(RHSA-2024:2944) Important: AMQ Broker 7.12.0.OPR.1.GA Container Images release and security update

Red Hat Middleware for OpenShift provides images for many of the Red Hat Middleware products for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments.

This release of Red Hat AMQ Broker 7.12.0 includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.

Security Fix(es):

• (CVE-2023-24540) golang: html/template: improper handling of JavaScript whitespace
• (CVE-2021-43565) golang.org/x/crypto: empty plaintext packet causes panic
• (CVE-2022-21698) prometheus/client_golang: Denial of service using InstrumentHandlerCounter
• (CVE-2022-27664) golang: net/http: handle server errors after sending GOAWAY
• (CVE-2022-2879) golang: archive/tar: unbounded memory consumption when reading headers
• (CVE-2022-2880) golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
• (CVE-2022-41678) Apache ActiveMQ: Deserialization vulnerability on Jolokia that allows authenticated users to perform RCE
• (CVE-2022-41715) golang: regexp/syntax: limit memory used by parsing regexps
• (CVE-2022-41723) net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
• (CVE-2022-41724) golang: crypto/tls: large handshake records may cause panics
• (CVE-2022-41725) golang: net/http, mime/multipart: denial of service from excessive resource consumption
• (CVE-2023-24534) golang: net/http, net/textproto: denial of service from excessive memory allocation
• (CVE-2023-24536) golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption
• (CVE-2023-24537) golang: go/parser: Infinite loop in parsing
• (CVE-2023-24538) golang: html/template: backticks not treated as string delimiters
• (CVE-2023-24539) golang: html/template: improper sanitization of CSS values
• (CVE-2023-29400) golang: html/template: improper handling of empty HTML attributes
• (CVE-2022-32189) golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

For information on supported configurations, see Red Hat AMQ Broker 7 Supported Configurations at https://access.redhat.com/articles/2791941