- Issued:
- 2024-05-21
- Updated:
- 2024-05-21
RHSA-2024:2944 - Important: AMQ Broker 7.12.0.OPR.1.GA Container Images release and security update
Synopsis
Important: AMQ Broker 7.12.0.OPR.1.GA Container Images release and security update
Type/Severity
Security Advisory Important
Topic
This is the multiarch release of the AMQ Broker 7.12.0 aligned Operator and associated container images on Red Hat Enterprise Linux 8 for the OpenShift Container Platform.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat Middleware for OpenShift provides images for many of the Red Hat Middleware products for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments.
This release of Red Hat AMQ Broker 7.12.0 includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.
Security Fix(es):
- (CVE-2023-24540) golang: html/template: improper handling of JavaScript whitespace
- (CVE-2021-43565) golang.org/x/crypto: empty plaintext packet causes panic
- (CVE-2022-21698) prometheus/client_golang: Denial of service using InstrumentHandlerCounter
- (CVE-2022-27664) golang: net/http: handle server errors after sending GOAWAY
- (CVE-2022-2879) golang: archive/tar: unbounded memory consumption when reading headers
- (CVE-2022-2880) golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
- (CVE-2022-41678) Apache ActiveMQ: Deserialization vulnerability on Jolokia that allows authenticated users to perform RCE
- (CVE-2022-41715) golang: regexp/syntax: limit memory used by parsing regexps
- (CVE-2022-41723) net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
- (CVE-2022-41724) golang: crypto/tls: large handshake records may cause panics
- (CVE-2022-41725) golang: net/http, mime/multipart: denial of service from excessive resource consumption
- (CVE-2023-24534) golang: net/http, net/textproto: denial of service from excessive memory allocation
- (CVE-2023-24536) golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption
- (CVE-2023-24537) golang: go/parser: Infinite loop in parsing
- (CVE-2023-24538) golang: html/template: backticks not treated as string delimiters
- (CVE-2023-24539) golang: html/template: improper sanitization of CSS values
- (CVE-2023-29400) golang: html/template: improper handling of empty HTML attributes
- (CVE-2022-32189) golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
For information on supported configurations, see Red Hat AMQ Broker 7 Supported Configurations at https://access.redhat.com/articles/2791941
Solution
To update to the latest image please refer to the AMQ container images in the Red Hat Container catalog.
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat OpenShift Container Platform | 4.9 | x86_64 |
| Red Hat OpenShift Container Platform | 4.8 | x86_64 |
| Red Hat OpenShift Container Platform | 4.7 | x86_64 |
| Red Hat OpenShift Container Platform | 4.6 | x86_64 |
| Red Hat OpenShift Container Platform | 4.5 | x86_64 |
| Red Hat OpenShift Container Platform | 4.4 | x86_64 |
| Red Hat OpenShift Container Platform | 4.3 | x86_64 |
| Red Hat OpenShift Container Platform | 4.2 | x86_64 |
| Red Hat OpenShift Container Platform | 4.1 | x86_64 |
| Red Hat OpenShift Container Platform | 4.12 | x86_64 |
| Red Hat OpenShift Container Platform | 4.11 | x86_64 |
| Red Hat OpenShift Container Platform | 4.10 | x86_64 |
| Red Hat OpenShift Container Platform for Power | 4.9 | ppc64le |
| Red Hat OpenShift Container Platform for Power | 4.8 | ppc64le |
| Red Hat OpenShift Container Platform for Power | 4.7 | ppc64le |
| Red Hat OpenShift Container Platform for Power | 4.6 | ppc64le |
| Red Hat OpenShift Container Platform for Power | 4.5 | ppc64le |
| Red Hat OpenShift Container Platform for Power | 4.4 | ppc64le |
| Red Hat OpenShift Container Platform for Power | 4.3 | ppc64le |
| Red Hat OpenShift Container Platform for Power | 4.10 | ppc64le |
| Red Hat OpenShift Container Platform for IBM Z and LinuxONE | 4.9 | s390x |
| Red Hat OpenShift Container Platform for IBM Z and LinuxONE | 4.8 | s390x |
| Red Hat OpenShift Container Platform for IBM Z and LinuxONE | 4.7 | s390x |
| Red Hat OpenShift Container Platform for IBM Z and LinuxONE | 4.6 | s390x |
| Red Hat OpenShift Container Platform for IBM Z and LinuxONE | 4.5 | s390x |
| Red Hat OpenShift Container Platform for IBM Z and LinuxONE | 4.4 | s390x |
| Red Hat OpenShift Container Platform for IBM Z and LinuxONE | 4.3 | s390x |
| Red Hat OpenShift Container Platform for IBM Z and LinuxONE | 4.2 | s390x |
| Red Hat OpenShift Container Platform for IBM Z and LinuxONE | 4.10 | s390x |
| Red Hat OpenShift Container Platform for ARM 64 | 4.10 | aarch64 |
Fixes
- This content is not included.BZ - 2030787
- This content is not included.BZ - 2045880
- This content is not included.BZ - 2113814
- This content is not included.BZ - 2124669
- This content is not included.BZ - 2132867
- This content is not included.BZ - 2132868
- This content is not included.BZ - 2132872
- This content is not included.BZ - 2178358
- This content is not included.BZ - 2178488
- This content is not included.BZ - 2178492
- This content is not included.BZ - 2184481
- This content is not included.BZ - 2184482
- This content is not included.BZ - 2184483
- This content is not included.BZ - 2184484
- This content is not included.BZ - 2196026
- This content is not included.BZ - 2196027
- This content is not included.BZ - 2196029
- This content is not included.BZ - 2252185
- This content is not included.ENTMQBR-8264
- This content is not included.ENTMQBR-8457
- This content is not included.ENTMQBR-8893
- This content is not included.ENTMQBR-8881
- This content is not included.ENTMQBR-8752
- This content is not included.ENTMQBR-8678
- This content is not included.ENTMQBR-8387
- This content is not included.ENTMQBR-8316
- This content is not included.ENTMQBR-8989
- This content is not included.ENTMQBR-9023
- This content is not included.ENTMQBR-8064
- This content is not included.ENTMQBR-8664
- This content is not included.ENTMQBR-8465
- This content is not included.ENTMQBR-8971
CVEs
- CVE-2021-35937
- CVE-2021-35938
- CVE-2021-35939
- CVE-2021-43565
- CVE-2021-43618
- CVE-2022-2879
- CVE-2022-2880
- CVE-2022-21698
- CVE-2022-27664
- CVE-2022-32189
- CVE-2022-41678
- CVE-2022-41715
- CVE-2022-41723
- CVE-2022-41724
- CVE-2022-41725
- CVE-2023-6135
- CVE-2023-24534
- CVE-2023-24536
- CVE-2023-24537
- CVE-2023-24538
- CVE-2023-24539
- CVE-2023-24540
- CVE-2023-28322
- CVE-2023-29400
- CVE-2023-38546
- CVE-2023-46218
- CVE-2023-52425
- CVE-2024-2961
- CVE-2024-21011
- CVE-2024-21012
- CVE-2024-21068
- CVE-2024-21094
- CVE-2024-28834
References
- https://access.redhat.com/security/updates/classification/#important
- https://access.redhat.com/documentation/en-us/red_hat_amq_broker/
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.