(RHSA-2023:3223) Important: Red Hat AMQ Streams 2.4.0 release and security update

Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.

This release of Red Hat AMQ Streams 2.4.0 serves as a replacement for Red Hat AMQ Streams 2.3.0, and includes security and bug fixes, and enhancements.

Security Fix(es):

• scala: deserialization gadget chain (CVE-2022-36944)

• json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)

• jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)

• okhttp: information disclosure via improperly used cryptographic function (CVE-2021-0341)

• netty-codec: Bzip2Decoder doesn’t allow setting size restrictions for decompressed data (CVE-2021-37136)

• netty-codec: SnappyFrameDecoder doesn’t restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)

• jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)

• netty: world readable temporary file containing sensitive data (CVE-2022-24823)

• jettison: parser crash by stackoverflow (CVE-2022-40149)

• jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

• jackson-databind: use of deeply nested arrays (CVE-2022-42004)

• Red Hat A-MQ Streams: component version with information disclosure flaw (CVE-2023-0833)

• jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.