
Security: Multiple issues in Red Hat AMQ Streams 2.7.0
Name: Multiple issues in Red Hat AMQ Streams 2.7.0
ID: RHSA-2024:3527
Distribution: Red Hat
Platforms: Red Hat AMQ Streams 2.7.0
Date: Fri, 31 May 2024, 07:44
References: https://access.redhat.com/security/cve/CVE-2023-33202
Referenzen: https://access.redhat.com/security/cve/CVE-2023-33202
https://issues.redhat.com/browse/ENTMQST-5886
https://access.redhat.com/security/cve/CVE-2024-1023
https://bugzilla.redhat.com/show_bug.cgi?id=2135435
https://issues.redhat.com/browse/ENTMQST-5619
https://bugzilla.redhat.com/show_bug.cgi?id=2263139
https://bugzilla.redhat.com/show_bug.cgi?id=2179864
https://access.redhat.com/security/cve/CVE-2023-1370
https://access.redhat.com/security/cve/CVE-2023-43642
https://bugzilla.redhat.com/show_bug.cgi?id=2256063
https://bugzilla.redhat.com/show_bug.cgi?id=2251281
https://issues.redhat.com/browse/ENTMQST-5885
https://access.redhat.com/security/cve/CVE-2023-2976
https://access.redhat.com/security/cve/CVE-2021-3520
https://access.redhat.com/security/cve/CVE-2022-4899
https://bugzilla.redhat.com/show_bug.cgi?id=2188542
https://bugzilla.redhat.com/show_bug.cgi?id=2215465
https://issues.redhat.com/browse/ENTMQST-5881
https://access.redhat.com/security/cve/CVE-2024-1300
https://access.redhat.com/security/cve/CVE-2022-42920
https://access.redhat.com/security/cve/CVE-2024-29025
https://issues.redhat.com/browse/ENTMQST-5884
https://bugzilla.redhat.com/show_bug.cgi?id=2241722
https://access.redhat.com/errata/RHSA-2024:3527
https://access.redhat.com/security/cve/CVE-2024-25710
https://access.redhat.com/security/cve/CVE-2022-42889
https://bugzilla.redhat.com/show_bug.cgi?id=2264988
https://bugzilla.redhat.com/show_bug.cgi?id=2273281
https://bugzilla.redhat.com/show_bug.cgi?id=2137645
https://bugzilla.redhat.com/show_bug.cgi?id=2272907
https://access.redhat.com/security/cve/CVE-2023-51074
https://issues.redhat.com/browse/ENTMQST-5883
https://bugzilla.redhat.com/show_bug.cgi?id=1928090
https://bugzilla.redhat.com/show_bug.cgi?id=1954559
https://access.redhat.com/security/cve/CVE-2023-33201
https://access.redhat.com/security/cve/CVE-2021-24032
https://bugzilla.redhat.com/show_bug.cgi?id=2260840
https://access.redhat.com/security/cve/CVE-2024-2700
https://issues.redhat.com/browse/ENTMQST-5882
https://bugzilla.redhat.com/show_bug.cgi?id=2142707
https://bugzilla.redhat.com/show_bug.cgi?id=2215229
https://access.redhat.com/security/cve/CVE-2022-3171
Applications: Red Hat AMQ Streams 2.7.0

Original message

Red Hat AMQ Streams 2.7.0 is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed
backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.

This release of Red Hat AMQ Streams 2.7.0 serves as a replacement for Red Hat
AMQ Streams 2.7.0, and includes security and bug fixes, and enhancements.

Security Fix(es):

* lz4: memory corruption due to an integer overflow bug caused by memmove argument (CVE-2021-3520)
* zstd: Race condition allows attacker to access world-readable destination file (CVE-2021-24032)
* RocksDB: zstd: mysql: buffer overrun in util.c (CVE-2022-4899)
* netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)
* commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file (CVE-2024-25710)
* apache-commons-text: variable interpolation RCE (CVE-2022-42889)
* snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact (CVE-2023-43642)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)
* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
* bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class (CVE-2023-33202)
* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)
* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)
* guava: insecure temporary directory creation (CVE-2023-2976)
* io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)
* io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx (CVE-2024-1023)
* quarkus-core: Leak of local configuration properties into Quarkus applications (CVE-2024-2700)

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2021-3520: Out-of-bounds Write (CWE-787)
CVE-2021-24032: Improper Preservation of Permissions (CWE-281)
CVE-2022-3171: Improper Input Validation (CWE-20)
CVE-2022-4899: Uncontrolled Resource Consumption (CWE-400)
CVE-2022-42889: Initialization of a Resource with an Insecure Default (CWE-1188)
CVE-2022-42920: Out-of-bounds Write (CWE-787)
CVE-2023-1370: Uncontrolled Recursion (CWE-674)
CVE-2023-2976: Files or Directories Accessible to External Parties (CWE-552)
CVE-2023-33201: Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
CVE-2023-33202: Uncontrolled Resource Consumption (CWE-400)
CVE-2023-43642: Allocation of Resources Without Limits or Throttling (CWE-770)
CVE-2023-51074: Stack-based Buffer Overflow (CWE-121)
CVE-2024-1023: Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
CVE-2024-1300: Uncontrolled Resource Consumption (CWE-400)
CVE-2024-2700: Cleartext Storage of Sensitive Information in an Environment Variable (CWE-526)
CVE-2024-25710: Loop with Unreachable Exit Condition ('Infinite Loop') (CWE-835)
CVE-2024-29025: Allocation of Resources Without Limits or Throttling (CWE-770)