(RHSA-2024:6536) Moderate: Red Hat AMQ Streams 2.5.2 release and security update

Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.

This release of Red Hat AMQ Streams 2.5.2 serves as a replacement for Red Hat AMQ Streams 2.5.1, and includes security and bug fixes, and enhancements.

Security Fix(es):

• Scala: sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, IO.unzip allows writing of arbitrary file. This would have potential to overwrite /root/.ssh/authorized_keys. Within sbt’s main code, IO.unzip is used in pullRemoteCache task and Resolvers.remote; however many projects use IO.unzip(...) directly to implement custom tasks. This vulnerability has been patched in version 1.9.7.(CVE-2023-46122)

• ZooKeeper: Information disclosure in persistent watcher handling. Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue.
  (CVE-2024-23944)

• ZooKeeper: Authorization Bypass in Apache ZooKeeper amq-st-2

• Snappy: flaw was found in SnappyInputStream in snappy-java. This issue occurs when decompressing data with a too-large chunk size due to a missing upper bound check on chunk length. An unrecoverable fatal error can occur, resulting in a Denial of Service (DoS) (CVE-2023-43642)

• Kafka: snappy-java: Unchecked chunk length leads to DoS amq-st-2, (CVE-2024-27309), (CVE-2024-31141)

• Strimzi Operators: vertx-core: io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)

• Strimzi Bridge: flaw was found in SnappyInputStream in snappy-java (CVE-2023-43642)

• Strimzi Bridge: netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)

• Strimzi Bridge: vertx-core: io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)

• Strimzi Bridge: netty-codec-http2: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (CVE-2023-44487)

• Strimzi Bridge: Bump snappy-java to fix (CVE-2023-43642)

• Strimzi OAuth: In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component. (CVE-2023-52428)

• Cruise Control: flaw was found in SnappyInputStream in snappy-java (CVE-2023-43642)

• Cruise Control: jose4j- denial of service via specially crafted JWE (CVE-2023-51775)

• Cruise Control: Bump snappy-java to fix (CVE-2023-43642)

• Cruise Control: cruise-control reported a high-sev json vulnerability (CVE-2023-5072)

• Cruise Control: Nimbus JOSE+JWT before 9.37.2 (CVE-2023-52428)

• Strimzi Kafka Kubernetes Config Provider: Bump snappy-java to fix (CVE-2023-43642)