rhsa-2022_6819
Vulnerability from csaf_redhat
Published
2022-10-05 14:30
Modified
2024-11-15 14:57
Summary
Red Hat Security Advisory: Red Hat AMQ Streams 2.2.0 release and security update

Notes

Topic
Red Hat AMQ Streams 2.2.0 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. This release of Red Hat AMQ Streams 2.2.0 serves as a replacement for Red Hat AMQ Streams 2.1.0, and includes security and bug fixes, and enhancements. Security Fix(es): * kafka: Unauthenticated clients may cause OutOfMemoryError on brokers (CVE-2022-34917) * jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518) * netty: world readable temporary file containing sensitive data (CVE-2022-24823) * com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson (CVE-2022-25647) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.


To clipboard 

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat AMQ Streams 2.2.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. \n\nThis release of Red Hat AMQ Streams 2.2.0 serves as a replacement for Red Hat AMQ Streams 2.1.0, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n\n* kafka: Unauthenticated clients may cause OutOfMemoryError on brokers (CVE-2022-34917)\n\n* jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)\n\n* netty: world readable temporary file containing sensitive data (CVE-2022-24823)\n\n* com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson (CVE-2022-25647)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2022:6819",
        "url": "https://access.redhat.com/errata/RHSA-2022:6819"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.amq.streams\u0026version=2.2.0",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.amq.streams\u0026version=2.2.0"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_amq_streams/2.2",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_amq_streams/2.2"
      },
      {
        "category": "external",
        "summary": "2064698",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064698"
      },
      {
        "category": "external",
        "summary": "2080850",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2080850"
      },
      {
        "category": "external",
        "summary": "2087186",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2087186"
      },
      {
        "category": "external",
        "summary": "2130018",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2130018"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_6819.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat AMQ Streams 2.2.0 release and security update",
    "tracking": {
      "current_release_date": "2024-11-15T14:57:17+00:00",
      "generator": {
        "date": "2024-11-15T14:57:17+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2022:6819",
      "initial_release_date": "2022-10-05T14:30:17+00:00",
      "revision_history": [
        {
          "date": "2022-10-05T14:30:17+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2022-10-05T14:30:17+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-15T14:57:17+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat AMQ Streams 2.2.0",
                "product": {
                  "name": "Red Hat AMQ Streams 2.2.0",
                  "product_id": "Red Hat AMQ Streams 2.2.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:amq_streams:2"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss AMQ"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-36518",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2022-03-16T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2064698"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Jackson Databind package. This cause of the issue is due to a Java StackOverflow exception and a denial of service via a significant depth of nested objects.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: denial of service via a large depth of nested objects",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "CodeReady Studio is no longer supported and therefore this flaw will not be addressed in CodeReady Studio.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat AMQ Streams 2.2.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-36518"
        },
        {
          "category": "external",
          "summary": "RHBZ#2064698",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064698"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-36518",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-36518"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-36518",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36518"
        },
        {
          "category": "external",
          "summary": "https://github.com/advisories/GHSA-57j2-w4cx-62h2",
          "url": "https://github.com/advisories/GHSA-57j2-w4cx-62h2"
        }
      ],
      "release_date": "2020-08-13T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-10-05T14:30:17+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat AMQ Streams 2.2.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:6819"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat AMQ Streams 2.2.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: denial of service via a large depth of nested objects"
    },
    {
      "cve": "CVE-2022-24823",
      "cwe": {
        "id": "CWE-379",
        "name": "Creation of Temporary File in Directory with Insecure Permissions"
      },
      "discovery_date": "2022-05-17T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2087186"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "CVE-2021-21290 contains an incomplete fix, and this addresses the issue found in netty. When using multipart decoders in netty, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: world readable temporary file containing sensitive data",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users.\n\nRed Hat Satellite 6 is not affected as is using netty 3.6.7 version which is not impacted by this vulnerability.\n\nRed Hat Fuse 7 is now in Maintenance Support Phase and should be fixed soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat AMQ Streams 2.2.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-24823"
        },
        {
          "category": "external",
          "summary": "RHBZ#2087186",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2087186"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-24823",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-24823"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24823",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24823"
        }
      ],
      "release_date": "2022-05-06T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-10-05T14:30:17+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat AMQ Streams 2.2.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:6819"
        },
        {
          "category": "workaround",
          "details": "As a workaround, specify one\u0027s own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.",
          "product_ids": [
            "Red Hat AMQ Streams 2.2.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat AMQ Streams 2.2.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "netty: world readable temporary file containing sensitive data"
    },
    {
      "cve": "CVE-2022-25647",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2022-05-02T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2080850"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in gson, which is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes. This issue may lead to availability attacks.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat AMQ Streams 2.2.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-25647"
        },
        {
          "category": "external",
          "summary": "RHBZ#2080850",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2080850"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-25647",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-25647"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25647",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25647"
        }
      ],
      "release_date": "2022-05-01T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-10-05T14:30:17+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat AMQ Streams 2.2.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:6819"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat AMQ Streams 2.2.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson"
    },
    {
      "cve": "CVE-2022-34917",
      "cwe": {
        "id": "CWE-789",
        "name": "Memory Allocation with Excessive Size Value"
      },
      "discovery_date": "2022-09-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2130018"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Apache Kafka that allows malicious unauthenticated clients to allocate large amounts of memory on brokers, which could lead to an Out Of Memory Exception, causing a denial of service. Various authentication methods were affected in different degrees. In Kafka clusters without authentication, any client able to connect to a broker could trigger the issue. In Kafka clusters with SASL authentication, any client able to connect to a broker without the need for valid SASL credentials could trigger the issue. Lastly, in Kafka clusters with TLS authentication, only clients able to successfully authenticate via TLS could trigger the issue.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Kafka: Unauthenticated clients may cause OutOfMemoryError on brokers",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat AMQ Streams 2.2.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-34917"
        },
        {
          "category": "external",
          "summary": "RHBZ#2130018",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2130018"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-34917",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-34917"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-34917",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34917"
        }
      ],
      "release_date": "2022-09-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-10-05T14:30:17+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat AMQ Streams 2.2.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:6819"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat AMQ Streams 2.2.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "Kafka: Unauthenticated clients may cause OutOfMemoryError on brokers"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.