(RHSA-2023:7678) Important: Red Hat AMQ Streams 2.6.0 release and security update

Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.

This release of Red Hat AMQ Streams 2.6.0 serves as a replacement for Red Hat AMQ Streams 2.5.1, and includes security and bug fixes, and enhancements.

Security Fix(es):

• JSON-java: parser confusion leads to OOM (CVE-2023-5072)

• spring-boot: Security Bypass With Wildcard Pattern Matching on Cloud Foundry (CVE-2023-20873)

• zookeeper: Authorization Bypass in Apache ZooKeeper (CVE-2023-44981)

• apache-ivy: XML External Entity vulnerability (CVE-2022-46751)

• guava: insecure temporary directory creation (CVE-2023-2976)

• jose4j: Insecure iteration count setting (CVE-2023-31582)

• bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)

• jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)

• tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)

• gradle: Possible local text file exfiltration by XML External entity injection (CVE-2023-42445)

• gradle: Incorrect permission assignment for symlinked files used in copy or archiving operations (CVE-2023-44387)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.