Chapter 6. Fixed issues
The following sections list the issues fixed in AMQ Streams 1.8.x. Red Hat recommends that you upgrade to the latest patch release.
For details of the issues fixed in Kafka 2.8.0, refer to the Kafka 2.8.0 Release Notes.
6.1. Fixed issues for AMQ Streams 1.8.4
The AMQ Streams 1.8.4 patch release is now available.
The AMQ Streams product images have been upgraded to version 1.8.4.
For additional details about the issues resolved in AMQ Streams 1.8.4, see AMQ Streams 1.8.x Resolved Issues.
Log4j2 vulnerability
The 1.8.4 release fixes a remote code execution vulnerability in the AMQ Streams components that use log4j2. If the server logs a string value that comes from an untrusted source, log4j2 resolves lookup expressions such as a JNDI lookup embedded in that string, which can allow remote code execution on the server. The vulnerability affects log4j versions 2.0 through 2.14.1.
For more information, see CVE-2021-44228.
6.2. Fixed issues for AMQ Streams 1.8.0
Issue Number | Description
---|---
 | FileStreamSourceConnector stops when using a large file.
 | Kafka Bridge does not handle assignment and subscription.
 | The
 | Running Kafka Exporter leads to high CPU usage.
 | Fine-tune the health checks to stop Kafka Exporter restarting during rolling updates.
ENTMQST-2777 | Custom Bridge labels are not set when the service template is not specified.
 | Changing the log level for Kafka Connect connectors only works temporarily.
Table 6.1. Fixed common vulnerabilities and exposures (CVEs)
Issue Number | Description
---|---
 | CVE-2020-9488 log4j: improper validation of certificate with host mismatch in SMTP appender [amq-st-1].
 | CVE-2020-13949 libthrift: potential DoS when processing untrusted payloads [amq-st-1].
 | CVE-2021-21290 netty: Information disclosure via the local system temporary directory [amq-st-1].
 | CVE-2021-21295 netty: possible request smuggling in HTTP/2 due to missing validation [amq-st-1].
 | CVE-2021-27568 json-smart: uncaught exception may lead to crash or information disclosure [amq-st-1].
ENTMQST-2711 | CVE-2021-21409 netty: Request smuggling via content-length header [amq-st-1].
 | CVE-2021-28168 jersey-common: jersey: Local information disclosure via system temporary directory [amq-st-1].
 | CVE-2021-29425 commons-io: apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6 [amq-st-1].
ENTMQST-2908 | CVE-2021-28165 jetty-server: jetty: Resource exhaustion when receiving an invalid large TLS frame [amq-st-1].
 | CVE-2021-28164 jetty-server: jetty: Ambiguous paths can access WEB-INF [amq-st-1].
 | CVE-2021-28163 jetty-server: jetty: Symlink directory exposes webapp directory contents [amq-st-1].
 | CVE-2021-28169 jetty-server: jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory [amq-st-1].
 | CVE-2021-34428 jetty-server: jetty: SessionListener can prevent a session from being invalidated, breaking logout [amq-st-1].