(RHSA-2021:3225) Moderate: Red Hat AMQ Streams 1.8.0 release and security update

Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.

This release of Red Hat AMQ Streams 1.8.0 serves as a replacement for Red Hat AMQ Streams 1.7.0, and includes security and bug fixes, and enhancements.

Security Fix(es):

• snakeyaml: Billion laughs attack via alias feature (CVE-2017-18640)

• netty: Information disclosure via the local system temporary directory (CVE-2021-21290)

• netty: possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295)

• netty: Request smuggling via content-length header (CVE-2021-21409)

• json-smart: uncaught exception may lead to crash or information disclosure (CVE-2021-27568)

• jetty: Symlink directory exposes webapp directory contents (CVE-2021-28163)

• jetty: Ambiguous paths can access WEB-INF (CVE-2021-28164)

• jetty: Resource exhaustion when receiving an invalid large TLS frame (CVE-2021-28165)

• jersey: Local information disclosure via system temporary directory (CVE-2021-28168)

• jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory (CVE-2021-28169)

• apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6 (CVE-2021-29425)

• jetty: SessionListener can prevent a session from being invalidated breaking logout (CVE-2021-34428)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.