Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.
This release of Red Hat AMQ Streams 2.7.0 serves as a replacement for Red Hat AMQ Streams 2.7.0, and includes security fixes, bug fixes, and enhancements.
Security Fix(es):
- lz4: memory corruption due to an integer overflow bug caused by memmove argument (CVE-2021-3520)
- zstd: Race condition allows attacker to access world-readable destination file (CVE-2021-24032)
- RocksDB: zstd: mysql: buffer overrun in util.c (CVE-2022-4899)
- netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)
- commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file (CVE-2024-25710)
- apache-commons-text: variable interpolation RCE (CVE-2022-42889)
- snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) (CVE-2023-43642)
- json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
- protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)
- Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
- bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class (CVE-2023-33202)
- bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)
- json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)
- guava: insecure temporary directory creation (CVE-2023-2976)
- io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)
- io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx (CVE-2024-1023)
- quarkus-core: Leak of local configuration properties into Quarkus applications (CVE-2024-2700)