CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
98.5%
Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.
This release of Red Hat AMQ Streams 2.5.2 serves as a replacement for Red Hat AMQ Streams 2.5.1, and includes security and bug fixes, and enhancements.
Security Fix(es):
Scala: sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, IO.unzip
allows writing of arbitrary file. This would have potential to overwrite /root/.ssh/authorized_keys
. Within sbt’s main code, IO.unzip
is used in pullRemoteCache
task and Resolvers.remote
; however many projects use IO.unzip(...)
directly to implement custom tasks. This vulnerability has been patched in version 1.9.7.(CVE-2023-46122)
ZooKeeper: Information disclosure in persistent watcher handling. Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue.
(CVE-2024-23944)
ZooKeeper: Authorization Bypass in Apache ZooKeeper amq-st-2
Snappy: flaw was found in SnappyInputStream in snappy-java. This issue occurs when decompressing data with a too-large chunk size due to a missing upper bound check on chunk length. An unrecoverable fatal error can occur, resulting in a Denial of Service (DoS) (CVE-2023-43642)
Kafka: snappy-java: Unchecked chunk length leads to DoS amq-st-2, (CVE-2024-27309), (CVE-2024-31141)
Strimzi Operators: vertx-core: io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)
Strimzi Bridge: flaw was found in SnappyInputStream in snappy-java (CVE-2023-43642)
Strimzi Bridge: netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)
Strimzi Bridge: vertx-core: io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)
Strimzi Bridge: netty-codec-http2: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (CVE-2023-44487)
Strimzi Bridge: Bump snappy-java to fix (CVE-2023-43642)
Strimzi OAuth: In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component. (CVE-2023-52428)
Cruise Control: flaw was found in SnappyInputStream in snappy-java (CVE-2023-43642)
Cruise Control: jose4j- denial of service via specially crafted JWE (CVE-2023-51775)
Cruise Control: Bump snappy-java to fix (CVE-2023-43642)
Cruise Control: cruise-control reported a high-sev json vulnerability (CVE-2023-5072)
Cruise Control: Nimbus JOSE+JWT before 9.37.2 (CVE-2023-52428)
Strimzi Kafka Kubernetes Config Provider: Bump snappy-java to fix (CVE-2023-43642)