RHSA-2024:6536 - Security Advisory

Topic

Red Hat AMQ Streams 2.5.2 is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.

This release of Red Hat AMQ Streams 2.5.2 serves as a replacement for Red Hat AMQ Streams 2.5.1, and includes security and bug fixes, and enhancements.

Security Fix(es):

• Scala: sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, `IO.unzip` allows writing of arbitrary file. This would have potential to overwrite `/root/.ssh/authorized_keys`. Within sbt's main code, `IO.unzip` is used in `pullRemoteCache` task and `Resolvers.remote`; however many projects use `IO.unzip(...)` directly to implement custom tasks. This vulnerability has been patched in version 1.9.7.(CVE-2023-46122)
• ZooKeeper: Information disclosure in persistent watcher handling. Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue.

(CVE-2024-23944)

• ZooKeeper: Authorization Bypass in Apache ZooKeeper [amq-st-2](CVE-2023-44981)
• Snappy: flaw was found in SnappyInputStream in snappy-java. This issue occurs when decompressing data with a too-large chunk size due to a missing upper bound check on chunk length. An unrecoverable fatal error can occur, resulting in a Denial of Service (DoS) (CVE-2023-43642)
• Kafka: snappy-java: Unchecked chunk length leads to DoS [amq-st-2](CVE-2023-34455), (CVE-2024-27309)
• Strimzi Operators: vertx-core: io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)
• Strimzi Bridge: flaw was found in SnappyInputStream in snappy-java (CVE-2023-43642)
• Strimzi Bridge: netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)
• Strimzi Bridge: vertx-core: io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)
• Strimzi Bridge: netty-codec-http2: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (CVE-2023-44487)
• Strimzi Bridge: Bump snappy-java to fix (CVE-2023-43642)
• Strimzi OAuth: In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component. (CVE-2023-52428)
• Cruise Control: flaw was found in SnappyInputStream in snappy-java (CVE-2023-43642)
• Cruise Control: jose4j- denial of service via specially crafted JWE (CVE-2023-51775)
• Cruise Control: Bump snappy-java to fix (CVE-2023-43642)
• Cruise Control: cruise-control reported a high-sev json vulnerability (CVE-2023-5072)
• Cruise Control: Nimbus JOSE+JWT before 9.37.2 (CVE-2023-52428)
• Strimzi Kafka Kubernetes Config Provider: Bump snappy-java to fix (CVE-2023-43642)

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat AMQ Streams 2 for RHEL 8 x86_64
• Red Hat AMQ Streams 2 for RHEL 8 s390x
• Red Hat AMQ Streams 2 for RHEL 8 ppc64le
• Red Hat AMQ Streams 2 for RHEL 8 aarch64

Fixes

• BZ - 2215445 - CVE-2023-34455 snappy-java: Unchecked chunk length leads to DoS
• BZ - 2241722 - CVE-2023-43642 snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact
• BZ - 2242803 - CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
• BZ - 2243436 - CVE-2023-44981 zookeeper: Authorization Bypass in Apache ZooKeeper
• BZ - 2246417 - CVE-2023-5072 JSON-java: parser confusion leads to OOM
• BZ - 2263139 - CVE-2024-1300 io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support
• BZ - 2266921 - CVE-2023-51775 jose4j: denial of service via specially crafted JWE
• BZ - 2272907 - CVE-2024-29025 netty-codec-http: Allocation of Resources Without Limits or Throttling
• BZ - 2309764 - CVE-2023-52428 nimbus-jose-jwt: large JWE p2c header value causes Denial of Service
• BZ - 2328637 - CVE-2024-23944 Apache-ZooKeeper: Apache ZooKeeper: Information disclosure in persistent watcher handling
• ENTMQST-5366 - Bump snappy-java to fix CVE-2023-43642
• ENTMQST-5882 - CVE-2024-23944 Apache ZooKeeper: Information disclosure in persistent watcher handling
• ENTMQST-5885 - CVE-2023-52428 Nimbus JOSE+JWT before 9.37.2
• ENTMQST-5886 - CVE-2023-43642 flaw was found in SnappyInputStream in snappy-java
• ENTMQST-6235 - CVE-2023-46122

CVEs

• CVE-2023-5072
• CVE-2023-34455
• CVE-2023-43642
• CVE-2023-44487
• CVE-2023-44981
• CVE-2023-46122
• CVE-2023-51775
• CVE-2023-52428
• CVE-2024-1300
• CVE-2024-23944
• CVE-2024-27309
• CVE-2024-29025

References

• https://access.redhat.com/security/updates/classification/#moderate