- Issued: 2024-11-13
- Updated: 2024-11-13
RHSA-2024:9571 - Security Advisory
Synopsis
Moderate: Streams for Apache Kafka 2.8.0 release and security update
Type/Severity
Security Advisory: Moderate
Topic
Streams for Apache Kafka 2.8.0 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed
backbone that allows microservices and other applications to share data with
extremely high throughput and extremely low latency.
This release of Red Hat AMQ Streams 2.8.0 serves as a replacement for Red Hat
AMQ Streams 2.7.0, and includes security and bug fixes, and enhancements.
Security Fix(es):
- Zookeeper, Kafka, Cruise Control: org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks [amq-st-2] (CVE-2024-8184)
- Zookeeper, Kafka: org.eclipse.jetty/jetty-servlets: Jetty DOS vulnerability on DosFilter [amq-st-2] (CVE-2024-9823)
- Zookeeper, Kafka, Drain Cleaner, Cruise Control: Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader (CVE-2024-47554)
- Kafka: com.google.protobuf:protobuf-java@3.23.4: Denial of Service (DoS), a family of attacks all aimed at making a system inaccessible to its intended and legitimate users (CVE-2024-7254)
- Drain Cleaner: Awaiting Analysis (CVE-2024-29025)
- Kroxylicious: When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. (CVE-2024-8285)
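The Kroxylicious item above is a TLS hostname-verification gap: the upstream certificate chain may validate, but the name in the certificate is never bound to the hostname the proxy meant to reach, so any certificate a MITM can obtain from a trusted CA is accepted. The following is an added illustration written for this advisory (not Kroxylicious or Kafka code) of what that missing check does and what the corrected behaviour looks like. It implements RFC 6125-style matching of a hostname against a certificate's subjectAltName entries, in the `('DNS', ...)` / `('IP Address', ...)` tuple shape Python's `ssl.getpeercert()` returns, and a `verify_upstream` wrapper whose `endpoint_identification` argument mirrors the semantics of the Kafka client setting `ssl.endpoint.identification.algorithm` (`https` enables the check, an empty value disables it). The SAN list and hostnames are constructed sample values.

```python
import ipaddress

# Constructed sample subjectAltName list, in the tuple form ssl.getpeercert()
# exposes under the "subjectAltName" key. Not a real certificate.
SAMPLE_SANS = [
    ("DNS", "kafka-0.example.internal"),
    ("DNS", "*.kafka.example.internal"),
    ("IP Address", "10.0.0.5"),
]


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID matching: case-insensitive, exact match, or a
    wildcard that is the entire leftmost label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # A wildcard must not span multiple labels ("a.b.kafka..." is rejected) and
    # must not be as short as "*.com", which would match a whole public suffix.
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert_sans, hostname: str) -> bool:
    """True if `hostname` (a DNS name or an IP literal) is covered by one of the
    certificate's subjectAltName entries. DNS names are only compared against
    DNS entries and IP literals only against IP Address entries."""
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    for kind, value in cert_sans:
        if wanted_ip is not None and kind == "IP Address":
            if ipaddress.ip_address(value) == wanted_ip:
                return True
        elif wanted_ip is None and kind == "DNS":
            if _dns_name_matches(value, hostname):
                return True
    return False


def verify_upstream(cert_sans, hostname: str, endpoint_identification: str = "https") -> bool:
    """Decide whether a TLS connection to `hostname` may proceed, assuming the
    certificate chain has ALREADY been validated against the trust store.
    endpoint_identification follows Kafka's ssl.endpoint.identification.algorithm:
      "https" -> bind the peer identity to the hostname (the corrected behaviour)
      ""      -> skip the check (the weak behaviour the advisory describes)"""
    if endpoint_identification == "":
        # Weak: a valid chain is accepted regardless of which name it certifies,
        # so an attacker holding any CA-issued certificate can interpose.
        return True
    return hostname_matches(cert_sans, hostname)


if __name__ == "__main__":
    target = "attacker.example.internal"   # constructed: name the cert does NOT cover
    print("check disabled :", verify_upstream(SAMPLE_SANS, target, ""))        # True
    print("check enabled  :", verify_upstream(SAMPLE_SANS, target, "https"))   # False
```

For a real Kafka client the setting to confirm is `ssl.endpoint.identification.algorithm=https` (the Kafka default since 2.0); the equivalent knob in Kroxylicious is not named in this advisory, so the fix there is simply to apply the updated release.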
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
Affected Products
- Red Hat AMQ Streams 2 for RHEL 9 x86_64
- Red Hat AMQ Streams 2 for RHEL 9 s390x
- Red Hat AMQ Streams 2 for RHEL 9 ppc64le
- Red Hat AMQ Streams 2 for RHEL 9 aarch64
Fixes
- BZ - 2272907 - CVE-2024-29025 netty-codec-http: Allocation of Resources Without Limits or Throttling
- BZ - 2308606 - CVE-2024-8285 kroxylicious: Missing upstream Kafka TLS hostname verification
- BZ - 2313454 - CVE-2024-7254 protobuf: StackOverflow vulnerability in Protocol Buffers
- BZ - 2316271 - CVE-2024-47554 apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader
- BZ - 2318564 - CVE-2024-8184 org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks
- BZ - 2318565 - CVE-2024-9823 org.eclipse.jetty:jetty-servlets: jetty: Jetty DOS vulnerability on DosFilter
- ENTMQST-6028 - Productise drain cleaner with the fix for CVE-2024-29025
- ENTMQST-6421 - CVE-2024-47554 Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader
- ENTMQST-6422 - CVE-2024-7254 protobuf: StackOverflow vulnerability in Protocol Buffers
- ASUI-91 - Console operator deployment name too general
- ENTMQST-2632 - notifications and alerting when the user operator managed certificates are close to expiry
- ENTMQST-3288 - Improvements to Quotas support
- ENTMQST-4019 - Remove Bidirectional TO and ZooKeeper use from TO
- ENTMQST-5199 - Allow declarative configuration of the default user quotas
- ENTMQST-5669 - Should manual rolling update failure fail the whole reconciliation?
- ENTMQST-5674 - JBOD support in KRaft mode
- ENTMQST-5740 - RF Change
- ENTMQST-5789 - Promote KafkaNodePools feature gate to GA
- ENTMQST-5843 - Wrong parsing of SSL principal in Strimzi Quotas plugin
- ENTMQST-5850 - MM2 connector auto-restarting does not seem to work
- ENTMQST-5863 - Logging configuration is never updated for Connect when connector operator is disabled
- ENTMQST-5865 - Duplicate volume IDs in JBOD storage cause Pod creation errors
- ENTMQST-5915 - Promote the UseKRaft feature gate to GA
- ENTMQST-6032 - Logging update does not take effect for controllers until rolled manually
- ENTMQST-6129 - Continuously generating secrets in the Kafka instance namespace on OCP 4.16
- ENTMQST-6183 - Add support for Kafka 3.8
- ENTMQST-6205 - Unnecessary CA replacement run with custom CA
- ENTMQST-6225 - The correct pod might not be restarted during PVC resizing
- ENTMQST-6341 - Topic Operator replication factor changes seem to conflict with Cruise Control rebalancing
- ENTMQSTPR-43 - [#1339] : Record Encryption does not use new key material resulting from a rotation to encrypt newly produced records.
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.