rhsa-2024:9571
Vulnerability from csaf_redhat
Published
2024-11-13 16:21
Modified
2025-10-23 23:58
Summary
Red Hat Security Advisory: Streams for Apache Kafka 2.8.0 release and security update

Notes

Topic
Streams for Apache Kafka 2.8.0 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. This release of Red Hat AMQ Streams 2.8.0 serves as a replacement for Red Hat AMQ Streams 2.7.0, and includes security and bug fixes, and enhancements. Security Fix(es): * Zookeeper, Kafka, Cruise Control: org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks [amq-st-2] "(CVE-2024-8184)" * Zookeeper, Kafka : org.eclipse.jetty/jetty-servlets: Jetty DOS vulnerability on DosFilter [amq-st-2] "(CVE-2024-9823)" * Zookeeper, Kafka, Drain Cleaner, Cruise Control: Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader "(CVE-2024-47554)" * Kafka: (com.google.protobuf:protobuf-java@3.23.4). Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users "(CVE-2024-7254)" "Drain Cleaner: Awaiting Analysis(CVE-2024-29025)" * Kroxylicoius: When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. "(CVE-2024-8285)"
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Streams for Apache Kafka 2.8.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed\nbackbone that allows microservices and other applications to share data with\nextremely high throughput and extremely low latency.\n\nThis release of Red Hat AMQ Streams 2.8.0 serves as a replacement for Red Hat\nAMQ Streams 2.7.0, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n* Zookeeper, Kafka, Cruise Control: org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks [amq-st-2] \n\"(CVE-2024-8184)\"\n\n* Zookeeper, Kafka : org.eclipse.jetty/jetty-servlets: Jetty DOS vulnerability on DosFilter [amq-st-2] \"(CVE-2024-9823)\"\n\n* Zookeeper, Kafka, Drain Cleaner, Cruise Control: Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader \"(CVE-2024-47554)\"\n\n* Kafka: (com.google.protobuf:protobuf-java@3.23.4). Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users \"(CVE-2024-7254)\"\n\n\"Drain Cleaner: Awaiting Analysis(CVE-2024-29025)\"\n\n* Kroxylicoius: When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server\u0027s hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. \"(CVE-2024-8285)\"",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2024:9571",
        "url": "https://access.redhat.com/errata/RHSA-2024:9571"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "2272907",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272907"
      },
      {
        "category": "external",
        "summary": "2308606",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2308606"
      },
      {
        "category": "external",
        "summary": "2313454",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313454"
      },
      {
        "category": "external",
        "summary": "2316271",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316271"
      },
      {
        "category": "external",
        "summary": "2318564",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318564"
      },
      {
        "category": "external",
        "summary": "2318565",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318565"
      },
      {
        "category": "external",
        "summary": "ASUI-91",
        "url": "https://issues.redhat.com/browse/ASUI-91"
      },
      {
        "category": "external",
        "summary": "ENTMQST-2632",
        "url": "https://issues.redhat.com/browse/ENTMQST-2632"
      },
      {
        "category": "external",
        "summary": "ENTMQST-3288",
        "url": "https://issues.redhat.com/browse/ENTMQST-3288"
      },
      {
        "category": "external",
        "summary": "ENTMQST-4019",
        "url": "https://issues.redhat.com/browse/ENTMQST-4019"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5199",
        "url": "https://issues.redhat.com/browse/ENTMQST-5199"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5669",
        "url": "https://issues.redhat.com/browse/ENTMQST-5669"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5674",
        "url": "https://issues.redhat.com/browse/ENTMQST-5674"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5740",
        "url": "https://issues.redhat.com/browse/ENTMQST-5740"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5789",
        "url": "https://issues.redhat.com/browse/ENTMQST-5789"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5843",
        "url": "https://issues.redhat.com/browse/ENTMQST-5843"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5850",
        "url": "https://issues.redhat.com/browse/ENTMQST-5850"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5863",
        "url": "https://issues.redhat.com/browse/ENTMQST-5863"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5865",
        "url": "https://issues.redhat.com/browse/ENTMQST-5865"
      },
      {
        "category": "external",
        "summary": "ENTMQST-5915",
        "url": "https://issues.redhat.com/browse/ENTMQST-5915"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6028",
        "url": "https://issues.redhat.com/browse/ENTMQST-6028"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6032",
        "url": "https://issues.redhat.com/browse/ENTMQST-6032"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6129",
        "url": "https://issues.redhat.com/browse/ENTMQST-6129"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6183",
        "url": "https://issues.redhat.com/browse/ENTMQST-6183"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6205",
        "url": "https://issues.redhat.com/browse/ENTMQST-6205"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6225",
        "url": "https://issues.redhat.com/browse/ENTMQST-6225"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6341",
        "url": "https://issues.redhat.com/browse/ENTMQST-6341"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6421",
        "url": "https://issues.redhat.com/browse/ENTMQST-6421"
      },
      {
        "category": "external",
        "summary": "ENTMQST-6422",
        "url": "https://issues.redhat.com/browse/ENTMQST-6422"
      },
      {
        "category": "external",
        "summary": "ENTMQSTPR-43",
        "url": "https://issues.redhat.com/browse/ENTMQSTPR-43"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9571.json"
      }
    ],
    "title": "Red Hat Security Advisory: Streams for Apache Kafka 2.8.0 release and security update",
    "tracking": {
      "current_release_date": "2025-10-23T23:58:29+00:00",
      "generator": {
        "date": "2025-10-23T23:58:29+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.9"
        }
      },
      "id": "RHSA-2024:9571",
      "initial_release_date": "2024-11-13T16:21:03+00:00",
      "revision_history": [
        {
          "date": "2024-11-13T16:21:03+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2024-11-13T16:21:03+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-10-23T23:58:29+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Streams for Apache Kafka 2.8.0",
                "product": {
                  "name": "Streams for Apache Kafka 2.8.0",
                  "product_id": "Streams for Apache Kafka 2.8.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:amq_streams:2"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Streams for Apache Kafka"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-7254",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2024-09-19T01:20:29.981665+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2313454"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Protocol Buffers (protobuf). This issue can allows an attacker to cause a StackOverflow via parsing untrusted Protocol Buffers data containing arbitrarily nested SGROUP tags, leading to unbounded recursion.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "protobuf: StackOverflow vulnerability in Protocol Buffers",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue represents a significant severity risk because unbounded recursion in Protocol Buffers parsing can be exploited to trigger stack overflows, leading to Denial of Service (DoS). When parsers, such as `DiscardUnknownFieldsParser` or the Java Protobuf Lite parser, encounter arbitrarily nested groups or deeply recursive map fields, the lack of recursion depth limits can result in uncontrolled stack growth. Attackers can craft malicious protobuf messages that deliberately exceed the stack\u0027s capacity, causing the application to crash or become unresponsive.\n\nThe protobuf package as shipped in RHEL does not include the affected java or kotlin bindings, therefore RHEL is Not Affected.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-7254"
        },
        {
          "category": "external",
          "summary": "RHBZ#2313454",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313454"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-7254",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-7254"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-7254",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7254"
        },
        {
          "category": "external",
          "summary": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa",
          "url": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa"
        }
      ],
      "release_date": "2024-09-19T01:15:10.963000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-13T16:21:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:9571"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "protobuf: StackOverflow vulnerability in Protocol Buffers"
    },
    {
      "cve": "CVE-2024-8184",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-10-14T16:01:01.239238+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2318564"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Jetty\u0027s ThreadLimitHandler.getRemote(). This flaw allows unauthorized users to cause remote denial of service (DoS) attacks. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server\u0027s memory.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is rated as moderate rather than important because it requires specific conditions to be met, including continuous, crafted requests that deliberately target memory allocation to exhaust resources. While it can cause a denial of service, it does not lead to direct compromise of sensitive data, unauthorized access, or code execution.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-400: Uncontrolled Resource Consumption vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nRed Hat restricts access to all platform information by default, granting access only after successful hard token-based multi-factor authentication (MFA) and enforcing least privilege to ensure only authorized roles can execute or modify code. The environment employs malicious code protections, including IDS/IPS and antimalware tools to detect threats and monitor resource usage, helping prevent uncontrolled consumption that could lead to system failure. Additional safeguards, such as web application firewalls and load-balancing strategies, protect against resource exhaustion and performance degradation. Event logs are centrally collected, correlated, and analyzed to support monitoring, alerting, and retention, aiding in the detection of abnormal behavior and potential denial-of-service (DoS) conditions. Static code analysis and peer reviews enforce strong input validation and error handling, reducing the likelihood of input-based DoS attacks.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-8184"
        },
        {
          "category": "external",
          "summary": "RHBZ#2318564",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318564"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-8184",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-8184"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-8184",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8184"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/pull/11723",
          "url": "https://github.com/jetty/jetty.project/pull/11723"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq",
          "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq"
        },
        {
          "category": "external",
          "summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30",
          "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30"
        }
      ],
      "release_date": "2024-10-14T15:09:37.861000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-13T16:21:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:9571"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks"
    },
    {
      "cve": "CVE-2024-8285",
      "cwe": {
        "id": "CWE-297",
        "name": "Improper Validation of Certificate with Host Mismatch"
      },
      "discovery_date": "2024-08-29T22:39:10.882000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2308606"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server\u0027s hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "kroxylicious: Missing upstream Kafka TLS hostname verification",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat have considered this vulnerability as a \u0027Moderate\u0027 severity given the complexity and the permission level required to perform a successful attacker.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-8285"
        },
        {
          "category": "external",
          "summary": "RHBZ#2308606",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2308606"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-8285",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-8285"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-8285",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8285"
        }
      ],
      "release_date": "2024-08-27T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-13T16:21:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:9571"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "kroxylicious: Missing upstream Kafka TLS hostname verification"
    },
    {
      "cve": "CVE-2024-9823",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-10-14T16:01:06.545771+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2318565"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Jetty. The DosFilter can be exploited remotely by unauthorized users to trigger an out-of-memory condition by repeatedly sending specially crafted requests. This issue may cause a crash, leading to a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.eclipse.jetty:jetty-servlets: jetty: Jetty DOS vulnerability on DosFilter",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-400: Uncontrolled Resource Consumption vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nRed Hat restricts access to all platform information by default, granting access only after successful hard token-based multi-factor authentication (MFA) and enforcing least privilege to ensure only authorized roles can execute or modify code. The environment employs malicious code protections, including IDS/IPS and antimalware tools to detect threats and monitor resource usage, helping prevent uncontrolled consumption that could lead to system failure. Additional safeguards, such as web application firewalls and load-balancing strategies, protect against resource exhaustion and performance degradation. Event logs are centrally collected, correlated, and analyzed to support monitoring, alerting, and retention, aiding in the detection of abnormal behavior and potential denial-of-service (DoS) conditions. Static code analysis and peer reviews enforce strong input validation and error handling, reducing the likelihood of input-based DoS attacks.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-9823"
        },
        {
          "category": "external",
          "summary": "RHBZ#2318565",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318565"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-9823",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-9823"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-9823",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9823"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/issues/1256",
          "url": "https://github.com/jetty/jetty.project/issues/1256"
        },
        {
          "category": "external",
          "summary": "https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h",
          "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h"
        },
        {
          "category": "external",
          "summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/39",
          "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/39"
        }
      ],
      "release_date": "2024-10-14T15:03:02.293000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-13T16:21:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:9571"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "org.eclipse.jetty:jetty-servlets: jetty: Jetty DOS vulnerability on DosFilter"
    },
    {
      "cve": "CVE-2024-29025",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2024-04-03T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2272907"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the io.netty:netty-codec-http package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling issues due to the accumulation of data in the HttpPostRequestDecoder. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, allowing data to accumulate without limits. This flaw allows an attacker to cause a denial of service by sending a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty-codec-http: Allocation of Resources Without Limits or Throttling",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The vulnerability in io.netty:netty-codec-http, allowing for Allocation of Resources Without Limits or Throttling issues, is assessed as moderate severity due to its potential impact on system availability and performance. By exploiting the flaw in HttpPostRequestDecoder, an attacker can craft chunked POST requests with numerous small fields, causing excessive accumulation of data in memory buffers. This unrestricted accumulation can lead to significant memory consumption on the server, potentially exhausting available resources and resulting in denial of service (DoS) conditions.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-29025"
        },
        {
          "category": "external",
          "summary": "RHBZ#2272907",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272907"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-29025",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-29025"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29025",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29025"
        },
        {
          "category": "external",
          "summary": "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3",
          "url": "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c",
          "url": "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v",
          "url": "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v"
        },
        {
          "category": "external",
          "summary": "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812",
          "url": "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812"
        }
      ],
      "release_date": "2024-03-25T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-13T16:21:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:9571"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "netty-codec-http: Allocation of Resources Without Limits or Throttling"
    },
    {
      "cve": "CVE-2024-47554",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-10-03T12:00:40.921058+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2316271"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in the Apache Commons IO component in the org.apache.commons.io.input.XmlStreamReader class. Excessive CPU resource consumption can lead to a denial of service when an untrusted input is processed.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-400: Uncontrolled Resource Consumption vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nRed Hat restricts access to all platform information by default, granting access only after successful hard token-based multi-factor authentication (MFA) and enforcing least privilege to ensure only authorized roles can execute or modify code. The environment employs malicious code protections, including IDS/IPS and antimalware tools to detect threats and monitor resource usage, helping prevent uncontrolled consumption that could lead to system failure. Additional safeguards, such as web application firewalls and load-balancing strategies, protect against resource exhaustion and performance degradation. Event logs are centrally collected, correlated, and analyzed to support monitoring, alerting, and retention, aiding in the detection of abnormal behavior and potential denial-of-service (DoS) conditions. Static code analysis and peer reviews enforce strong input validation and error handling, reducing the likelihood of input-based DoS attacks.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Streams for Apache Kafka 2.8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-47554"
        },
        {
          "category": "external",
          "summary": "RHBZ#2316271",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316271"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-47554",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-47554"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-47554",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47554"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1",
          "url": "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1"
        }
      ],
      "release_date": "2024-10-03T11:32:48.936000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-13T16:21:03+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Streams for Apache Kafka 2.8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:9571"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Streams for Apache Kafka 2.8.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.


Loading…

Loading…