Chapter 7. Known issues
This section lists the known issues for AMQ Streams 1.8.
7.1. SMTP appender for log4j
AMQ Streams ships with a potentially vulnerable version of log4j (log4j-1.2.17.redhat-3). The vulnerability lies with the SMTP appender functionality, which is not used by AMQ Streams in its default configuration.
Table 7.1. CVE issue
Issue Number | Description |
---|---|
CVE-2020-9488 | log4j: improper validation of certificate with host mismatch in SMTP appender [amq-st-1]. |
Workaround
If you are using the SMTP appender, ensure that mail.smtp.ssl.checkserveridentity is set to true.
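To check whether a deployment needs this workaround, the following added example (not part of the AMQ Streams documentation) audits a log4j 1.x properties file for an SMTP appender that a logger actually references, then looks for the property among the JVM arguments. It assumes the property is supplied as a -D system property; the sample configuration, host name, status strings and function names are constructed for illustration.

```python
import re

SMTP_CLASS = "org.apache.log4j.net.SMTPAppender"
CHECK_PROP = "mail.smtp.ssl.checkserveridentity"

# Constructed sample: log4j 1.x properties with an SMTP appender attached.
SAMPLE = """\
log4j.rootLogger=INFO, CONSOLE, EMAIL
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.EMAIL=org.apache.log4j.net.SMTPAppender
log4j.appender.EMAIL.SMTPHost=smtp.example.com
"""

def parse_properties(text):
    """Parse the plain key=value subset of .properties syntax."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def active_smtp_appenders(props):
    """Names of SMTP appenders that a root or named logger references."""
    defined = {m.group(1) for k, v in props.items()
               if (m := re.fullmatch(r"log4j\.appender\.([^.]+)", k)) and v == SMTP_CLASS}
    attached = set()
    for key, value in props.items():
        if re.match(r"log4j\.(rootLogger|rootCategory|logger\.|category\.)", key):
            # Value format: "[level], appender1, appender2, ..."
            attached.update(name.strip() for name in value.split(",")[1:])
    return sorted(defined & attached)

def identity_check_enabled(jvm_args):
    """Assumption: the property reaches the JVM as a -D system property."""
    values = [a.split("=", 1)[1] for a in jvm_args if a.startswith(f"-D{CHECK_PROP}=")]
    # Assume the last occurrence on the command line is the effective one.
    return bool(values) and values[-1].strip().lower() == "true"

def audit(log4j_text, jvm_args):
    """Return (status, appender_names) for the workaround above."""
    names = active_smtp_appenders(parse_properties(log4j_text))
    if not names:
        return "unused", names
    return ("mitigated" if identity_check_enabled(jvm_args) else "action-required"), names

if __name__ == "__main__":
    print(audit(SAMPLE, []))
```

An appender that is defined but not referenced by any logger is reported as unused, which matches the default configuration described above.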
7.2. AMQ Streams Cluster Operator on IPv6 clusters
The AMQ Streams Cluster Operator does not start on Internet Protocol version 6 (IPv6) clusters.
Workaround
There are two workarounds for this issue.
Workaround one: Set the KUBERNETES_MASTER environment variable
Display the address of the Kubernetes master node of your OpenShift Container Platform cluster:
oc cluster-info
Kubernetes master is running at MASTER-ADDRESS
# ...
Copy the address of the master node.
List all Operator subscriptions:
oc get subs -n OPERATOR-NAMESPACE
Edit the Subscription resource for AMQ Streams:
oc edit sub amq-streams -n OPERATOR-NAMESPACE
In spec.config.env, add the KUBERNETES_MASTER environment variable, set to the address of the Kubernetes master node. For example:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: amq-streams
  namespace: OPERATOR-NAMESPACE
spec:
  channel: amq-streams-1.8.x
  installPlanApproval: Automatic
  name: amq-streams
  source: mirror-amq-streams
  sourceNamespace: openshift-marketplace
  config:
    env:
    - name: KUBERNETES_MASTER
      value: MASTER-ADDRESS
Save and exit the editor.
Check that the Subscription was updated:
oc get sub amq-streams -n OPERATOR-NAMESPACE
Check that the Cluster Operator Deployment was updated to use the new environment variable:
oc get deployment CLUSTER-OPERATOR-DEPLOYMENT-NAME
Workaround two: Disable hostname verification
List all Operator subscriptions:
oc get subs -n OPERATOR-NAMESPACE
Edit the Subscription resource for AMQ Streams:
oc edit sub amq-streams -n OPERATOR-NAMESPACE
In spec.config.env, add the KUBERNETES_DISABLE_HOSTNAME_VERIFICATION environment variable, set to true. For example:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: amq-streams
  namespace: OPERATOR-NAMESPACE
spec:
  channel: amq-streams-1.8.x
  installPlanApproval: Automatic
  name: amq-streams
  source: mirror-amq-streams
  sourceNamespace: openshift-marketplace
  config:
    env:
    - name: KUBERNETES_DISABLE_HOSTNAME_VERIFICATION
      value: "true"
Save and exit the editor.
Check that the Subscription was updated:
oc get sub amq-streams -n OPERATOR-NAMESPACE
Check that the Cluster Operator Deployment was updated to use the new environment variable:
oc get deployment CLUSTER-OPERATOR-DEPLOYMENT-NAME