Important: Red Hat AMQ Streams 2.6.0 release and security update

Topic

Red Hat AMQ Streams 2.6.0 is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.

This release of Red Hat AMQ Streams 2.6.0 serves as a replacement for Red Hat AMQ Streams 2.5.1, and includes security and bug fixes, and enhancements.

Security Fix(es):

• JSON-java: parser confusion leads to OOM (CVE-2023-5072)
• spring-boot: Security Bypass With Wildcard Pattern Matching on Cloud Foundry (CVE-2023-20873)
• zookeeper: Authorization Bypass in Apache ZooKeeper (CVE-2023-44981)
• apache-ivy: XML External Entity vulnerability (CVE-2022-46751)
• guava: insecure temporary directory creation (CVE-2023-2976)
• jose4j: Insecure iteration count setting (CVE-2023-31582)
• bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)
• jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)
• tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)
• gradle: Possible local text file exfiltration by XML External entity injection (CVE-2023-42445)
• gradle: Incorrect permission assignment for symlinked files used in copy or archiving operations (CVE-2023-44387)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

The References section of this erratum contains a download link (you must log in to download the update).

Affected Products

• Red Hat JBoss Middleware Text-Only Advisories for MIDDLEWARE 1 x86_64

Fixes

• BZ - 2215229 - CVE-2023-2976 guava: insecure temporary directory creation
• BZ - 2215465 - CVE-2023-33201 bouncycastle: potential blind LDAP injection attack using a self-signed certificate
• BZ - 2231491 - CVE-2023-20873 spring-boot: Security Bypass With Wildcard Pattern Matching on Cloud Foundry
• BZ - 2233112 - CVE-2022-46751 apache-ivy: XML External Entity vulnerability
• BZ - 2235370 - CVE-2023-41080 tomcat: Open Redirect vulnerability in FORM authentication
• BZ - 2239634 - CVE-2023-40167 jetty: Improper validation of HTTP/1 content-length
• BZ - 2242485 - CVE-2023-44387 gradle: Incorrect permission assignment for symlinked files used in copy or archiving operations
• BZ - 2242538 - CVE-2023-42445 gradle: Possible local text file exfiltration by XML External entity injection
• BZ - 2243436 - CVE-2023-44981 zookeeper: Authorization Bypass in Apache ZooKeeper
• BZ - 2246370 - CVE-2023-31582 jose4j: Insecure iteration count setting
• BZ - 2246417 - CVE-2023-5072 JSON-java: parser confusion leads to OOM

CVEs

• CVE-2022-46751
• CVE-2023-2976
• CVE-2023-5072
• CVE-2023-20873
• CVE-2023-31582
• CVE-2023-33201
• CVE-2023-40167
• CVE-2023-41080
• CVE-2023-42445
• CVE-2023-44387
• CVE-2023-44981

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.streams&version=2.6.0