-26048
https://access.redhat.com/security/cve/CVE-2023-26049
https://access.redhat.com/security/cve/CVE-2023-33201
https://access.redhat.com/security/cve/CVE-2023-34453
https://access.redhat.com/security/cve/CVE-2023-34454
https://access.redhat.com/security/cve/CVE-2023-34455
https://access.redhat.com/security/cve/CVE-2023-34462
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.streams&version=2.5.0
https://access.redhat.com/documentation/en-us/red_hat_amq_streams/2.5

7. Contact:

The Red Hat security contact is [secalert@redhat.com]. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.

--