SB2022100556 - Multiple vulnerabilities in Red Hat AMQ Streams

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Out-of-bounds write (CVE-ID: CVE-2020-36518)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can trigger out-of-bounds write and cause a denial of service condition on the target system.

2) Creation of Temporary File With Insecure Permissions (CVE-ID: CVE-2022-24823)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to usage of insecure permissions for temporary files. A local user can view contents of temporary files and gain access to sensitive information.

3) Deserialization of Untrusted Data (CVE-ID: CVE-2022-25647)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to insecure input validation when processing serialized data passed to writeReplace() method. A remote attacker can pass specially crafted data to the application and perform a denial of service attack.

4) Resource exhaustion (CVE-ID: CVE-2022-34917)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote non-authenticated attacker with ability to establish a network connection with the Apache Kafka broker can consume all available memory resources on the system and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2022:6819