-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat AMQ Streams 2.5.0 release and security update
Advisory ID:       RHSA-2023:5165-01
Product:           Red Hat AMQ Streams
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5165
Issue date:        2023-09-14
CVE Names:         CVE-2021-37136 CVE-2021-37137 CVE-2022-1471 
                   CVE-2022-24823 CVE-2022-36944 CVE-2023-0482 
                   CVE-2023-2976 CVE-2023-3635 CVE-2023-26048 
                   CVE-2023-26049 CVE-2023-33201 CVE-2023-34453 
                   CVE-2023-34454 CVE-2023-34455 CVE-2023-34462 
=====================================================================

1. Summary:

Red Hat AMQ Streams 2.5.0 is now available from the Red Hat Customer
Portal.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat AMQ Streams, based on the Apache Kafka project, offers a
distributed backbone that allows microservices and other applications to
share data with extremely high throughput and extremely low latency.

Security Fix(es):

* snakeyaml: Constructor Deserialization Remote Code Execution
(CVE-2022-1471)
 
* scala: deserialization gadget chain (CVE-2022-36944)

* DoS of the Okio client when handling a crafted GZIP archive
(CVE-2023-3635)
 
* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for
decompressed data (CVE-2021-37136)

* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may
buffer skippable chunks in an unnecessary way (CVE-2021-37137)

* netty: world readable temporary file containing sensitive data
(CVE-2022-24823)

* guava: insecure temporary directory creation (CVE-2023-2976)

* Jetty servlets with multipart support may cause OOM error with client
requests (CVE-2023-26048)

* Nonstandard cookie parsing in Jetty may allow an attacker to smuggle
cookies within other cookies (CVE-2023-26049)

* bouncycastle: potential blind LDAP injection attack using a self-signed
certificate (CVE-2023-33201)

* snappy-java: Integer overflow in shuffle leads to DoS (CVE-2023-34453)

* snappy-java: Integer overflow in compress leads to DoS (CVE-2023-34454)

* snappy-java: Unchecked chunk length leads to DoS (CVE-2023-34455)

* Flaw in Netty's SniHandler while navigating TLS handshake; DoS
(CVE-2023-34462)

* RESTEasy: creation of insecure temp files (CVE-2023-0482)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way
2087186 - CVE-2022-24823 netty: world readable temporary file containing sensitive data
2129809 - CVE-2022-36944 scala: deserialization gadget chain
2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution
2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files
2215229 - CVE-2023-2976 guava: insecure temporary directory creation
2215393 - CVE-2023-34453 snappy-java: Integer overflow in shuffle leads to DoS
2215394 - CVE-2023-34454 snappy-java: Integer overflow in compress leads to DoS
2215445 - CVE-2023-34455 snappy-java: Unchecked chunk length leads to DoS
2215465 - CVE-2023-33201 bouncycastle: potential  blind LDAP injection attack using a self-signed certificate
2216888 - CVE-2023-34462 netty: SniHandler 16MB allocation leads to OOM
2229295 - CVE-2023-3635 okio: GzipSource class improper exception handling
2236340 - CVE-2023-26048 jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter()
2236341 - CVE-2023-26049 jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies

5. JIRA issues fixed (https://issues.redhat.com/):

ENTMQST-5081 - [PROD] Create RHSA erratum for Streams 2.5.0

6. References:

https://access.redhat.com/security/cve/CVE-2021-37136
https://access.redhat.com/security/cve/CVE-2021-37137
https://access.redhat.com/security/cve/CVE-2022-1471
https://access.redhat.com/security/cve/CVE-2022-24823
https://access.redhat.com/security/cve/CVE-2022-36944
https://access.redhat.com/security/cve/CVE-2023-0482
https://access.redhat.com/security/cve/CVE-2023-2976
https://access.redhat.com/security/cve/CVE-2023-3635
https://access.redhat.com/security/cve/CVE-2023-26048
https://access.redhat.com/security/cve/CVE-2023-26049
https://access.redhat.com/security/cve/CVE-2023-33201
https://access.redhat.com/security/cve/CVE-2023-34453
https://access.redhat.com/security/cve/CVE-2023-34454
https://access.redhat.com/security/cve/CVE-2023-34455
https://access.redhat.com/security/cve/CVE-2023-34462
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.streams&version=2.5.0
https://access.redhat.com/documentation/en-us/red_hat_amq_streams/2.5

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJlAyZSAAoJENzjgjWX9erEmRwQAIr30XliBoykJhsrfof3/YM7
dmC4a5RLefsM62tkqRzbQuEpMuD/sC7ODRe415g49vP3iwzj9siV+vN9wHR2+4uB
QivzIH+Ka2A7p7YoCpBrHqytibI7ZRQTyHvOLvTxm43VQ/m4G3PevdHs5q6gvUFS
JawbpjWQ3XbgfXe9JB0lgFxrLE+Xjqf8fkXWHRcJ42uW+4MA+1vVUnET28U4rHEh
qqX+BzcYL7Rx/CpxRj6ewAHRID59z2HsUgp+yNflb4hLqe+ByCyl169DlTMTMAvX
pYqthRb8EXx2MIGkInyz9GsRL5vnm684tZFYW62hgQKO1JQNF4dBxuQArDl9SNFm
P+zLfV7ShhhrSkEnBg81yVeRPkbFF/3oOurCxhWTsdb0ZUXHhY4EcOmJklPGTzg4
CSp86UrXE9XUGzTHnMc2/AUVDvhq6pqUj550UbdK5ijaEkuuTXUOkreqvb5DM1PS
4WbLJxcBsZEOYEzSflzA6cy5rLt7VLONIu8IoBNyrjbaY62UTOYXwtwb2pnL3BX0
ClCmxhawvrlhmVXupapG7X9FBNqTo1VqCMImLaGH5zvL9fOFbUOmsr4tpnAdy0dN
aqs7PftCiWcqTt+85nOzEaKGorWo45VIjomdLX0FDPLnIL5oLefr8eL0xOYYXeQa
dnMwz+Rga4GUk26e29q0
=V0cF
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce