Red Hat AMQ Streams 2.6.0 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.
This release of Red Hat AMQ Streams 2.6.0 serves as a replacement for Red Hat AMQ Streams 2.5.1, and includes security and bug fixes, and enhancements.
Security Fix(es):
* JSON-java: parser confusion leads to OOM (CVE-2023-5072)
* spring-boot: Security Bypass With Wildcard Pattern Matching on Cloud Foundry (CVE-2023-20873)
* zookeeper: Authorization Bypass in Apache ZooKeeper (CVE-2023-44981)
* apache-ivy: XML External Entity vulnerability (CVE-2022-46751)
* guava: insecure temporary directory creation (CVE-2023-2976)
* jose4j: Insecure iteration count setting (CVE-2023-31582)
* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)
* jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)
* tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)
* gradle: Possible local text file exfiltration by XML External entity injection (CVE-2023-42445)
* gradle: Incorrect permission assignment for symlinked files used in copy or archiving operations (CVE-2023-44387)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
* CVE-2022-46751: XML Injection (aka Blind XPath Injection) (CWE-91)
* CVE-2023-2976: Files or Directories Accessible to External Parties (CWE-552)
* CVE-2023-5072: Allocation of Resources Without Limits or Throttling (CWE-770)
* CVE-2023-20873: Improper Access Control (CWE-284)
* CVE-2023-31582: Insufficient Entropy (CWE-331)
* CVE-2023-33201: Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
* CVE-2023-40167: Improper Handling of Length Parameter Inconsistency (CWE-130)
* CVE-2023-41080: URL Redirection to Untrusted Site ('Open Redirect') (CWE-601)
* CVE-2023-42445: Improper Restriction of XML External Entity Reference (CWE-611)
* CVE-2023-44387: Incorrect Permission Assignment for Critical Resource (CWE-732)
* CVE-2023-44981: Authorization Bypass Through User-Controlled Key (CWE-639)