Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.
This release of Red Hat AMQ Streams 2.4.0 serves as a replacement for Red Hat AMQ Streams 2.3.0, and includes security fixes, bug fixes, and enhancements.
Security Fix(es):
scala: deserialization gadget chain (CVE-2022-36944)
json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)
okhttp: information disclosure via improperly used cryptographic function (CVE-2021-0341)
netty-codec: Bzip2Decoder doesn’t allow setting size restrictions for decompressed data (CVE-2021-37136)
netty-codec: SnappyFrameDecoder doesn’t restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)
jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)
netty: world readable temporary file containing sensitive data (CVE-2022-24823)
jettison: parser crash by stackoverflow (CVE-2022-40149)
jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
jackson-databind: use of deeply nested arrays (CVE-2022-42004)
Red Hat A-MQ Streams: component version with information disclosure flaw (CVE-2023-0833)
jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.