Chapter 6. Fixed issues

The following sections list the issues fixed in AMQ Streams 2.5.x. Red Hat recommends that you upgrade to the latest patch release.

For details of the issues fixed in Kafka 3.5.0, refer to the Kafka 3.5.0 Release Notes.

6.1. Fixed issues for AMQ Streams 2.5.1

The AMQ Streams 2.5.1 patch release (Long Term Support) is now available.

KAFKA-15353

The 2.5.1 patch release includes a fix for KAFKA-15353, an issue that was fixed in the Kafka 3.5.2 release. Note that the patch release includes the fix for this specific issue only, not all of the issues fixed in Kafka 3.5.2.

For more information on the issue, see the Kafka 3.5.2 Release Notes.

HTTP/2 DoS vulnerability (CVE-2023-44487)

The release addresses CVE-2023-44487, a critical Denial of Service (DoS) vulnerability in the HTTP/2 protocol. The vulnerability stems from mishandling multiplexed streams: a malicious client repeatedly requests new streams and promptly cancels each one with an RST_STREAM frame. Because a cancelled stream no longer counts against the server-side limit on active streams per connection, the attacker forces the server to expend resources setting up and tearing down streams without ever reaching that limit. For more information on this vulnerability, see the CVE-2023-44487 page.
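The pattern described above lends itself to a simple per-connection heuristic of the kind an HTTP/2 proxy or intrusion detection sensor can apply: count the streams a client opens and how many of them it cancels itself. The following is an added example, not code from AMQ Streams or the Kafka project; the frame layout and type codes come from RFC 9113, while the 50-stream / 90 % thresholds and the sample traffic are assumptions constructed here.

```python
# Added example, not from the release notes: a minimal HTTP/2 frame parser and a
# per-connection "rapid reset" heuristic. Frame layout per RFC 9113 section 4.1;
# frame type and error codes are real, the thresholds below are assumptions.
HEADERS, DATA, RST_STREAM = 0x1, 0x0, 0x3
END_STREAM = 0x1  # DATA/HEADERS flag bit
CANCEL = 0x8      # RST_STREAM error code used to abandon a stream

def parse_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated trailing frame: stop instead of misreading it
        yield ftype, flags, stream_id, payload
        off += 9 + length

def build_frame(ftype: int, stream_id: int, payload: bytes = b"", flags: int = 0) -> bytes:
    """Serialise one frame; used here only to construct the sample traffic."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + stream_id.to_bytes(4, "big") + payload)

def stream_counts(client_frames: bytes):
    """Return (streams opened by the client, of those cancelled by the client).
    Assumes client_frames is the client-to-server half of one connection; client
    streams have odd identifiers, so server pushes are ignored."""
    opened, cancelled = set(), set()
    for ftype, _flags, sid, _payload in parse_frames(client_frames):
        if ftype == HEADERS and sid % 2 == 1:
            opened.add(sid)
        elif ftype == RST_STREAM and sid in opened:
            cancelled.add(sid)
    return len(opened), len(cancelled)

def is_rapid_reset(client_frames: bytes, min_streams: int = 50, ratio: float = 0.9) -> bool:
    """Flag a connection that opens many streams and cancels nearly all of them."""
    opened, cancelled = stream_counts(client_frames)
    return opened >= min_streams and cancelled / opened >= ratio

# Constructed samples: a normal client completes three requests (HPACK 0x82 0x84 =
# ":method GET", ":path /"), an abusive one opens 200 streams and cancels each one.
NORMAL = b"".join(build_frame(HEADERS, sid, b"\x82\x84", END_STREAM) for sid in (1, 3, 5))
ABUSIVE = b"".join(build_frame(HEADERS, sid, b"\x82\x84")
                   + build_frame(RST_STREAM, sid, CANCEL.to_bytes(4, "big"))
                   for sid in range(1, 400, 2))

if __name__ == "__main__":
    print(stream_counts(NORMAL), is_rapid_reset(NORMAL))    # (3, 0) False
    print(stream_counts(ABUSIVE), is_rapid_reset(ABUSIVE))  # (200, 200) True
```

In a real deployment the counts would be kept per connection over a sliding time window, which is also how patched HTTP/2 servers bound the rate of client-initiated resets.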

For additional details about the issues resolved in AMQ Streams 2.5.1, see AMQ Streams 2.5.x Resolved Issues.

6.2. Fixed issues for AMQ Streams 2.5.0

Table 6.1. Fixed issues

| Issue Number | Description |
|---|---|
| ENTMQST-3757 | [KAFKA] Mirror Maker 2 negative lag |
| ENTMQST-4496 | [BRIDGE] Logged HTTP response status code could be different from the actual one returned to the client |
| ENTMQST-4707 | Make connector task backoff configurable in Kafka Connect |

Table 6.2. Fixed common vulnerabilities and exposures (CVEs)

| Issue Number | Description |
|---|---|
| ENTMQST-4484 | snakeyaml: Constructor Deserialization Remote Code Execution |
| ENTMQST-4995 | TRIAGE-CVE-2023-34454 snappy-java-repolib: snappy-java: Integer overflow in compress leads to DoS |
| ENTMQST-4996 | TRIAGE-CVE-2023-34454 snappy-java-debuginfo: snappy-java: Integer overflow in compress leads to DoS |
| ENTMQST-4997 | TRIAGE-CVE-2023-34454 snappy-java: Integer overflow in compress leads to DoS |
| ENTMQST-4998 | TRIAGE-CVE-2023-34455 snappy-java: Unchecked chunk length leads to DoS |
| ENTMQST-5120 | CVE-2023-34462 Flaw in Netty’s SniHandler while navigating TLS handshake; DoS |
| ENTMQST-5121 | CVE-2023-0482 RESTEasy: creation of insecure temp files |
| ENTMQST-5122 | CVE-2022-24823 netty: world readable temporary file containing sensitive data |
| ENTMQST-5123 | CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn’t restrict chunk length and may buffer skippable chunks in an unnecessary way |
| ENTMQST-5124 | CVE-2021-37136 netty-codec: Bzip2Decoder doesn’t allow setting size restrictions for decompressed data |
| ENTMQST-5125 | CVE-2023-3635 DoS of the Okio client when handling a crafted GZIP archive |
| ENTMQST-5126 | CVE-2023-26048 Jetty servlets with multipart support may cause OOM error with client requests |
| ENTMQST-5127 | CVE-2023-26049 Non-standard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies |
| ENTMQST-5128 | CVE-2022-36944 scala: deserialization gadget chain |
| ENTMQST-5134 | TRIAGE-CVE-2023-3635 okio: GzipSource class improper exception handling |
| ENTMQST-5178 | CVE-2023-26048 jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() |
| ENTMQST-5179 | CVE-2023-26049 jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies |