AMQ 7 - 7.4.x Resolved Issues

The AMQ Broker 7.4.6 release is now available for download from the Customer Support Portal. AMQ Broker 7.4.6 is a patch release for AMQ Broker 7.4.0; it can be applied as a patch to an existing broker instance or used to create new broker instances. Note that AMQ Broker patches are cumulative and include the fixes from previous patch releases, as listed below.

The following issues have been resolved in the AMQ 7.4.6 release:

ID Component Summary
ENTMQBR-3707 CVE-2020-13932 mqtt-client: activemq: remote XSS in web console diagram plugin [amq-7.4.0]
ENTMQBR-3923 [LTS] AMQ 7.7 concurrent jolokia operations can incorrectly update artemis-roles.properties or artemis-users.properties
ENTMQBR-3972 [LTS][ARTEMIS-2910] consider routing type annotations during node auto-creation for AMQP anonymous producers
ENTMQBR-4022 [LTS] Temporary Queue Leak With OpenWire Request-Reply Clients
ENTMQBR-4075 [LTS] Addresses that includes temporary queue keep to remain If the broker is shut down
ENTMQBR-4076 [LTS] LegacyLDAPSecuritySettingPlugin ignore group changes
ENTMQBR-4132 [LTS] RA doesn't use the RA specified prefix when setting up a destination
ENTMQBR-4168 [LTS] shared durable subscriptions - unsubscribe() method does not remove the subscriber queue
ENTMQBR-4194 [LTS] Server start exception before activation can cause a zombie broker
ENTMQBR-4318 [LTS] NPE during broker initialization: getCreateDurableQueueRoles
ENTMQBR-4403 [LTS] ARTEMIS-3037 JournalImpl#checkKnownRecordID() implementation can leave a thread hanging in WAITING state
ENTMQBR-4420 [LTS] [ARTEMIS-2927] LVQ broken after restart
ENTMQBR-4421 [LTS] Tests related to ttl messages are failed
ENTMQBR-4422 [LTS] Audit message shows a wrong messages in the log
ENTMQBR-4423 [LTS] Adding Wildcard Subscriptions Can Take Too Long, Resulting in Connections Closures Due to Exceeded KeepAlive
ENTMQBR-4424 CVE-2020-27216 jetty: local temporary directory hijacking vulnerability [amq-7.4.0]
ENTMQBR-4425 [LTS] Deleted scheduled message reappears after AMQ broker restart.
ENTMQBR-4426 [LTS] Inconsistent and negative address size
ENTMQBR-4427 [LTS] destination header replaced for wildcard address during paging
ENTMQBR-4428 [LTS] [ARTEMIS-3004] Repeating WARN log message "Notified of connection failure" after every xa recovery when read-timeout is configured with a smaller value than default client-failure-check-period (30 seconds)
ENTMQBR-4429 [LTS] Leak of HttpAcceptorHandler instances when using websocket connections
ENTMQBR-4430 CVE-2020-27218 jetty: buffer not correctly recycled in Gzip Request inflation [amq-7.4.0]
ENTMQBR-4446 [LTS] Inconsistencies between Replication Catchup and PagingStore.stopPaging();



The following issues have been resolved in the AMQ 7.4.5 release:

ID Component Summary
ENTMQBR-3953 [LTS] Wrong formatting Strings in class LoggingResultSet
ENTMQBR-3951 [LTS] [JDBC-STORE] Adding index on txId
ENTMQBR-3950 [LTS] JDBC store query append-to-file not correct for mysql
ENTMQBR-3949 [LTS] DB2 isn't replacing Blob data
ENTMQBR-3916 [LTS] Non-durable subscribers may stop receiving after failover
ENTMQBR-3869 [LTS] CVE-2015-5183 Hawtio: HTTPOnly and Secure attributes not set on cookies [amq-7]
ENTMQBR-3866 [LTS] different "audit logging message" between openwire & amqp protocol
ENTMQBR-3865 [LTS] Enabling group rebalancing with default / non-zero consumer-window-size can lead to out-of-order message consumption
ENTMQBR-3864 [LTS] Potential deadlock when destroying a queue and depaging concurrently
ENTMQBR-3863 [LTS] Configuration-managed queues are being auto deleted
ENTMQBR-3862 [LTS] LegacyLDAPSecuritySettingPlugin allows new user to access any newly created destinations
ENTMQBR-3861 [LTS] JDBC XML config can't use custom password codec
ENTMQBR-3860 [LTS] JVM property hawtio.role doesn't parse a role with space and hyphen
ENTMQBR-3859 [LTS] LVQ + non-destructive not delivering message to existing consumer
ENTMQBR-3858 [LTS] Prometheus shows inconsistent figures in master-slave, shared-store configuration
ENTMQBR-3857 [LTS] Met NPE when trying to export the messages
ENTMQBR-3856 [LTS] Null pointer exception on queue update
ENTMQBR-3855 [LTS] [EAP - postgresql115] java.sql.SQLException: Couldn't access org.postgresql.largeobject.LargeObject
ENTMQBR-3817 [LTS] The createSession() method throws java.lang.NullPointerException
ENTMQBR-3816 [LTS] MDB Durable Subscriber error in AMQ 7
ENTMQBR-3815 [LTS] Activation failure can result in zombie broker
ENTMQBR-3803 [LTS] Backup broker cannot reestablish connection with its master
ENTMQBR-3799 [LTS] AMQ broker creating consumers with destroyed sessions
ENTMQBR-3783 [LTS] page-max-concurrent-io cannot be disabled
ENTMQBR-3728 [LTS] ARTEMIS-2835 - Fix new connection establishment after failure during failover / Adding proper log message to SharedNothingLiveActivation.isNodeIdUsed
ENTMQBR-3725 [LTS] Porting ENTMQBR-3516
ENTMQBR-3138 CVE-2019-9827 hawtio: server side request forgery via initial /proxy/ substring of a URI [amq-7.4.0]



The following issues have been resolved in the AMQ 7.4.4 release:

ID Component Summary
ENTMQBR-2580 [AMQ7, message expiry, auto-delete] auto-created queue may not auto-deleted when message expire
ENTMQBR-3213 Failback does not work master/slave cluster using NFS shared store
ENTMQBR-3275 Regression: Backup doesn't activate after shared store is reconnected
ENTMQBR-3309 NMS / Openwire Client Runs Out of Credits Even though Broker Shows All Messages Acked
ENTMQBR-3381 [ARTEMIS-2665] AMQP Shared Non Durable queues are not being created same as CORE
ENTMQBR-3402 CVE-2020-1953 commons-configuration2: apache-commons-configuration: uncontrolled class instantiation when loading YAML files [amq-7.4.0]
ENTMQBR-3428 [AMQ7, AMQP, Openwire] issue consuming amqp message using openwire consumer
ENTMQBR-3431 CVE-2020-11612 netty: compression/decompression codecs don't enforce limits on buffer allocation sizes [amq-7-LTS]
ENTMQBR-3435 [LTS] resetUsers operation stores password in plain text
ENTMQBR-3437 AMQP consumption stalls during high message throughput
ENTMQBR-3438 OpenWire consumption stalls during high message throughput
ENTMQBR-3481 [LTS] Incorrect Behavior when verifyHost is Configured on Acceptor
ENTMQBR-3488 resetUsers operation stores password in plain text
ENTMQBR-3489 [LTS] JMX/Jolokia addSecuritySettings - permissions are not processed until broker restart
ENTMQBR-3505 [LTS] AMQ224000: Failure in initialisation: java.lang.IllegalStateException: com.microsoft.sqlserver.jdbc.SQLServerException: The conversion from timestamp to TIMESTAMP is unsupported.
ENTMQBR-3522 CVE-2020-10727 broker: resetUsers operation stores password in plain text [amq-7-LTS]
ENTMQBR-3559 Don't delete auto created queues when FORCE is used for configuration changes
ENTMQBR-3565 [LTS] Openwire Temporary Queues may not work if you change wildcard settings
ENTMQBR-3570 [AMQ 7.2, shared store, scale down] NullPointer exception when slave activates and tries to scale down
ENTMQBR-3572 In jolokia-access.xml, allowing a remote access using FQDN doesn't work.
ENTMQBR-3574 [AMQ7, AMQP, Openwire] issue consuming amqp message using openwire consumer
ENTMQBR-3592 killing (kill -9) AMQ causes tmp space usage to increase - webapp folders are not removed
ENTMQBR-3623 [LTS] io.netty.util.internal.OutOfDirectMemoryError during uncompress
ENTMQBR-3630 human-readable timestamp in hawtio is incorrect
ENTMQBR-3634 OpenWire producerId leak in session state
ENTMQBR-3636 The names returned by AddressControl.getQueueNames() also include remote forward queue
ENTMQBR-3637 Default network pinger command uses -t argument for timeout
ENTMQBR-3638 [AMQ7 Examples] Readme file is missing from all the examples
ENTMQBR-3639 [LTS] Broker logs "quorum" messages even when there is no cluster
ENTMQBR-3680 CVE-2018-15756 springframework: DoS Attack via Range Requests [amq-7.3.0]
ENTMQBR-3688 SIGSEGV in libaio when running RHEL 7.8
ENTMQBR-3691 Metrics exporter switches address and queue name
ENTMQBR-3694 Avoid notifications when shutting down on critical IO error
ENTMQBR-3776 CVE-2020-1953 commons-configuration2: apache-commons-configuration: uncontrolled class instantiation when loading YAML files [amq-7-LTS]



The following issues have been resolved in the AMQ 7.4.3 release:

ID Component Summary
ENTMQBR-2456 CVE-2018-10899 jolokia-core: jolokia: system-wide CSRF that could lead to Remote Code Execution [amq-7.2.4]
ENTMQBR-2706 ARTEMIS-2176 - Repeating WARN log message "Notified of connection failure" after every xa recovery when read-timeout is configured with a smaller value than default client-failure-check-period (30 seconds)
ENTMQBR-2906 Upgrade Jetty to fix CVEs related to version 9.4.3.v20170317 [amq-7.4.0]
ENTMQBR-2981 CVE-2019-16869 netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers [amq-7.4.0]
ENTMQBR-3151 CVE-2019-0222 mqtt-client: activemq: Corrupt MQTT frame can cause broker shutdown [amq-7.4.0]
ENTMQBR-3157 CVE-2019-10241 jetty: using specially formatted URL against DefaultServlet or ResourceHandler leads to XSS conditions [amq-7.4.0]
ENTMQBR-3158 CVE-2019-10247 jetty: error path information disclosure [amq-7.4.0]
ENTMQBR-3159 Jetty CVEs
ENTMQBR-3226 CVE-2020-7238 netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling [amq-7.4.0]
ENTMQBR-3227 LTS: Memory Leak when Opening and Closing AMQP Consumers in the Same Session / Context
ENTMQBR-3243 CVE-2019-20445 netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header [amq-7.4.0]
ENTMQBR-3244 CVE-2019-20444 netty: HTTP request smuggling [amq-7.4.0]
ENTMQBR-3257 LTS: AMQ119217: Cant write to closed file: {0}
ENTMQBR-3258 [amqp] when receiver client connects without source being set, broker prints NPE
ENTMQBR-3259 CVE-2012-6708 vulnerability in jQuery
ENTMQBR-3260 AMQ Hawtio : Could not retrieve queue list. Wrong MBean selected.
ENTMQBR-3261 AMQ broker does not clean the connection(MQTT) when the connection is broken
ENTMQBR-3263 Improper Quoting in Generated artemis.profile File - Causing Start Failures in Some Environments
ENTMQBR-3264 broker rejects reconnect on broker stop/start
ENTMQBR-3267 Large message's copy may be interfered by other threads
ENTMQBR-3282 server-side AMQP interceptor returns false, but message is still enqueued
ENTMQBR-3344 CVE-2019-9511 jetty: HTTP/2: large amount of data requests leads to denial of service [amq-7.4.0]
ENTMQBR-3345 CVE-2019-9512 jetty: HTTP/2: flood using PING frames results in unbounded memory growth [amq-7.4.0]
ENTMQBR-3347 CVE-2019-9514 jetty: HTTP/2: flood using HEADERS frames results in unbounded memory growth [amq-7.4.0]
ENTMQBR-3348 CVE-2019-9515 jetty: HTTP/2: flood using SETTINGS frames results in unbounded memory growth [amq-7.4.0]
ENTMQBR-3349 CVE-2019-9516 jetty: HTTP/2: 0-length headers lead to denial of service [amq-7.4.0]
ENTMQBR-3350 CVE-2019-9517 jetty: HTTP/2: request for large response leads to denial of service [amq-7.4.0]
ENTMQBR-3351 CVE-2019-9518 jetty: HTTP/2: flood using empty frames results in excessive resource consumption [amq-7.4.0]



The following issues have been resolved in the AMQ 7.4.2 release:

ID Component Summary
ENTMQBR-522 Broker running on windows write problems with remove temp files when shutting down
ENTMQBR-2711 ServerSessionImpl cache does not clear names of deleted temporary destinations & there's no limit on producer target cache
ENTMQBR-2777 Marking a message as changed during expansion could lead to issues during AMQP to Core Conversion.
ENTMQBR-3073 OpenWire session close doesn't cleanup consumer refs
ENTMQBR-3090 Eliminate knownDestinations cache
ENTMQBR-3091 Editing AMQPMessages or Diverts will cause Message Body Loss and its side effects
ENTMQBR-3093 Cancelling pre-fetch buffer will break ordering with AMQP
ENTMQBR-3094 Add option to override InetAddress.isReachable() with purePing()
ENTMQBR-3095 CVE-2014-0114 Apache Struts 1: Class Loader manipulation via request parameters [amq-7.4.0]
ENTMQBR-3097 In multiple scale up/down scenario the broker will have lots of store_and_forward(sf) queues
ENTMQBR-3098 JDBC HA shared store does not take credentials from the jdbc-user and jdbc-password tags
ENTMQBR-3099 [AMQ7, openwire, nullpointer] Errors occurred during the buffering operation : java.lang.NullPointerException
ENTMQBR-3100 [AMQ 7.4, KQUEUE] Unable to check KQueue availability : java.lang.NoClassDefFoundError: io/netty/channel/kqueue/KQueue
ENTMQBR-3101 [artemis-jms-client] if connecting to a list, and if a node is off, initialConnectAttempts=-1 would retry forever once it tried a dead node
ENTMQBR-3102 java.lang.NullPointerException with message replication
ENTMQBR-3107 java.lang.OutOfMemoryError: Direct buffer memory
ENTMQBR-3108 [AMQ7, large messages] LargeMessage doesn't make a full copy of its props
ENTMQBR-3109 DuplicateIDCacheImpl leak
ENTMQBR-3111 AMQ broker does not clean the connection(MQTT) when the connection is broken
ENTMQBR-3112 [AMQ7, purge message, OutOfMemoryException] with a large queue size, removeAllMessages() takes a long time and eventually results in an OOM exception (if enough messages on the queue)
ENTMQBR-3113 Remote JMX server on slave shuts down during failback
ENTMQBR-3114 Qpid JMS client doesn't recover after a complete outage
ENTMQBR-3115 Messages greater than 50kb does not appear on the Hawtio AMQ browser
ENTMQBR-3116 Remove unsupported examples shipped with AMQ 7.3
ENTMQBR-3119 Attribute group-name ignored in replicated colocated configurations
ENTMQBR-3122 CVE-2014-0114 Apache Struts 1: Class Loader manipulation via request parameters [amq-7.4.0]
ENTMQBR-3123 Duplicate amqp messages over cluster
ENTMQBR-3125 Artemis responds with disposition Rejected if queue is full
ENTMQBR-3129 AMQ7 template yaml missing quotes



The following issues have been resolved in the AMQ 7.4.1 release:

ID Component Summary
ENTMQBR-2470 [AMQ7, openwire,redelivery] redelivery counter for message increasing, if consumer is closed without consuming any messages
ENTMQBR-2593 broker does not set message ID header on cross protocol consumption
ENTMQBR-2612 Consumer command, clientID is not saved during JMS exception
ENTMQBR-2624 HornetQ client issue while using JMSMessageID as selector
ENTMQBR-2631 Resource adapter getter should return wrapped objects and not primitive
ENTMQBR-2640 max-saved-replicated-journals-size=0 throws ArrayIndexOutOfBoundsException
ENTMQBR-2676 Negative Message Count and Delivering Count with camel-amqp client
ENTMQBR-2702 Broker unresponsive when many consumers have delayed and negative acknowledgement on the same address
ENTMQBR-2708 The subscribed topic is removed if reconnecting to messaging system with legacy-connection-factory
ENTMQBR-2719 Lost messages in scenario with a remote MDB and a long GC pause.
ENTMQBR-2720 Connection Timeout now blocks on the retry, it should be asynchronous
ENTMQBR-2730 Page Loss scenarios