Chapter 6. Fixed issues

The following sections list the issues fixed in AMQ Streams 2.5.x. Red Hat recommends that you upgrade to the latest patch release.

For details of the issues fixed in Kafka 3.5.0, refer to the Kafka 3.5.0 Release Notes.

6.1. Fixed issues for AMQ Streams 2.5.1

The AMQ Streams 2.5.1 patch release (Long Term Support) is now available.

The 2.5.1 patch release includes a fix for KAFKA-15353, an issue that was also fixed in the Kafka 3.5.2 release. Note that the patch release includes the fix for this specific issue only, not all of the issues fixed in Kafka 3.5.2.

For more information on the issue, see the Kafka 3.5.2 Release Notes.

HTTP/2 DoS vulnerability (CVE-2023-44487)

The release addresses CVE-2023-44487, a critical Denial of Service (DoS) vulnerability in the HTTP/2 protocol. The vulnerability stems from mishandling of multiplexed streams: a malicious client can repeatedly request new streams and promptly cancel each one with an RST_STREAM frame. Because every cancelled stream is removed from the count of active streams, the server expends resources setting up and tearing down streams without ever reaching the server-side limit for active streams per connection. For more information on this vulnerability, see the CVE-2023-44487 page.
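As an added illustration (not code from the AMQ Streams documentation or project), the following Python model shows why the per-connection active-stream limit described above never triggers against this open-and-cancel pattern, and how counting RST_STREAM frames per time window, the mitigation affected servers adopted, does. The guard class, its thresholds and the replayed frame lists are constructed for this example.

```python
from collections import deque


class Http2ConnectionGuard:
    """Per-connection HTTP/2 stream bookkeeping (simplified model).

    The reset-rate guard models the mitigation for CVE-2023-44487: a stream
    opened and cancelled at once never hits the concurrency limit, so only
    the rate of RST_STREAM frames reveals the abuse."""

    def __init__(self, max_concurrent_streams=100, max_resets=50, window=1.0):
        self.max_concurrent_streams = max_concurrent_streams  # SETTINGS_MAX_CONCURRENT_STREAMS
        self.max_resets, self.window = max_resets, window      # window in seconds
        self.active = set()
        self.reset_times = deque()
        self.peak_active = 0
        self.closed_reason = None  # set when the server would send GOAWAY

    def on_headers(self, stream_id):
        """Client opened a stream with a HEADERS frame."""
        if len(self.active) >= self.max_concurrent_streams:
            self.closed_reason = "max_concurrent_streams exceeded"
            return False
        self.active.add(stream_id)
        self.peak_active = max(self.peak_active, len(self.active))
        return True

    def on_rst_stream(self, stream_id, now):
        """Client cancelled a stream with RST_STREAM at time `now` (seconds)."""
        self.active.discard(stream_id)  # the stream no longer counts as active
        self.reset_times.append(now)
        while now - self.reset_times[0] > self.window:  # drop resets outside the window
            self.reset_times.popleft()
        if len(self.reset_times) > self.max_resets:
            self.closed_reason = "rst_stream rate exceeded"
            return False
        return True


def replay(frames, **limits):
    """Feed (kind, stream_id, time) frames to a guard; stop at the first rejection."""
    guard = Http2ConnectionGuard(**limits)
    for kind, stream_id, t in frames:
        ok = guard.on_headers(stream_id) if kind == "HEADERS" else guard.on_rst_stream(stream_id, t)
        if not ok:
            break
    return guard.peak_active, guard.closed_reason


# Constructed traffic: 200 streams each opened and cancelled at once, all within 0.2 s.
RAPID_RESET = [f for i in range(1, 401, 2)
               for f in (("HEADERS", i, i * 0.0005), ("RST_STREAM", i, i * 0.0005))]
# Constructed traffic: 20 streams opened over 2 s, 5 of them cancelled afterwards.
NORMAL = ([("HEADERS", i, i * 0.05) for i in range(1, 41, 2)]
          + [("RST_STREAM", i, 2.0 + i * 0.01) for i in range(1, 11, 2)])
```

Replaying RAPID_RESET never raises the active-stream count above 1, so a concurrency limit alone would pass it; the reset-rate guard closes the connection after the 51st cancellation, while NORMAL passes both checks.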

For additional details about the issues resolved in AMQ Streams 2.5.1, see AMQ Streams 2.5.x Resolved Issues.

6.2. Fixed issues for AMQ Streams 2.5.0

Table 6.1. Fixed issues

| Issue Number | Description |
| --- | --- |
| | [KAFKA] Mirror Maker 2 negative lag |
| | [BRIDGE] Logged HTTP response status code could be different from the actual one returned to the client |
| | Make connector task backoff configurable in Kafka Connect |

Table 6.2. Fixed common vulnerabilities and exposures (CVEs)

| Issue Number | Description |
| --- | --- |
| | snakeyaml: Constructor Deserialization Remote Code Execution |
| | TRIAGE-CVE-2023-34454 snappy-java-repolib: snappy-java: Integer overflow in compress leads to DoS |
| | TRIAGE-CVE-2023-34454 snappy-java-debuginfo: snappy-java: Integer overflow in compress leads to DoS |
| | TRIAGE-CVE-2023-34454 snappy-java: Integer overflow in compress leads to DoS |
| | TRIAGE-CVE-2023-34455 snappy-java: Unchecked chunk length leads to DoS |
| | CVE-2023-34462 Flaw in Netty’s SniHandler while navigating TLS handshake; DoS |
| | CVE-2023-0482 RESTEasy: creation of insecure temp files |
| | CVE-2022-24823 netty: world readable temporary file containing sensitive data |
| | CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn’t restrict chunk length and may buffer skippable chunks in an unnecessary way |
| | CVE-2021-37136 netty-codec: Bzip2Decoder doesn’t allow setting size restrictions for decompressed data |
| | CVE-2023-3635 DoS of the Okio client when handling a crafted GZIP archive |
| | CVE-2023-26048 Jetty servlets with multipart support may cause OOM error with client requests |
| | CVE-2023-26049 Non-standard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies |
| | CVE-2022-36944 scala: deserialization gadget chain |
| | TRIAGE-CVE-2023-3635 okio: GzipSource class improper exception handling |
| | CVE-2023-26048 jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() |
| | CVE-2023-26049 jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies |