AMQ 7 - 7.4.x Resolved Issues

The AMQ 7.4.5 release is now available for download from the Customer Support Portal. AMQ 7.4.5 is a patch release for AMQ 7.4.0 and can be applied as a patch to an existing broker instance or used to create new broker instances. Note that AMQ 7 patches are cumulative and include fixes from previous patch releases, as noted below.

The following issues have been resolved in the AMQ 7.4.5 release:

ID Component Summary
ENTMQBR-3953 [LTS] Wrong formatting Strings in class LoggingResultSet
ENTMQBR-3951 [LTS] [JDBC-STORE] Adding index on txId
ENTMQBR-3950 [LTS] JDBC store query append-to-file not correct for mysql
ENTMQBR-3949 [LTS] DB2 isn't replacing Blob data
ENTMQBR-3869 [LTS] CVE-2015-5183 Hawtio: HTTPOnly and Secure attributes not set on cookies [amq-7]
ENTMQBR-3866 [LTS] different "audit logging message" between openwire & amqp protocol
ENTMQBR-3865 [LTS] Enabling group rebalancing with default / non-zero consumer-window-size can lead to out-of-order message consumption
ENTMQBR-3864 [LTS] Potential deadlock when destroying a queue and depaging concurrently
ENTMQBR-3863 [LTS] Configuration-managed queues are being auto deleted
ENTMQBR-3862 [LTS] LegacyLDAPSecuritySettingPlugin allows new user to access any newly created destinations
ENTMQBR-3861 [LTS] JDBC XML config can't use custom password codec
ENTMQBR-3860 [LTS] JVM property hawtio.role doesn't parse a role with space and hyphen
ENTMQBR-3859 [LTS] LVQ + non-destructive not delivering message to existing consumer
ENTMQBR-3858 [LTS] Prometheus shows inconsistent figures in master-slave, shared-store configuration
ENTMQBR-3857 [LTS] Met NPE when trying to export the messages
ENTMQBR-3856 [LTS] Null pointer exception on queue update
ENTMQBR-3855 [LTS] [EAP - postgresql115] java.sql.SQLException: Couldn't access org.postgresql.largeobject.LargeObject
ENTMQBR-3817 [LTS] The createSession() method throws java.lang.NullPointerException
ENTMQBR-3816 [LTS] MDB Durable Subscriber error in AMQ 7
ENTMQBR-3815 [LTS] Activation failure can result in zombie broker
ENTMQBR-3803 [LTS] Backup broker cannot reestablish connection with its master
ENTMQBR-3799 [LTS] AMQ broker creating consumers with destroyed sessions
ENTMQBR-3783 [LTS] page-max-concurrent-io cannot be disabled
ENTMQBR-3728 [LTS] ARTEMIS-2835 - Fix new connection establishment after failure during failover / Adding proper log message to SharedNothingLiveActivation.isNodeIdUsed
ENTMQBR-3725 [LTS] Porting ENTMQBR-3516
ENTMQBR-3138 CVE-2019-9827 hawtio: server side request forgery via initial /proxy/ substring of a URI [amq-7.4.0]

The following issues have been resolved in the AMQ 7.4.4 release:

ENTMQBR-2580 [AMQ7, message expiry, auto-delete] auto-created queue may not be auto-deleted when messages expire
ENTMQBR-3213 Failback does not work master/slave cluster using NFS shared store
ENTMQBR-3275 Regression: Backup doesn't activate after shared store is reconnected
ENTMQBR-3309 NMS / Openwire Client Runs Out of Credits Even though Broker Shows All Messages Acked
ENTMQBR-3381 [ARTEMIS-2665] AMQP Shared Non Durable queues are not being created same as CORE
ENTMQBR-3402 CVE-2020-1953 commons-configuration2: apache-commons-configuration: uncontrolled class instantiation when loading YAML files [amq-7.4.0]
ENTMQBR-3428 [AMQ7, AMQP, Openwire] issue consuming amqp message using openwire consumer
ENTMQBR-3431 CVE-2020-11612 netty: compression/decompression codecs don't enforce limits on buffer allocation sizes [amq-7-LTS]
ENTMQBR-3435 [LTS] resetUsers operation stores password in plain text
ENTMQBR-3437 AMQP consumption stalls during high message throughput
ENTMQBR-3438 OpenWire consumption stalls during high message throughput
ENTMQBR-3481 [LTS] Incorrect Behavior when verifyHost is Configured on Acceptor
ENTMQBR-3488 resetUsers operation stores password in plain text
ENTMQBR-3489 [LTS] JMX/Jolokia addSecuritySettings - permissions are not processed until broker restart
ENTMQBR-3505 [LTS] AMQ224000: Failure in initialisation: java.lang.IllegalStateException: The conversion from timestamp to TIMESTAMP is unsupported.
ENTMQBR-3522 CVE-2020-10727 broker: resetUsers operation stores password in plain text [amq-7-LTS]
ENTMQBR-3559 Don't delete auto created queues when FORCE is used for configuration changes
ENTMQBR-3565 [LTS] Openwire Temporary Queues may not work if you change wildcard settings
ENTMQBR-3570 [AMQ 7.2, shared store, scale down] NullPointer exception when slave activates and tries to scale down
ENTMQBR-3572 In jolokia-access.xml, allowing a remote access using FQDN doesn't work.
ENTMQBR-3574 [AMQ7, AMQP, Openwire] issue consuming amqp message using openwire consumer
ENTMQBR-3592 killing (kill -9) AMQ causes tmp space usage to increase - webapp folders are not removed
ENTMQBR-3623 [LTS] io.netty.util.internal.OutOfDirectMemoryError during uncompress
ENTMQBR-3630 human-readable timestamp in hawtio is incorrect
ENTMQBR-3634 OpenWire producerId leak in session state
ENTMQBR-3636 The names returned by AddressControl.getQueueNames() also include remote forward queue
ENTMQBR-3637 Default network pinger command uses -t argument for timeout
ENTMQBR-3638 [AMQ7 Examples] Readme file is missing from all the examples
ENTMQBR-3639 [LTS] Broker logs "quorum" messages even when there is no cluster
ENTMQBR-3680 CVE-2018-15756 springframework: DoS Attack via Range Requests [amq-7.3.0]
ENTMQBR-3688 SIGSEGV in libaio when running RHEL 7.8
ENTMQBR-3691 Metrics exporter switches address and queue name
ENTMQBR-3694 Avoid notifications when shutting down on critical IO error
ENTMQBR-3776 CVE-2020-1953 commons-configuration2: apache-commons-configuration: uncontrolled class instantiation when loading YAML files [amq-7-LTS]

The following issues have been resolved in the AMQ 7.4.3 release:

ENTMQBR-2456 CVE-2018-10899 jolokia-core: jolokia: system-wide CSRF that could lead to Remote Code Execution [amq-7.2.4]
ENTMQBR-2706 ARTEMIS-2176 - Repeating WARN log message "Notified of connection failure" after every xa recovery when read-timeout is configured with a smaller value than default client-failure-check-period (30 seconds)
ENTMQBR-2906 Upgrade Jetty to fix CVEs related to version 9.4.3.v20170317 [amq-7.4.0]
ENTMQBR-2981 CVE-2019-16869 netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers [amq-7.4.0]
ENTMQBR-3151 CVE-2019-0222 mqtt-client: activemq: Corrupt MQTT frame can cause broker shutdown [amq-7.4.0]
ENTMQBR-3157 CVE-2019-10241 jetty: using specially formatted URL against DefaultServlet or ResourceHandler leads to XSS conditions [amq-7.4.0]
ENTMQBR-3158 CVE-2019-10247 jetty: error path information disclosure [amq-7.4.0]
ENTMQBR-3159 Jetty CVEs
ENTMQBR-3226 CVE-2020-7238 netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling [amq-7.4.0]
ENTMQBR-3227 LTS: Memory Leak when Opening and Closing AMQP Consumers in the Same Session / Context
ENTMQBR-3243 CVE-2019-20445 netty: allows Content-Length header to be accompanied by second Content-Length header [amq-7.4.0]
ENTMQBR-3244 CVE-2019-20444 netty: HTTP request smuggling [amq-7.4.0]
ENTMQBR-3257 LTS: AMQ119217: Cant write to closed file: {0}
ENTMQBR-3258 [amqp] when receiver client connects without source being set, broker prints NPE
ENTMQBR-3259 CVE-2012-6708 vulnerability in jQuery
ENTMQBR-3260 AMQ Hawtio : Could not retrieve queue list. Wrong MBean selected.
ENTMQBR-3261 AMQ broker does not clean the connection(MQTT) when the connection is broken
ENTMQBR-3263 Improper Quoting in Generated artemis.profile File - Causing Start Failures in Some Environments
ENTMQBR-3264 broker rejects reconnect on broker stop/start
ENTMQBR-3267 Large message's copy may be interfered by other threads
ENTMQBR-3282 server-side AMQP interceptor returns false, but message is still enqueued
ENTMQBR-3344 CVE-2019-9511 jetty: HTTP/2: large amount of data requests leads to denial of service [amq-7.4.0]
ENTMQBR-3345 CVE-2019-9512 jetty: HTTP/2: flood using PING frames results in unbounded memory growth [amq-7.4.0]
ENTMQBR-3347 CVE-2019-9514 jetty: HTTP/2: flood using HEADERS frames results in unbounded memory growth [amq-7.4.0]
ENTMQBR-3348 CVE-2019-9515 jetty: HTTP/2: flood using SETTINGS frames results in unbounded memory growth [amq-7.4.0]
ENTMQBR-3349 CVE-2019-9516 jetty: HTTP/2: 0-length headers lead to denial of service [amq-7.4.0]
ENTMQBR-3350 CVE-2019-9517 jetty: HTTP/2: request for large response leads to denial of service [amq-7.4.0]
ENTMQBR-3351 CVE-2019-9518 jetty: HTTP/2: flood using empty frames results in excessive resource consumption [amq-7.4.0]

The following issues have been resolved in the AMQ 7.4.2 release:

ENTMQBR-522 Broker running on windows write problems with remove temp files when shutting down
ENTMQBR-2711 ServerSessionImpl cache does not clear names of deleted temporary destinations & there's no limit on producer target cache
ENTMQBR-2777 Marking a message as changed during expansion could lead to issues during AMQP to Core Conversion.
ENTMQBR-3073 OpenWire session close doesn't cleanup consumer refs
ENTMQBR-3090 Eliminate knownDestinations cache
ENTMQBR-3091 Editing AMQPMessages or Diverts will cause Message Body Loss and its side effects
ENTMQBR-3093 Cancelling pre-fetch buffer will break ordering with AMQP
ENTMQBR-3094 Add option to override InetAddress.isReachable() with purePing()
ENTMQBR-3095 CVE-2014-0114 Apache Struts 1: Class Loader manipulation via request parameters [amq-7.4.0]
ENTMQBR-3097 In multiple scale up/down scenario the broker will have lots of store_and_forward(sf) queues
ENTMQBR-3098 JDBC HA shared store does not take credentials from the jdbc-user and jdbc-password tags
ENTMQBR-3099 [AMQ7, openwire, nullpointer] Errors occurred during the buffering operation : java.lang.NullPointerException
ENTMQBR-3100 [AMQ 7.4, KQUEUE] Unable to check KQueue availability : java.lang.NoClassDefFoundError: io/netty/channel/kqueue/KQueue
ENTMQBR-3101 [artemis-jms-client] if connecting to a list, and if a node is off, initialConnectAttempts=-1 would retry forever once it tried a dead node
ENTMQBR-3102 java.lang.NullPointerException with message replication
ENTMQBR-3107 java.lang.OutOfMemoryError: Direct buffer memory
ENTMQBR-3108 [AMQ7, large messages] LargeMessage doesn't make a full copy of its props
ENTMQBR-3109 DuplicateIDCacheImpl leak
ENTMQBR-3111 AMQ broker does not clean the connection(MQTT) when the connection is broken
ENTMQBR-3112 [AMQ7, purge message, OutOfMemoryException] with a large queue size, removeAllMessages() takes a long time and eventually results in an OOM exception (if enough messages on the queue)
ENTMQBR-3113 Remote JMX server on slave shuts down during failback
ENTMQBR-3114 Qpid JMS client doesn't recover after a complete outage
ENTMQBR-3115 Messages greater than 50kb do not appear on the Hawtio AMQ browser
ENTMQBR-3116 Remove unsupported examples shipped with AMQ 7.3
ENTMQBR-3119 Attribute group-name ignored in replicated colocated configurations
ENTMQBR-3122 CVE-2014-0114 Apache Struts 1: Class Loader manipulation via request parameters [amq-7.4.0]
ENTMQBR-3123 Duplicate amqp messages over cluster
ENTMQBR-3125 Artemis responds with disposition Rejected if queue is full
ENTMQBR-3129 AMQ7 template yaml missing quotes

The following issues have been resolved in the AMQ 7.4.1 release:

ENTMQBR-2470 [AMQ7, openwire,redelivery] redelivery counter for message increasing, if consumer is closed without consuming any messages
ENTMQBR-2593 broker does not set message ID header on cross protocol consumption
ENTMQBR-2612 Consumer command, clientID is not saved during JMS exception
ENTMQBR-2624 HornetQ client issue while using JMSMessageID as selector
ENTMQBR-2631 Resource adapter getter should return wrapped objects and not primitive
ENTMQBR-2640 max-saved-replicated-journals-size=0 throws ArrayIndexOutOfBoundsException
ENTMQBR-2676 Negative Message Count and Delivering Count with camel-amqp client
ENTMQBR-2702 Broker unresponsive when many consumers have delayed and negative acknowledgement on the same address
ENTMQBR-2708 The subscribed topic is removed if reconnecting to messaging system with legacy-connection-factory
ENTMQBR-2719 Lost messages in scenario with a remote MDB and a long GC pause.
ENTMQBR-2720 Connection Timeout now blocks on the retry, it should be asynchronous
ENTMQBR-2730 Page Loss scenarios