Red Hat: RHSA-2024:3527
History: May 30, 2024 - 8:22 p.m.

(RHSA-2024:3527) Moderate: Red Hat AMQ Streams 2.7.0 release and security update

2024-05-30 20:22:55
access.redhat.com
red hat
amq streams
apache kafka
security
bug fixes
enhancements
cve-2021-3520
cve-2021-24032
cve-2022-4899
cve-2024-29025
cve-2024-25710
cve-2022-42889
cve-2023-43642
cve-2023-1370
cve-2022-3171
cve-2022-42920
cve-2023-33202
cve-2023-33201
cve-2023-51074
cve-2023-2976
cve-2024-1300
cve-2024-1023
cve-2024-2700
unix

CVSS2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

CVSS3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

AI Score: 8.1 (Confidence: High)

EPSS: 0.971 (Percentile: 99.8%)

Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.

This release of Red Hat AMQ Streams 2.7.0 serves as a replacement for Red Hat AMQ Streams 2.6.0 and includes security fixes, bug fixes, and enhancements.

Security Fix(es):

  • lz4: memory corruption due to an integer overflow bug caused by memmove argument (CVE-2021-3520)
  • zstd: Race condition allows attacker to access world-readable destination file (CVE-2021-24032)
  • RocksDB: zstd: mysql: buffer overrun in util.c (CVE-2022-4899)
  • netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)
  • commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file (CVE-2024-25710)
  • apache-commons-text: variable interpolation RCE (CVE-2022-42889)
  • snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact (CVE-2023-43642)
  • json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
  • protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)
  • Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
  • bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class (CVE-2023-33202)
  • bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)
  • json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)
  • guava: insecure temporary directory creation (CVE-2023-2976)
  • io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)
  • io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx (CVE-2024-1023)
  • quarkus-core: Leak of local configuration properties into Quarkus applications (CVE-2024-2700)