AMQ 7 - 7.4.x Resolved Issues
Updated -
The AMQ Broker 7.4.6 release is now available for download from the Customer Support Portal. AMQ Broker 7.4.6 is a patch release for AMQ Broker 7.4.0 and can be applied as a patch to an existing broker instance or can be used to create new broker instances. Note, AMQ Broker patches are cumulative and include fixes from previous patch releases as noted below.
The following issues have been resolved in the AMQ 7.4.6 release:
| ID | Component | Summary |
|---|---|---|
| ENTMQBR-3707 | CVE-2020-13932 mqtt-client: activemq: remote XSS in web console diagram plugin [amq-7.4.0] | |
| ENTMQBR-3923 | [LTS] AMQ 7.7 concurrent jolokia operations can incorrectly update artemis-roles.properties or artemis-users.properties | |
| ENTMQBR-3972 | [LTS][ARTEMIS-2910] consider routing type annotations during node auto-creation for AMQP anonymous producers | |
| ENTMQBR-4022 | [LTS] Temporary Queue Leak With OpenWire Request-Reply Clients | |
| ENTMQBR-4075 | [LTS] Addresses that includes temporary queue keep to remain If the broker is shut down | |
| ENTMQBR-4076 | [LTS] LegacyLDAPSecuritySettingPlugin ignore group changes | |
| ENTMQBR-4132 | [LTS] RA doesn't use the RA specified prefix when setting up a destination | |
| ENTMQBR-4168 | [LTS] shared durable subscriptions - unsubscribe() method does not remove the subscriber queue | |
| ENTMQBR-4194 | [LTS] Server start exception before activation can cause a zombie broker | |
| ENTMQBR-4318 | [LTS] NPE during broker initialization: getCreateDurableQueueRoles | |
| ENTMQBR-4403 | [LTS] ARTEMIS-3037 JournalImpl#checkKnownRecordID() implementation can leave a thread hanging in WAITING state | |
| ENTMQBR-4420 | [LTS] [ARTEMIS-2927] LVQ broken after restart | |
| ENTMQBR-4421 | [LTS] Tests related to ttl messages are failed | |
| ENTMQBR-4422 | [LTS] Audit message shows a wrong messages in the log | |
| ENTMQBR-4423 | [LTS] Adding Wildcard Subscriptions Can Take Too Long, Resulting in Connections Closures Due to Exceeded KeepAlive | |
| ENTMQBR-4424 | CVE-2020-27216 jetty: local temporary directory hijacking vulnerability [amq-7.4.0] | |
| ENTMQBR-4425 | [LTS] Deleted scheduled message reappears after AMQ broker restart. | |
| ENTMQBR-4426 | [LTS] Inconsistent and negative address size | |
| ENTMQBR-4427 | [LTS] destination header replaced for wildcard address during paging | |
| ENTMQBR-4428 | [LTS] [ARTEMIS-3004] Repeating WARN log message "Notified of connection failure" after every xa recovery when read-timeout is configure with a smaller value than default client-failure-check-period (30 seconds) | |
| ENTMQBR-4429 | [LTS] Leak of HttpAcceptorHandler instances when using websocket connections | |
| ENTMQBR-4430 | CVE-2020-27218 jetty: buffer not correctly recycled in Gzip Request inflation [amq-7.4.0] | |
| ENTMQBR-4446 | [LTS] Inconsistencies between Replication Catchup and PagingStore.stopPaging(); |
The following issues have been resolved in the AMQ 7.4.5 release:
| ID | Component | Summary |
|---|---|---|
| ENTMQBR-3953 | [LTS] Wrong formatting Strings in class LoggingResultSet | |
| ENTMQBR-3951 | [LTS] [JDBC-STORE] Adding index on txId | |
| ENTMQBR-3950 | [LTS] JDBC store query append-to-file not correct for mysql | |
| ENTMQBR-3949 | [LTS] DB2 isn't replacing Blob data | |
| ENTMQBR-3916 | [LTS] Non-durable subscribers may stop receiving after failover | |
| ENTMQBR-3869 | [LTS] CVE-2015-5183 Hawtio: HTTPOnly and Secure attributes not set on cookies [amq-7] | |
| ENTMQBR-3866 | [LTS] different "audit logging message" between openwire & amqp protocol | |
| ENTMQBR-3865 | [LTS] Enabling group rebalancing with default / non-zero consumer-window-size can lead to out-of-order message consumption | |
| ENTMQBR-3864 | [LTS] Potential deadlock when destroying a queue and depaging concurrently | |
| ENTMQBR-3863 | [LTS] Configuration-managed queues are being auto deleted | |
| ENTMQBR-3862 | [LTS] LegacyLDAPSecuritySettingPlugin allows new user to access any newly created destinations | |
| ENTMQBR-3861 | [LTS] JDBC XML config can't use custom password codec | |
| ENTMQBR-3860 | [LTS] JVM property hawtio.role doesn't parse a role with space and hyphen | |
| ENTMQBR-3859 | [LTS] LVQ + non-destructive not deliverying message to existing consumer | |
| ENTMQBR-3858 | [LTS] Prometheus shows inconsistent figures in master-slave, shared-store configuration | |
| ENTMQBR-3857 | [LTS] Met NPE when trying to export the messages | |
| ENTMQBR-3856 | [LTS] Null pointer exception on queue update | |
| ENTMQBR-3855 | [LTS] [EAP - postgresql115] java.sql.SQLException: Couldn't access org.postgresql.largeobject.LargeObject | |
| ENTMQBR-3817 | [LTS] The createSession() method throws java.lang.NullPointerException | |
| ENTMQBR-3816 | [LTS] MDB Durable Subscriber error in AMQ 7 | |
| ENTMQBR-3815 | [LTS] Activation failure can result in zombie broker | |
| ENTMQBR-3803 | [LTS] Backup broker cannot reestablish connection with its master | |
| ENTMQBR-3799 | [LTS] AMQ broker creating consumers with destroyed sessions | |
| ENTMQBR-3783 | [LTS] page-max-concurrent-io cannot be disabled | |
| ENTMQBR-3728 | [LTS] ARTEMIS-2835 - Fix new connection establishment after failure during failover / Adding proper log message to SharedNothingLiveActivation.isNodeIdUsed | |
| ENTMQBR-3725 | [LTS] Porting ENTMQBR-3516 | |
| ENTMQBR-3138 | CVE-2019-9827 hawtio: server side request forgery via initial /proxy/ substring of a URI [amq-7.4.0] |
The following issues have been resolved in the AMQ 7.4.4 release:
| ID | Component | Summary |
|---|---|---|
| ENTMQBR-2580 | [AMQ7, message expiry, auto-delete] auto-created queue may not auto-deleted when message expire | |
| ENTMQBR-3213 | Failback does not work master/slave cluster using NFS shared store | |
| ENTMQBR-3275 | Regression: Backup doesn't activate after shared store is reconnected | |
| ENTMQBR-3309 | NMS / Openwire Client Runs Out of Credits Even though Broker Shows All Messages Acked | |
| ENTMQBR-3381 | [ARTEMIS-2665] AMQP Shared Non Durable queues are not being created same as CORE | |
| ENTMQBR-3402 | CVE-2020-1953 commons-configuration2: apache-commons-configuration: uncontrolled class instantiation when loading YAML files [amq-7.4.0] | |
| ENTMQBR-3428 | [AMQ7, AMQP, Openwire] issue consuming amqp message using openwire consumer | |
| ENTMQBR-3431 | CVE-2020-11612 netty: compression/decompression codecs don't enforce limits on buffer allocation sizes [amq-7-LTS] | |
| ENTMQBR-3435 | [LTS] resetUsers operation stores password in plain text | |
| ENTMQBR-3437 | AMQP consumption stalls under during high message throughput | |
| ENTMQBR-3438 | OpenWire consumption stalls under during high message throughput | |
| ENTMQBR-3481 | [LTS] Incorrect Behavior when verifyHost is Configured on Acceptor | |
| ENTMQBR-3488 | resetUsers operation stores password in plain text | |
| ENTMQBR-3489 | [LTS] JMX/Jolokia addSecuritySettings - permissions are not processed until broker restart | |
| ENTMQBR-3505 | [LTS] AMQ224000: Failure in initialisation: java.lang.IllegalStateException: com.microsoft.sqlserver.jdbc.SQLServerException: The conversion from timestamp to TIMESTAMP is unsupported. | |
| ENTMQBR-3522 | CVE-2020-10727 broker: resetUsers operation stores password in plain text [amq-7-LTS] | |
| ENTMQBR-3559 | Dont delete auto created queues when FORCE is used for configuration changes | |
| ENTMQBR-3565 | [LTS] Openwire Temporary Queues may not work if you change wildcard settings | |
| ENTMQBR-3570 | [AMQ 7.2, shared store, scale down] NullPointer exception when slave activates and tries to scale down | |
| ENTMQBR-3572 | In jolokia-access.xml, allowing a remote access using FQDN doesn't work. | |
| ENTMQBR-3574 | [AMQ7, AMQP, Openwire] issue consuming amqp message using openwire consumer | |
| ENTMQBR-3592 | killing (kill -9) AMQ causes tmp space usage to increase - webapp folders are not removed | |
| ENTMQBR-3623 | [LTS] io.netty.util.internal.OutOfDirectMemoryError during uncompress | |
| ENTMQBR-3630 | human-readable timestamp in hawtio is incorrect | |
| ENTMQBR-3634 | OpenWire producerId leak in session state | |
| ENTMQBR-3636 | The names returned by AddressControl.getQueueNames() also include remote forward queue | |
| ENTMQBR-3637 | Default network pinger command uses -t argument for timeout | |
| ENTMQBR-3638 | [AMQ7 Examples] Readme file is missing from all the exmaples | |
| ENTMQBR-3639 | [LTS] Broker logs "quorum" messages even when there is no cluster | |
| ENTMQBR-3680 | CVE-2018-15756 springframework: DoS Attack via Range Requests [amq-7.3.0] | |
| ENTMQBR-3688 | SIGSEGV in libaio when running RHEL 7.8 | |
| ENTMQBR-3691 | Metrics exporter switches address and queue name | |
| ENTMQBR-3694 | Avoid notifications when shutting down on critical IO error | |
| ENTMQBR-3776 | CVE-2020-1953 commons-configuration2: apache-commons-configuration: uncontrolled class instantiation when loading YAML files [amq-7-LTS] |
The following issues have been resolved in the AMQ 7.4.3 release:
| ID | Component | Summary |
|---|---|---|
| ENTMQBR-2456 | CVE-2018-10899 jolokia-core: jolokia: system-wide CSRF that could lead to Remote Code Execution [amq-7.2.4] | |
| ENTMQBR-2706 | ARTEMIS-2176 - Repeating WARN log message "Notified of connection failure" after every xa recovery when read-timeout is configure with a smaller value than default client-failure-check-period (30 seconds) | |
| ENTMQBR-2906 | Upgrade Jetty to fix CVEs related to version 9.4.3.v20170317 [amq-7.4.0] | |
| ENTMQBR-2981 | CVE-2019-16869 netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers [amq-7.4.0] | |
| ENTMQBR-3151 | CVE-2019-0222 mqtt-client: activemq: Corrupt MQTT frame can cause broker shutdown [amq-7.4.0] | |
| ENTMQBR-3157 | CVE-2019-10241 jetty: using specially formatted URL against DefaultServlet or ResourceHandler leads to XSS conditions [amq-7.4.0] | |
| ENTMQBR-3158 | CVE-2019-10247 jetty: error path information disclosure [amq-7.4.0] | |
| ENTMQBR-3159 | Jetty CVEs | |
| ENTMQBR-3226 | CVE-2020-7238 netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling [amq-7.4.0] | |
| ENTMQBR-3227 | LTS: Memory Leak when Opening and Closing AMQP Consumers in the Same Session / Context | |
| ENTMQBR-3243 | CVE-2019-20445 netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header [amq-7.4.0] | |
| ENTMQBR-3244 | CVE-2019-20444 netty: HTTP request smuggling [amq-7.4.0] | |
| ENTMQBR-3257 | LTS: AMQ119217: Cant write to closed file: {0} | |
| ENTMQBR-3258 | [amqp] when receiver client connects without source being set, broker prints NPE | |
| ENTMQBR-3259 | CVE-2012-6708 vulnerability in jQuery | |
| ENTMQBR-3260 | AMQ Hawtio : Could not retrieve queue list. Wrong MBean selected. | |
| ENTMQBR-3261 | AMQ broker does not clean the connection(MQTT) when the connection is broken | |
| ENTMQBR-3263 | Improper Quoting in Generated artemis.profile File - Causing Start Failures in Some Environments | |
| ENTMQBR-3264 | broker rejects reconnect on broker stop/start | |
| ENTMQBR-3267 | Large message's copy may be interfered by other threads | |
| ENTMQBR-3282 | server-side AMQP interceptor returns false, but message is still enqueued | |
| ENTMQBR-3344 | CVE-2019-9511 jetty: HTTP/2: large amount of data requests leads to denial of service [amq-7.4.0] | |
| ENTMQBR-3345 | CVE-2019-9512 jetty: HTTP/2: flood using PING frames results in unbounded memory growth [amq-7.4.0] | |
| ENTMQBR-3347 | CVE-2019-9514 jetty: HTTP/2: flood using HEADERS frames results in unbounded memory growth [amq-7.4.0] | |
| ENTMQBR-3348 | CVE-2019-9515 jetty: HTTP/2: flood using SETTINGS frames results in unbounded memory growth [amq-7.4.0] | |
| ENTMQBR-3349 | CVE-2019-9516 jetty: HTTP/2: 0-length headers lead to denial of service [amq-7.4.0] | |
| ENTMQBR-3350 | CVE-2019-9517 jetty: HTTP/2: request for large response leads to denial of service [amq-7.4.0] | |
| ENTMQBR-3351 | CVE-2019-9518 jetty: HTTP/2: flood using empty frames results in excessive resource consumption [amq-7.4.0] |
The following issues have been resolved in the AMQ 7.4.2 release:
| ID | Component | Summary |
|---|---|---|
| ENTMQBR-522 | Broker running on windows write problems with remove temp files when shutting down | |
| ENTMQBR-2711 | ServerSessionImpl cache does not clear names of deleted temporary destinations & there's no limit on producer target cache | |
| ENTMQBR-2777 | Marking a message as changed during expansion could lead to issues during AMQP to Core Conversion. | |
| ENTMQBR-3073 | OpenWire session close doesn't cleanup consumer refs | |
| ENTMQBR-3090 | Eliminate knownDestinations cache | |
| ENTMQBR-3091 | Editing AMQPMessages or Diverts will cause Message Body Loss and its side effects | |
| ENTMQBR-3093 | Cancelling pre-fetch buffer will break ordering with AMQP | |
| ENTMQBR-3094 | Add option to override InetAddress.isReachable() with purePing() | |
| ENTMQBR-3095 | CVE-2014-0114 Apache Struts 1: Class Loader manipulation via request parameters [amq-7.4.0] | |
| ENTMQBR-3097 | In multiple scale up/down scenario the broker will have lots of store_and_forward(sf) queues | |
| ENTMQBR-3098 | JDBC HA shared store does not take credentials from the jdbc-user and jdbc-password tags | |
| ENTMQBR-3099 | [AMQ7, openwire, nullpointer] Errors occurred during the buffering operation : java.lang.NullPointerException | |
| ENTMQBR-3100 | [AMQ 7.4, KQUEUE] Unable to check KQueue availability : java.lang.NoClassDefFoundError: io/netty/channel/kqueue/KQueue | |
| ENTMQBR-3101 | [artemis-jms-client] if connecting to a list, and if a node is off, initialConnectAttempts=-1 would retry forever once it tried a dead node | |
| ENTMQBR-3102 | java.lang.NullPointerException with message replication | |
| ENTMQBR-3107 | java.lang.OutOfMemoryError: Direct buffer memory | |
| ENTMQBR-3108 | [AMQ7, large messages] LargeMessage doesn't make a full copy of its props | |
| ENTMQBR-3109 | DuplicateIDCacheImpl leak | |
| ENTMQBR-3111 | AMQ broker does not clean the connection(MQTT) when the connection is broken | |
| ENTMQBR-3112 | [AMQ7, purge message, OutOfMemoryException] with a large queue size, removeAllMessages() takes a long time and eventually results in an OOM exception (if enough messages on the queue) | |
| ENTMQBR-3113 | Remote JMX server on slave shuts down during failback | |
| ENTMQBR-3114 | Qpid JMS client doesn't recover after a complete outage | |
| ENTMQBR-3115 | Messages greater than 50kb does not appear on the Hawtio AMQ browser | |
| ENTMQBR-3116 | Remove unsupported examples shipped with AMQ 7.3 | |
| ENTMQBR-3119 | Attribute group-name ignored in replicated colocated configurations | |
| ENTMQBR-3122 | CVE-2014-0114 Apache Struts 1: Class Loader manipulation via request parameters [amq-7.4.0] | |
| ENTMQBR-3123 | Duplicate amqp messages over cluster | |
| ENTMQBR-3125 | Artemis responds with disposition Rejected if queue is full | |
| ENTMQBR-3129 | AMQ7 template yaml missing quotes |
The following issues have been resolved in the AMQ 7.4.1 release:
| ID | Component | Summary |
|---|---|---|
| ENTMQBR-2470 | [AMQ7, openwire,redelivery] redelivery counter for message increasing, if consumer is closed without consuming any messages | |
| ENTMQBR-2593 | broker does not set message ID header on cross protocol consumption | |
| ENTMQBR-2612 | Consumer command, clientID is not saved during JMS exception | |
| ENTMQBR-2624 | HornetQ client issue while using JMSMessageID as selector | |
| ENTMQBR-2631 | Resource adapter getter should return wrapped objects and not primitive | |
| ENTMQBR-2640 | max-saved-replicated-journals-size=0 throws ArrayIndexOutOfBoundsException | |
| ENTMQBR-2676 | Negative Message Count and Delivering Count with camel-amqp client | |
| ENTMQBR-2702 | Broker unresponsive when many consumers have delayed and negative acknowledgement on the same address | |
| ENTMQBR-2708 | The subscribed topic is removed if reconnecting to messaging system with legacy-connection-factory | |
| ENTMQBR-2719 | Lost messages in scenario with a remote MDB and a long GC pause. | |
| ENTMQBR-2720 | Connection Timeout now blocks on the retry, it should be asynchronous | |
| ENTMQBR-2730 | Page Loss scenarios |
Comments