Chapter 7. Known issues

This section lists the known issues for AMQ Streams 1.8.

7.1. SMTP appender for log4j

AMQ Streams ships with a potentially vulnerable version of log4j (log4j-1.2.17.redhat-3). The vulnerability lies with the SMTP appender functionality, which is not used by AMQ Streams in its default configuration.

Table 7.1. CVE issue

Issue NumberDescription

ENTMQST-1934

CVE-2020-9488 log4j: improper validation of certificate with host mismatch in SMTP appender [amq-st-1].

Workaround

If you are using the SMTP appender, ensure that mail.smtp.ssl.checkserveridentity is set to true.

7.2. AMQ Streams Cluster Operator on IPv6 clusters

The AMQ Streams Cluster Operator does not start on Internet Protocol version 6 (IPv6) clusters.

Workaround

There are two workarounds for this issue.

Workaround one: Set the KUBERNETES_MASTER environment variable

  1. Display the address of the Kubernetes master node of your OpenShift Container Platform cluster: 

    oc cluster-info
Kubernetes master is running at MASTER-ADDRESS
# ...

    Copy the address of the master node.

  2. List all Operator subscriptions: 

    oc get subs -n OPERATOR-NAMESPACE

  3. Edit the Subscription resource for AMQ Streams: 

    oc edit sub amq-streams -n OPERATOR_NAMESPACE

  4. In spec.config.env, add the KUBERNETES_MASTER environment variable, set to the address of the Kubernetes master node. For example: 

    apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: amq-streams
  namespace: OPERATOR-NAMESPACE
spec:
  channel: amq-streams-1.8.x
  installPlanApproval: Automatic
  name: amq-streams
  source: mirror-amq-streams
  sourceNamespace: openshift-marketplace
  config:
    env:
    - name: KUBERNETES_MASTER
      value: MASTER-ADDRESS
  5. Save and exit the editor.

  6. Check that the Subscription was updated: 

    oc get sub amq-streams -n OPERATOR-NAMESPACE

  7. Check that the Cluster Operator Deployment was updated to use the new environment variable: 

    oc get deployment CLUSTER-OPERATOR-DEPLOYMENT-NAME

Workaround two: Disable hostname verification

  1. List all Operator subscriptions: 

    oc get subs -n OPERATOR-NAMESPACE

  2. Edit the Subscription resource for AMQ Streams: 

    oc edit sub amq-streams -n OPERATOR_NAMESPACE

  3. In spec.config.env, add the KUBERNETES_DISABLE_HOSTNAME_VERIFICATION environment variable, set to true. For example: 

    apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: amq-streams
  namespace: OPERATOR-NAMESPACE
spec:
  channel: amq-streams-1.8.x
  installPlanApproval: Automatic
  name: amq-streams
  source: mirror-amq-streams
  sourceNamespace: openshift-marketplace
  config:
    env:
    - name: KUBERNETES_DISABLE_HOSTNAME_VERIFICATION
      value: "true"
  4. Save and exit the editor.

  5. Check that the Subscription was updated: 

    oc get sub amq-streams -n OPERATOR-NAMESPACE

  6. Check that the Cluster Operator Deployment was updated to use the new environment variable: 

    oc get deployment CLUSTER-OPERATOR-DEPLOYMENT-NAME