SB2023051919 - Multiple vulnerabilities in Red Hat AMQ Streams 2.4

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023051919

SB2023051919 - Multiple vulnerabilities in Red Hat AMQ Streams 2.4

Published: May 19, 2023 Updated: February 11, 2025

Security Bulletin ID SB2023051919
Severity
High
Patch available
YES
Number of vulnerabilities 13
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 8% Medium 77% Low 15%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 13 secuirty vulnerabilities.


1) Out-of-bounds write (CVE-ID: CVE-2020-36518)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can trigger out-of-bounds write and cause a denial of service condition on the target system.


2) Improper Certificate Validation (CVE-ID: CVE-2021-0341)

The vulnerability allows a remote attacker to perform MitM attack.

the vulnerability exists due to improper certificate validation within the verifyHostName in OkHostnameVerifier.java in okhttp library in Android runtime. A remote attacker can force the system to accept a certificate for the wrong domain due to improperly used crypto and perform MitM attack.


3) Resource exhaustion (CVE-ID: CVE-2021-37136)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in Bzip2 decompression decoder function. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


4) Improper input validation (CVE-ID: CVE-2021-37137)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Content Acquisition System (Netty) component in Oracle Commerce Guided Search. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.


5) Deserialization of Untrusted Data (CVE-ID: CVE-2021-46877)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insecure input validation when processing serialized JsonNode values. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Note, the vulnerability affects JDK serialization only.


6) Creation of Temporary File With Insecure Permissions (CVE-ID: CVE-2022-24823)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to usage of insecure permissions for temporary files. A local user can view contents of temporary files and gain access to sensitive information.


7) Deserialization of Untrusted Data (CVE-ID: CVE-2022-36944)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data during Java object deserialization. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


8) Out-of-bounds write (CVE-ID: CVE-2022-40149)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when processing untrusted XML or JSON data. A remote attacker can pass specially crafted input to the application, trigger an out-of-bounds write and perform a denial of service (DoS) attack.


9) Resource exhaustion (CVE-ID: CVE-2022-40150)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when processing untrusted XML or JSON data. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


10) Deserialization of Untrusted Data (CVE-ID: CVE-2022-42003)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insecure input validation when processing serialized data when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. A remote attacker can pass specially crafted data to the application and cause a denial of service condition on the target system.


11) Resource exhaustion (CVE-ID: CVE-2022-42004)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control usage of deeply nested arrays in BeanDeserializer._deserializeFromArray. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


12) Information disclosure (CVE-ID: CVE-2023-0833)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the OKHttp component. A remote user can send a specially crafted request to the server containing a header with an illegal value and disclose potentially sensitive information.


13) Uncontrolled Recursion (CVE-ID: CVE-2023-1370)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to uncontrolled recursion when processing nested arrays and objects. A remote attacker can pass specially crafted JSON data to the application and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References