Issued: 2024-05-30
Updated: 2024-05-30

RHSA-2024:3527 - Moderate: Red Hat AMQ Streams 2.7.0 release and security update


Synopsis

Moderate: Red Hat AMQ Streams 2.7.0 release and security update

Type/Severity

Security Advisory: Moderate

Topic

Red Hat AMQ Streams 2.7.0 is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.

This release of Red Hat AMQ Streams 2.7.0 serves as a replacement for Red Hat AMQ Streams 2.6.0, and includes security fixes, bug fixes, and enhancements.

Security Fix(es):

  • lz4: memory corruption due to an integer overflow bug caused by memmove argument (CVE-2021-3520)
  • zstd: Race condition allows attacker to access world-readable destination file (CVE-2021-24032)
  • zstd (as bundled in RocksDB and mysql): buffer overrun in util.c (CVE-2022-4899)
  • netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)
  • commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file (CVE-2024-25710)
  • apache-commons-text: variable interpolation RCE (CVE-2022-42889)
  • snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact (CVE-2023-43642)
  • json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
  • protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)
  • Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
  • bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class (CVE-2023-33202)
  • bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)
  • json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)
  • guava: insecure temporary directory creation (CVE-2023-2976)
  • io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)
  • io.vertx:vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx (CVE-2024-1023)
  • quarkus-core: Leak of local configuration properties into Quarkus applications (CVE-2024-2700)

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258
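The advisory names the patched components but not the versions this release ships. As an added check, not part of the advisory or of the AMQ Streams distribution, the Python script below inventories those artifacts in a Kafka-style libs/ directory (for example an unpacked zip distribution) and flags any whose version is below an upstream fix version. The fix versions, the artifact names, and the mapping of the native lz4/zstd CVEs onto the lz4-java, zstd-jni and rocksdbjni jars are assumptions taken from the upstream projects' advisories rather than from this page, and a lower version number can still carry a backported fix, so treat a VULNERABLE result as a prompt to read the CVE page, not as a verdict. The sample directory listing is constructed for the example.

```python
"""Inventory the third-party jars named in RHSA-2024:3527 in a Kafka-style libs/
directory and flag versions below an assumed upstream fix version.

Added example; not part of the advisory or of the AMQ Streams distribution.
THRESHOLDS are ASSUMPTIONS from the upstream projects' advisories, not from this
page, and Red Hat may ship a backported fix under a lower version number.
"""
import re
import sys
from pathlib import Path

# artifactId -> (assumed minimum fixed version, CVE named in the advisory)
THRESHOLDS = {
    "commons-text":     ("1.10.0",        "CVE-2022-42889"),
    "commons-compress": ("1.26.0",        "CVE-2024-25710"),
    "snappy-java":      ("1.1.10.4",      "CVE-2023-43642"),
    "netty-codec-http": ("4.1.108.Final", "CVE-2024-29025"),
    "json-smart":       ("2.4.9",         "CVE-2023-1370"),
    "json-path":        ("2.9.0",         "CVE-2023-51074"),
    "bcel":             ("6.6.0",         "CVE-2022-42920"),
    "bcprov-jdk18on":   ("1.74",          "CVE-2023-33201/CVE-2023-33202"),
    "guava":            ("32.0.0",        "CVE-2023-2976"),
}
# Artifacts whose CVE sits in bundled native code (lz4, zstd) or whose fix version
# is not stated on the advisory page: report the shipped version, do not judge it.
REPORT_ONLY = {
    "lz4-java":      "CVE-2021-3520",
    "zstd-jni":      "CVE-2021-24032/CVE-2022-4899",
    "rocksdbjni":    "CVE-2022-4899",
    "protobuf-java": "CVE-2022-3171",
    "vertx-core":    "CVE-2024-1300/CVE-2024-1023",
    "quarkus-core":  "CVE-2024-2700",
}
# "<artifactId>-<version>.jar": the version starts at the first "-<digit>" boundary,
# so "bcprov-jdk18on-1.76.jar" -> ("bcprov-jdk18on", "1.76").
JAR_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9_.-]*?)-(?P<ver>\d[^/]*)\.jar$")
PRE_RELEASE = ("alpha", "beta", "rc", "snapshot")


def parse_jar(filename):
    m = JAR_RE.match(filename)
    return (m["name"], m["ver"]) if m else None


def version_key(version):
    """Sortable key: numeric parts zero-padded (1.0 == 1.0.0); flavour tokens such as
    'Final' or 'jre' carry no weight; a pre-release tag sorts below the bare release."""
    nums, pre = [], None
    for tok in re.split(r"[.\-]", version.lower()):
        if tok.isdigit():
            nums.append(int(tok))
        elif tok.startswith(PRE_RELEASE):
            pre = (0, tok)
    nums += [0] * (6 - len(nums))
    return (tuple(nums[:6]), pre or (1, ""))


def audit(filenames):
    """Return (artifact, version, status, cve) for every jar the advisory names."""
    findings = []
    for fn in sorted(filenames):
        parsed = parse_jar(fn)
        if parsed is None:
            continue
        name, ver = parsed
        if name in THRESHOLDS:
            fixed, cve = THRESHOLDS[name]
            status = "ok" if version_key(ver) >= version_key(fixed) else "VULNERABLE"
            findings.append((name, ver, status, cve))
        elif name in REPORT_ONLY:
            findings.append((name, ver, "check-manually", REPORT_ONLY[name]))
    return findings


def audit_dir(libs_dir):
    return audit(p.name for p in Path(libs_dir).iterdir() if p.suffix == ".jar")


# Constructed listing resembling a Kafka libs/ directory; not a real AMQ Streams build.
SAMPLE_LIBS = [
    "kafka_2.13-3.7.0.jar",
    "commons-text-1.9.jar",                 # below the assumed 1.10.0 threshold
    "commons-compress-1.26.0.jar",
    "snappy-java-1.1.10.5.jar",
    "netty-codec-http-4.1.100.Final.jar",   # below the assumed 4.1.108.Final threshold
    "netty-codec-http2-4.1.100.Final.jar",  # a different artifact, deliberately not matched
    "guava-32.1.2-jre.jar",
    "bcprov-jdk18on-1.76.jar",
    "json-smart-2.4.9.jar",
    "zstd-jni-1.5.5-6.jar",
    "lz4-java-1.8.0.jar",
    "rocksdbjni-7.9.2.jar",
]

if __name__ == "__main__":
    rows = audit_dir(sys.argv[1]) if len(sys.argv) > 1 else audit(SAMPLE_LIBS)
    for name, ver, status, cve in rows:
        print(f"{status:15} {name}-{ver}  ({cve})")
    sys.exit(1 if any(r[2] == "VULNERABLE" for r in rows) else 0)
```

Run it as `python audit_libs.py /path/to/kafka/libs` before and after applying the update; with no argument it audits the constructed sample. The exact-name match on the artifactId is deliberate: netty-codec-http2 is a separate artifact from netty-codec-http, and a prefix match would report the wrong jar against CVE-2024-29025.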

Affected Products

Product                Version  Arch
Red Hat AMQ Streams    2        x86_64
Red Hat AMQ Streams    2        s390x
Red Hat AMQ Streams    2        ppc64le
Red Hat AMQ Streams    2        aarch64

References

https://access.redhat.com/security/cve/CVE-2021-3520
https://access.redhat.com/security/cve/CVE-2021-24032
https://access.redhat.com/security/cve/CVE-2022-4899
https://access.redhat.com/security/cve/CVE-2024-29025
https://access.redhat.com/security/cve/CVE-2024-25710
https://access.redhat.com/security/cve/CVE-2022-42889
https://access.redhat.com/security/cve/CVE-2023-43642
https://access.redhat.com/security/cve/CVE-2023-1370
https://access.redhat.com/security/cve/CVE-2022-3171
https://access.redhat.com/security/cve/CVE-2022-42920
https://access.redhat.com/security/cve/CVE-2023-33202
https://access.redhat.com/security/cve/CVE-2023-33201
https://access.redhat.com/security/cve/CVE-2023-51074
https://access.redhat.com/security/cve/CVE-2023-2976
https://access.redhat.com/security/cve/CVE-2024-1300
https://access.redhat.com/security/cve/CVE-2024-1023
https://access.redhat.com/security/cve/CVE-2024-2700
https://access.redhat.com/security/updates/classification/#moderate