[RHSA-2023:5165-01] Important: Red Hat AMQ Streams 2.5.0 release and security update
====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat AMQ Streams 2.5.0 release and security update
Advisory ID: RHSA-2023:5165-01
Product: Red Hat AMQ Streams
Advisory URL: https://access.redhat.com/errata/RHSA-2023:5165
Issue date: 2023-09-14
CVE Names: CVE-2021-37136 CVE-2021-37137 CVE-2022-1471
CVE-2022-24823 CVE-2022-36944 CVE-2023-0482
CVE-2023-2976 CVE-2023-3635 CVE-2023-26048
CVE-2023-26049 CVE-2023-33201 CVE-2023-34453
CVE-2023-34454 CVE-2023-34455 CVE-2023-34462
====================================================================
1. Summary:
Red Hat AMQ Streams 2.5.0 is now available from the Red Hat Customer
Portal.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
Red Hat AMQ Streams, based on the Apache Kafka project, offers a
distributed backbone that allows microservices and other applications to
share data with extremely high throughput and extremely low latency.
Security Fix(es):
* snakeyaml: Constructor Deserialization Remote Code Execution
(CVE-2022-1471)
* scala: deserialization gadget chain (CVE-2022-36944)
* DoS of the Okio client when handling a crafted GZIP archive
(CVE-2023-3635)
* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for
decompressed data (CVE-2021-37136)
* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may
buffer skippable chunks in an unnecessary way (CVE-2021-37137)
* netty: world readable temporary file containing sensitive data
(CVE-2022-24823)
* guava: insecure temporary directory creation (CVE-2023-2976)
* Jetty servlets with multipart support may cause OOM error with client
requests (CVE-2023-26048)
* Nonstandard cookie parsing in Jetty may allow an attacker to smuggle
cookies within other cookies (CVE-2023-26049)
* bouncycastle: potential blind LDAP injection attack using a self-signed
certificate (CVE-2023-33201)
* snappy-java: Integer overflow in shuffle leads to DoS (CVE-2023-34453)
* snappy-java: Integer overflow in compress leads to DoS (CVE-2023-34454)
* snappy-java: Unchecked chunk length leads to DoS (CVE-2023-34455)
* Flaw in Netty's SniHandler while navigating TLS handshake; DoS
(CVE-2023-34462)
* RESTEasy: creation of insecure temp files (CVE-2023-0482)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.
The References section of this erratum contains a download link (you must
log in to download the update).
4. Bugs fixed ( https://bugzilla.redhat.com/):
2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way
2087186 - CVE-2022-24823 netty: world readable temporary file containing sensitive data
2129809 - CVE-2022-36944 scala: deserialization gadget chain
2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution
2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files
2215229 - CVE-2023-2976 guava: insecure temporary directory creation
2215393 - CVE-2023-34453 snappy-java: Integer overflow in shuffle leads to DoS
2215394 - CVE-2023-34454 snappy-java: Integer overflow in compress leads to DoS
2215445 - CVE-2023-34455 snappy-java: Unchecked chunk length leads to DoS
2215465 - CVE-2023-33201 bouncycastle: potential blind LDAP injection attack using a self-signed certificate
2216888 - CVE-2023-34462 netty: SniHandler 16MB allocation leads to OOM
2229295 - CVE-2023-3635 okio: GzipSource class improper exception handling
2236340 - CVE-2023-26048 jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter()
2236341 - CVE-2023-26049 jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies
5. JIRA issues fixed ( https://issues.redhat.com/):
ENTMQST-5081 - [PROD] Create RHSA erratum for Streams 2.5.0
6. References:
https://access.redhat.com/security/cve/CVE-2021-37136
https://access.redhat.com/security/cve/CVE-2021-37137
https://access.redhat.com/security/cve/CVE-2022-1471
https://access.redhat.com/security/cve/CVE-2022-24823
https://access.redhat.com/security/cve/CVE-2022-36944
https://access.redhat.com/security/cve/CVE-2023-0482
https://access.redhat.com/security/cve/CVE-2023-2976
https://access.redhat.com/security/cve/CVE-2023-3635
https://access.redhat.com/security/cve/CVE-2023-26048
https://access.redhat.com/security/cve/CVE-2023-26049
https://access.redhat.com/security/cve/CVE-2023-33201
https://access.redhat.com/security/cve/CVE-2023-34453
https://access.redhat.com/security/cve/CVE-2023-34454
https://access.redhat.com/security/cve/CVE-2023-34455
https://access.redhat.com/security/cve/CVE-2023-34462
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.streams&version=2.5.0
https://access.redhat.com/documentation/en-us/red_hat_amq_streams/2.5
7. Contact:
The Red Hat security contact is [secalert@redhat.com]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
--
A Red Hat AMQ Streams 2.5.0 release and security update has been released.
