RHSA-2024:3527 - Security Advisory

Topic

Red Hat AMQ Streams 2.7.0 is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.

This release of Red Hat AMQ Streams 2.7.0 serves as a replacement for Red Hat AMQ Streams 2.6.0, and includes security and bug fixes, and enhancements.

Security Fix(es):

• lz4: memory corruption due to an integer overflow bug caused by memmove argument (CVE-2021-3520)
• zstd: Race condition allows attacker to access world-readable destination file (CVE-2021-24032)
• RocksDB: zstd: mysql: buffer overrun in util.c (CVE-2022-4899)
• netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)
• commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file (CVE-2024-25710)
• apache-commons-text: variable interpolation RCE (CVE-2022-42889)
• snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact (CVE-2023-43642)
• json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
• protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)
• Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
• bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class (CVE-2023-33202)
• bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)
• json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)
• guava: insecure temporary directory creation (CVE-2023-2976)
• io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)
• io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx (CVE-2024-1023)
• quarkus-core: Leak of local configuration properties into Quarkus applications (CVE-2024-2700)

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat AMQ Streams 2 for RHEL 9 x86_64
• Red Hat AMQ Streams 2 for RHEL 9 s390x
• Red Hat AMQ Streams 2 for RHEL 9 ppc64le
• Red Hat AMQ Streams 2 for RHEL 9 aarch64

Fixes

• BZ - 1928090 - CVE-2021-24032 zstd: Race condition allows attacker to access world-readable destination file
• BZ - 1954559 - CVE-2021-3520 lz4: memory corruption due to an integer overflow bug caused by memmove argument
• BZ - 2135435 - CVE-2022-42889 apache-commons-text: variable interpolation RCE
• BZ - 2137645 - CVE-2022-3171 protobuf-java: timeout in parser leads to DoS
• BZ - 2142707 - CVE-2022-42920 Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing
• BZ - 2179864 - CVE-2022-4899 zstd: mysql: buffer overrun in util.c
• BZ - 2188542 - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)
• BZ - 2215229 - CVE-2023-2976 guava: insecure temporary directory creation
• BZ - 2215465 - CVE-2023-33201 bouncycastle: potential blind LDAP injection attack using a self-signed certificate
• BZ - 2241722 - CVE-2023-43642 snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact
• BZ - 2251281 - CVE-2023-33202 bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class
• BZ - 2256063 - CVE-2023-51074 json-path: stack-based buffer overflow in Criteria.parse method
• BZ - 2260840 - CVE-2024-1023 io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx
• BZ - 2263139 - CVE-2024-1300 io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support
• BZ - 2264988 - CVE-2024-25710 commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file
• BZ - 2272907 - CVE-2024-29025 netty-codec-http: Allocation of Resources Without Limits or Throttling
• BZ - 2273281 - CVE-2024-2700 quarkus-core: Leak of local configuration properties into Quarkus applications
• ENTMQST-5619 - [PROD] Create RHSA erratum for Streams 2.7.0
• ENTMQST-5881 - CVE-2021-3520 a flaw in lz4
• ENTMQST-5882 - CVE-2024-23944 Apache ZooKeeper: Information disclosure in persistent watcher handling
• ENTMQST-5883 - CVE-2021-24032 flaw was found in zstd
• ENTMQST-5884 - CVE-2022-4899 vulnerability was found in zstd v1.4.10
• ENTMQST-5885 - CVE-2023-52428 Nimbus JOSE+JWT before 9.37.2
• ENTMQST-5886 - CVE-2023-43642 flaw was found in SnappyInputStream in snappy-java

CVEs

• CVE-2021-3520
• CVE-2021-24032
• CVE-2022-3171
• CVE-2022-4899
• CVE-2022-42889
• CVE-2022-42920
• CVE-2023-1370
• CVE-2023-2976
• CVE-2023-33201
• CVE-2023-33202
• CVE-2023-43642
• CVE-2023-51074
• CVE-2024-1023
• CVE-2024-1300
• CVE-2024-2700
• CVE-2024-25710
• CVE-2024-29025

References

• https://access.redhat.com/security/updates/classification/#moderate