Chapter 6. Fixed issues

The issues fixed in AMQ Streams 1.8 are shown in the following table. For details of the issues fixed in Kafka 2.8.0, refer to the Kafka 2.8.0 Release Notes.

Issue NumberDescription

ENTMQST-1529

FileStreamSourceConnector stops when using a large file.

ENTMQST-2359

Kafka Bridge does not handle assignment and subscription.

ENTMQST-2453

The kafka-exporter pod restarts for no reason.

ENTMQST-2459

Running Kafka Exporter leads to high CPU usage.

ENTMQST-2511

Fine tune the health checks to stop Kafka Exporter restarting during rolling updates.

ENTMQST-2777

ENTMQST-2777 Custom Bridge labels are not set when the service template is not specified.

ENTMQST-2974

Changing the log level for Kafka Connect connectors only works temporarily.

Table 6.1. Fixed common vulnerabilities and exposures (CVEs)

Issue NumberDescription

ENTMQST-1934

CVE-2020-9488 log4j: improper validation of certificate with host mismatch in SMTP appender [amq-st-1].

ENTMQST-2613

CVE-2020-13949 libthrift: potential DoS when processing untrusted payloads [amq-st-1].

ENTMQST-2617

CVE-2021-21290 netty: Information disclosure via the local system temporary directory [amq-st-1].

ENTMQST-2647

CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation [amq-st-1].

ENTMQST-2663

CVE-2021-27568 json-smart: uncaught exception may lead to crash or information disclosure [amq-st-1].

ENTMQST-2711

ENTMQST-2711 CVE-2021-21409 netty: Request smuggling via content-length header [amq-st-1].

ENTMQST-2821

CVE-2021-28168 jersey-common: jersey: Local information disclosure via system temporary directory [amq-st-1].

ENTMQST-2867

CVE-2021-29425 commons-io: apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6 [amq-st-1].

ENTMQST-2908

ENTMQST-2908 CVE-2021-28165 jetty-server: jetty: Resource exhaustion when receiving an invalid large TLS frame [amq-st-1].

ENTMQST-2909

CVE-2021-28164 jetty-server: jetty: Ambiguous paths can access WEB-INF [amq-st-1].

ENTMQST-2910

CVE-2021-28163 jetty-server: jetty: Symlink directory exposes webapp directory contents [amq-st-1].

ENTMQST-2980

CVE-2021-28169 jetty-server: jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory [amq-st-1].

ENTMQST-3023

CVE-2021-34428 jetty-server: jetty: SessionListener can prevent a session from being invalidated breaking logout [amq-st-1].