
(RHSA-2023:5165) Important: Red Hat AMQ Streams 2.5.0 release and security update

Published: 2023-09-14 09:42:26
Source: access.redhat.com

EPSS score: 0.022 (Low), percentile 89.4%

Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.

Security Fix(es):

  • snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)

  • scala: deserialization gadget chain (CVE-2022-36944)

  • DoS of the Okio client when handling a crafted GZIP archive (CVE-2023-3635)

  • netty-codec: Bzip2Decoder doesn’t allow setting size restrictions for decompressed data (CVE-2021-37136)

  • netty-codec: SnappyFrameDecoder doesn’t restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)

  • netty: world readable temporary file containing sensitive data (CVE-2022-24823)

  • guava: insecure temporary directory creation (CVE-2023-2976)

  • Jetty servlets with multipart support may cause OOM error with client requests (CVE-2023-26048)

  • Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies (CVE-2023-26049)

  • bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)

  • snappy-java: Integer overflow in shuffle leads to DoS (CVE-2023-34453)

  • snappy-java: Integer overflow in compress leads to DoS (CVE-2023-34454)

  • snappy-java: Unchecked chunk length leads to DoS (CVE-2023-34455)

  • Flaw in Netty’s SniHandler while navigating TLS handshake; DoS (CVE-2023-34462)

  • RESTEasy: creation of insecure temp files (CVE-2023-0482)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.