Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
redhatRedHatRHSA-2023:3223
HistoryMay 18, 2023 - 9:51 a.m.

(RHSA-2023:3223) Important: Red Hat AMQ Streams 2.4.0 release and security update

2023-05-1809:51:45
access.redhat.com
22
red hat
amq streams
apache kafka
microservices
security
bug fixes
enhancements
scala
json-smart
jackson-databind
okhttp
netty-codec
netty
cve-2022-36944
cve-2023-1370
cve-2020-36518
cve-2021-0341
cve-2021-37136
cve-2021-37137
cve-2021-46877
cve-2022-24823
cve-2022-40149
cve-2022-42003
cve-2022-42004
cve-2023-0833
cve-2022-40150

0.97 High

EPSS

Percentile

99.8%

JSON

Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.

This release of Red Hat AMQ Streams 2.4.0 serves as a replacement for Red Hat AMQ Streams 2.3.0, and includes security and bug fixes, and enhancements.

Security Fix(es):

  • scala: deserialization gadget chain (CVE-2022-36944)

  • json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)

  • jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)

  • okhttp: information disclosure via improperly used cryptographic function (CVE-2021-0341)

  • netty-codec: Bzip2Decoder doesn’t allow setting size restrictions for decompressed data (CVE-2021-37136)

  • netty-codec: SnappyFrameDecoder doesn’t restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)

  • jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)

  • netty: world readable temporary file containing sensitive data (CVE-2022-24823)

  • jettison: parser crash by stackoverflow (CVE-2022-40149)

  • jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

  • jackson-databind: use of deeply nested arrays (CVE-2022-42004)

  • Red Hat A-MQ Streams: component version with information disclosure flaw (CVE-2023-0833)

  • jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Related

ibm 64
openvas 10
mageia 1
nessus 24
debian 5
osv 19
redhat 7
gentoo 1
freebsd 2
ubuntu 1
cve 5
nvd 4
prion 6
fedora 2
veracode 6
cvelist 5
github 6
debiancve 4
githubexploit 2
suse 1
ubuntucve 4
wolfi 1
redhatcve 5
atlassian 5
cnvd 1
nuclei 1
zdt 1
amazon 1
cgr 1
almalinux 1
oraclelinux 2
rocky 1
ibm
ibm
Security Bulletin: Multiple vulnerabilities has been identified in FasterXML jackson-databind affect IBM Engineering Lifecycle Optimization - Publishing
2023-10-04 07:59:53
Security Bulletin: There are several vulnerabilities in jackson-databind used by IBM Maximo Asset Management (CVE-2022-42003, CVE-2022-42004, CVE-2020-36518)
2023-05-31 23:38:22
Security Bulletin: Vulnerability in Jettison affects IBM Process Mining . Multiple CVEs
2024-01-05 16:45:03
openvas
openvas
Debian: Security Advisory (DSA-5283-1)
2022-11-18 00:00:00
Mageia: Security Advisory (MGASA-2024-0069)
2024-03-18 00:00:00
Debian: Security Advisory (DLA-3207-1)
2022-11-28 00:00:00
mageia
mageia
Updated jackson-databind packages fix security vulnerabilities
2024-03-16 19:28:17
nessus
nessus
Debian DSA-5283-1 : jackson-databind - security update
2022-11-18 00:00:00
Debian DLA-3207-1 : jackson-databind - LTS security update
2022-11-27 00:00:00
RHEL 8 : jboss-on (Unpatched Vulnerability)
2024-06-03 00:00:00
debian
debian
[SECURITY] [DSA 5283-1] jackson-databind security update
2022-11-17 11:17:07
[SECURITY] [DLA 3207-1] jackson-databind security update
2022-11-27 18:53:52
[SECURITY] [DSA 5312-1] libjettison-java security update
2023-01-10 23:10:35
osv
osv
jackson-databind - security update
2022-11-27 00:00:00
jackson-databind - security update
2022-11-17 00:00:00
libjettison-java vulnerabilities
2023-06-19 11:39:43
redhat
redhat
(RHSA-2021:3959) Moderate: Red Hat build of Eclipse Vert.x 4.1.5 security update
2021-11-10 16:37:03
(RHSA-2021:4851) Low: Red Hat AMQ Broker 7.9.1 release and security update
2021-11-30 08:40:21
(RHSA-2023:1241) Moderate: Red Hat AMQ Streams 2.2.1 release and security update
2023-03-14 18:46:27
gentoo
gentoo
FasterXML jackson-databind: Multiple vulnerabilities
2022-10-31 00:00:00
freebsd
freebsd
cassandra3 -- multiple vulnerabilities
2023-01-11 00:00:00
kafka -- Denial Of Service vulnerability
2022-03-11 00:00:00
ubuntu
ubuntu
Jettison vulnerabilities
2023-06-19 00:00:00
cve
cve
CVE-2023-25194
2023-02-07 20:15:09
CVE-2022-36944
2022-09-23 18:15:10
CVE-2022-40149
2022-09-16 10:15:09
nvd
nvd
CVE-2022-36944
2022-09-23 18:15:10
CVE-2021-37137
2021-10-19 15:15:07
CVE-2021-37136
2021-10-19 15:15:07
prion
prion
Deserialization of untrusted data
2022-09-23 18:15:00
Memory corruption
2021-10-19 15:15:00
Input validation
2022-09-16 10:15:00
fedora
fedora
[SECURITY] Fedora 35 Update: scala-2.13.9-1.fc35
2022-10-05 01:05:09
[SECURITY] Fedora 36 Update: scala-2.13.9-1.fc36
2022-10-05 01:02:05
veracode
veracode
Deserialization Of Untrusted Data
2022-09-29 04:29:54
Denial Of Service(DoS)
2021-09-10 06:32:27
Denial Of Service(DoS)
2021-09-10 06:15:09
cvelist
cvelist
CVE-2022-36944
2022-09-23 00:00:00
CVE-2021-37136
2021-10-19 00:00:00
CVE-2021-37137
2021-10-19 00:00:00
github
github
Bzip2Decoder doesn't allow setting size restrictions for decompressed data
2021-09-09 17:11:21
Jettison parser crash by stackoverflow
2022-09-17 00:00:41
Scala subject to file deletion, code execution due to Java deserialization chain with LazyList object deserialization
2022-09-25 00:00:20
debiancve
debiancve
CVE-2021-37136
2021-10-19 15:15:07
CVE-2022-36944
2022-09-23 18:15:10
CVE-2022-40149
2022-09-16 10:15:09
githubexploit
githubexploit
Exploit for Deserialization of Untrusted Data in Apache Kafka Connect
2024-04-17 13:36:34
Exploit for Deserialization of Untrusted Data in Apache Kafka Connect
2023-12-28 04:24:02
suse
suse
Security update for netty (important)
2022-04-20 00:00:00
ubuntucve
ubuntucve
CVE-2022-36944
2022-09-23 00:00:00
CVE-2021-37137
2021-10-19 00:00:00
CVE-2021-37136
2021-10-19 00:00:00
wolfi
wolfi
CVE-2020-36518 vulnerabilities
2024-05-29 03:07:31
redhatcve
redhatcve
CVE-2022-36944
2023-05-11 16:52:42
CVE-2021-37136
2021-09-14 15:09:07
CVE-2021-37137
2021-09-14 15:09:07
atlassian
atlassian
Apache Kafka Connect API Vulnerability in Bitbucket Data Center and Server
2023-10-06 17:45:41
DoS (Denial of Service) org.codehaus.jettison:jettison Dependency in Jira Software Data Center and Server
2024-02-14 10:46:54
jackson-databind Vulnerability in Bamboo Data Center and Server
2023-10-06 17:44:47
cnvd
cnvd
Apache Kafka code issue vulnerability (CNVD-2023-23554)
2023-02-17 00:00:00
nuclei
nuclei
Apache Druid Kafka Connect - Remote Code Execution
2023-04-23 20:43:19
zdt
zdt
Apache Druid JNDI Injection Remote Code Execution Exploit
2023-06-27 00:00:00
amazon
amazon
Medium: jettison
2023-11-29 22:20:00
cgr
cgr
CVE-2022-24823 vulnerabilities
2024-05-19 03:07:16
almalinux
almalinux
Moderate: jackson security update
2023-05-09 00:00:00
oraclelinux
oraclelinux
jackson security update
2023-05-15 00:00:00
pki-core:10.6 and pki-deps:10.6 security update
2024-05-24 00:00:00
rocky
rocky
pki-core:10.6 and pki-deps:10.6 security update
2024-06-14 13:59:30

0.97 High

EPSS

Percentile

99.8%

JSON
Related for RHSA-2023:3223
ibm64openvas10mageia1nessus24debian5osv19redhat7gentoo1freebsd2ubuntu1cve5nvd4prion6fedora2veracode6cvelist5github6debiancve4githubexploit2suse1ubuntucve4wolfi1redhatcve5atlassian5cnvd1nuclei1zdt1amazon1cgr1almalinux1oraclelinux2rocky1