Red Hat Product Errata RHSA-2024:2944 - Security Advisory
Issued: 2024-05-21
Updated: 2024-05-21

Synopsis

Important: AMQ Broker 7.12.0.OPR.1.GA Container Images release and security update

Type/Severity

Security Advisory: Important

Topic

This is the multiarch release of the AMQ Broker 7.12.0 aligned Operator and associated container images on Red Hat Enterprise Linux 8 for the OpenShift Container Platform.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat Middleware for OpenShift provides images for many of the Red Hat Middleware products for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments.

This release of Red Hat AMQ Broker 7.12.0 includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.

Security Fix(es):

  • (CVE-2023-24540) golang: html/template: improper handling of JavaScript whitespace
  • (CVE-2021-43565) golang.org/x/crypto: empty plaintext packet causes panic
  • (CVE-2022-21698) prometheus/client_golang: Denial of service using InstrumentHandlerCounter
  • (CVE-2022-27664) golang: net/http: handle server errors after sending GOAWAY
  • (CVE-2022-2879) golang: archive/tar: unbounded memory consumption when reading headers
  • (CVE-2022-2880) golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
  • (CVE-2022-41678) Apache ActiveMQ: Deserialization vulnerability on Jolokia that allows authenticated users to perform RCE
  • (CVE-2022-41715) golang: regexp/syntax: limit memory used by parsing regexps
  • (CVE-2022-41723) net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
  • (CVE-2022-41724) golang: crypto/tls: large handshake records may cause panics
  • (CVE-2022-41725) golang: net/http, mime/multipart: denial of service from excessive resource consumption
  • (CVE-2023-24534) golang: net/http, net/textproto: denial of service from excessive memory allocation
  • (CVE-2023-24536) golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption
  • (CVE-2023-24537) golang: go/parser: Infinite loop in parsing
  • (CVE-2023-24538) golang: html/template: backticks not treated as string delimiters
  • (CVE-2023-24539) golang: html/template: improper sanitization of CSS values
  • (CVE-2023-29400) golang: html/template: improper handling of empty HTML attributes
  • (CVE-2022-32189) golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

For information on supported configurations, see Red Hat AMQ Broker 7 Supported Configurations at https://access.redhat.com/articles/2791941.

Solution

To update to the latest image, refer to the AMQ container images in the Red Hat Container Catalog.

Affected Products

  • Red Hat OpenShift Container Platform 4.12 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform 4.11 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform 4.10 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform 4.9 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform 4.8 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform 4.7 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform 4.6 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform 4.5 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform 4.4 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform 4.3 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform 4.2 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform 4.1 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform for Power 4.10 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for Power 4.9 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for Power 4.8 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for Power 4.7 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for Power 4.6 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for Power 4.5 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for Power 4.4 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for Power 4.3 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.10 for RHEL 8 s390x
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.9 for RHEL 8 s390x
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.8 for RHEL 8 s390x
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.7 for RHEL 8 s390x
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.6 for RHEL 8 s390x
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.5 for RHEL 8 s390x
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.4 for RHEL 8 s390x
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.3 for RHEL 8 s390x
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.2 for RHEL 8 s390x
  • Red Hat OpenShift Container Platform for ARM 64 4.10 aarch64

Fixes

  • BZ - 2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic
  • BZ - 2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
  • BZ - 2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
  • BZ - 2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
  • BZ - 2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
  • BZ - 2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
  • BZ - 2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
  • BZ - 2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
  • BZ - 2178488 - CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption
  • BZ - 2178492 - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics
  • BZ - 2184481 - CVE-2023-24538 golang: html/template: backticks not treated as string delimiters
  • BZ - 2184482 - CVE-2023-24536 golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption
  • BZ - 2184483 - CVE-2023-24534 golang: net/http, net/textproto: denial of service from excessive memory allocation
  • BZ - 2184484 - CVE-2023-24537 golang: go/parser: Infinite loop in parsing
  • BZ - 2196026 - CVE-2023-24539 golang: html/template: improper sanitization of CSS values
  • BZ - 2196027 - CVE-2023-24540 golang: html/template: improper handling of JavaScript whitespace
  • BZ - 2196029 - CVE-2023-29400 golang: html/template: improper handling of empty HTML attributes
  • BZ - 2252185 - CVE-2022-41678 Apache ActiveMQ: Deserialization vulnerability on Jolokia that allows authenticated users to perform RCE
  • ENTMQBR-8264 - Setting EnableIngressTimestamp on OCP to valid value crashes broker
  • ENTMQBR-8457 - AMQ Broker Operator overloads after deploymentPlan.labels number is more than eight
  • ENTMQBR-8893 - Unexpected broker pod restarts caused by TRIGGERED_ROLL_COUNT
  • ENTMQBR-8881 - Error: container has runAsNonRoot and image has non-numeric user (root)
  • ENTMQBR-8752 - Failed to create new *v1.Ingress for ActiveMQArtemis CRs with the same name
  • ENTMQBR-8678 - Missing selector in AMQ Broker Operator Deployment
  • ENTMQBR-8387 - Custom login.config file could not be used with AMQ Broker Operator due to a validation error
  • ENTMQBR-8316 - AMQ Broker Operator tries to contact unrelated pods if AMQAddress CR is created before AMQArtemis is
  • ENTMQBR-8989 - Test artemis controller 2 persistent volumes tests external volumes attach fails
  • ENTMQBR-9023 - Unable to set address settings using the CR
  • ENTMQBR-8064 - Exposing AMQ Broker Deployed on OpenShift via Ingress Configuration Fails
  • ENTMQBR-8664 - AMQ Broker operator pod not starting, with error "unable to retrieve the complete list of server APIs: external.metrics.k8s.io/v1beta1"
  • ENTMQBR-8465 - initImage break the brokerProperties feature which lead to "missing status entry for keys: [broker.properties]"
  • ENTMQBR-8971 - Add a CR validation to check for duplicate keys in the brokerProperties element

CVEs

  • CVE-2021-35937
  • CVE-2021-35938
  • CVE-2021-35939
  • CVE-2021-43565
  • CVE-2021-43618
  • CVE-2022-2879
  • CVE-2022-2880
  • CVE-2022-21698
  • CVE-2022-27664
  • CVE-2022-32189
  • CVE-2022-41678
  • CVE-2022-41715
  • CVE-2022-41723
  • CVE-2022-41724
  • CVE-2022-41725
  • CVE-2023-6135
  • CVE-2023-24534
  • CVE-2023-24536
  • CVE-2023-24537
  • CVE-2023-24538
  • CVE-2023-24539
  • CVE-2023-24540
  • CVE-2023-28322
  • CVE-2023-29400
  • CVE-2023-38546
  • CVE-2023-46218
  • CVE-2023-52425
  • CVE-2024-2961
  • CVE-2024-21011
  • CVE-2024-21012
  • CVE-2024-21068
  • CVE-2024-21094
  • CVE-2024-28834

References

  • https://access.redhat.com/security/updates/classification/#important
  • https://access.redhat.com/documentation/en-us/red_hat_amq_broker/

aarch64

amq7/amq-broker-init-rhel8@sha256:de1724d437174eefb20ed7dd8981a05607c55cfe8d6ea6667df94fdfdefe6ead
amq7/amq-broker-rhel8@sha256:cd306c06c811d5e5c3d1912dd2bf2d08c10e057f1d7c59cba8475e105dd72cf0
amq7/amq-broker-rhel8-operator@sha256:27deae2dfec99135f1dd3dcfffdaf6167e056e29aa481cb3f78ee36d407181b8

ppc64le

amq7/amq-broker-init-rhel8@sha256:3bd3ed2acad8c5792c7222254c8ef09c2eeb4dcfd3e96622fe98f50ce094ca3e
amq7/amq-broker-rhel8@sha256:b2aa89fb6eb23d41b1101ef2080a628a51d2a0949395e921247be302ff0e9778
amq7/amq-broker-rhel8-operator@sha256:a840f54acec50b424b1c4a8d984230777bf042fb98b526d213cbb5b3df023435

s390x

amq7/amq-broker-init-rhel8@sha256:e3c7913dc5a441fc38f35081cd405425ec3f4d299d77890db9d57b042f459852
amq7/amq-broker-rhel8@sha256:25100bd1bb6b113af4e51deb6538ed554340091389ab2639ec77824c6cb0bc15
amq7/amq-broker-rhel8-operator@sha256:7231e51c0f078cd742b12c52c6616f19e669909ebb2fb6e02292173a5def5fab

x86_64

amq7/amq-broker-init-rhel8@sha256:4755cc6d13566065f6fd0b9544001ece5e0424ddbff774420f5be9bbfe03ae9e
amq7/amq-broker-rhel8@sha256:081c73ec804f236ff0d00d7495a6d1053d1b6161ae7d944c889fc2d1181caa3f
amq7/amq-broker-rhel8-operator@sha256:996d20078a6a4f98f220793bded0b1c7ad08df3a292f26be71e52070fc538367
amq7/amq-broker-rhel8-operator-bundle@sha256:22ba090595eb88cc56d69c759388310d477e50fd97a4c6fcf3e7eecd94df99f9

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
