The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9571.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff




====================================================================
Red Hat Security Advisory

Synopsis:           Moderate: Streams for Apache Kafka 2.8.0 release and security update
Advisory ID:        RHSA-2024:9571-03
Product:            Streams for Apache Kafka
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:9571
Issue date:         2024-11-13
Revision:           03
CVE Names:          CVE-2024-7254
====================================================================

Summary: 

Streams for Apache Kafka 2.8.0 is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.




Description:

Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed
backbone that allows microservices and other applications to share data with
extremely high throughput and extremely low latency.

This release of Red Hat AMQ Streams 2.8.0 serves as a replacement for Red Hat
AMQ Streams 2.7.0, and includes security and bug fixes, and enhancements.

Security Fix(es):
* Zookeeper, Kafka, Cruise Control: org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks [amq-st-2] 
\"(CVE-2024-8184)\"

* Zookeeper, Kafka : org.eclipse.jetty/jetty-servlets: Jetty DOS vulnerability on DosFilter [amq-st-2] \"(CVE-2024-9823)\"

* Zookeeper, Kafka, Drain Cleaner, Cruise Control: Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader \"(CVE-2024-47554)\"

* Kafka: (com.google.protobuf:protobuf-java@3.23.4). Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users \"(CVE-2024-7254)\"

\"Drain Cleaner: Awaiting Analysis(CVE-2024-29025)\"

* Kroxylicoius: When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. \"(CVE-2024-8285)\"


Solution:

https://access.redhat.com/articles/11258



CVEs:

CVE-2024-7254

References:

https://access.redhat.com/security/updates/classification/#moderate
https://bugzilla.redhat.com/show_bug.cgi?id=2272907
https://bugzilla.redhat.com/show_bug.cgi?id=2308606
https://bugzilla.redhat.com/show_bug.cgi?id=2313454
https://bugzilla.redhat.com/show_bug.cgi?id=2316271
https://bugzilla.redhat.com/show_bug.cgi?id=2318564
https://bugzilla.redhat.com/show_bug.cgi?id=2318565
https://issues.redhat.com/browse/ASUI-91
https://issues.redhat.com/browse/ENTMQST-2632
https://issues.redhat.com/browse/ENTMQST-3288
https://issues.redhat.com/browse/ENTMQST-4019
https://issues.redhat.com/browse/ENTMQST-5199
https://issues.redhat.com/browse/ENTMQST-5669
https://issues.redhat.com/browse/ENTMQST-5674
https://issues.redhat.com/browse/ENTMQST-5740
https://issues.redhat.com/browse/ENTMQST-5789
https://issues.redhat.com/browse/ENTMQST-5843
https://issues.redhat.com/browse/ENTMQST-5850
https://issues.redhat.com/browse/ENTMQST-5863
https://issues.redhat.com/browse/ENTMQST-5865
https://issues.redhat.com/browse/ENTMQST-5915
https://issues.redhat.com/browse/ENTMQST-6028
https://issues.redhat.com/browse/ENTMQST-6032
https://issues.redhat.com/browse/ENTMQST-6129
https://issues.redhat.com/browse/ENTMQST-6183
https://issues.redhat.com/browse/ENTMQST-6205
https://issues.redhat.com/browse/ENTMQST-6225
https://issues.redhat.com/browse/ENTMQST-6341
https://issues.redhat.com/browse/ENTMQST-6421
https://issues.redhat.com/browse/ENTMQST-6422
https://issues.redhat.com/browse/ENTMQSTPR-43