AMQ Streams 1.6.x Resolved Issues
The AMQ Streams 1.6.7 release is now available for download from the Customer Portal and Red Hat Container Catalog. AMQ Streams 1.6.7 is a patch release for AMQ Streams 1.6.0. Note, AMQ Streams patches are cumulative and include fixes from previous patch releases as noted below.
The following issues have been resolved in the AMQ Streams 1.6.7 release:
| ID | Component | Summary |
|---|---|---|
| ENTMQST-3626 | CVE-2021-44832 log4j-core: remote code execution via JDBC Appender [amq-st-1] (AMQ Streams 1.6) | |
| ENTMQST-3627 | CVE-2021-4178 kubernetes-client: Insecure deserialization in unmarshalYaml method [amq-st-1] | |
| ENTMQST-3680 | CVE-2022-23307 log4j: A deserialization flaw could lead to malicious code execution [amq-st-1] => 1.6.7 | |
| ENTMQST-3683 | CVE-2022-23305 log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender [amq-st-1] - AMq Streams 1.6.x | |
| ENTMQST-3684 | CVE-2022-23302 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink [amq-st-1] - AMQ Streams 1.6.x |
The following issues have been resolved in the AMQ Streams 1.6.6 release:
| ID | Component | Summary |
|---|---|---|
| ENTMQST-3312 | CVE-2021-38153 kafka-clients: Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients [amq-st-1] | |
| ENTMQST-3313 | CVE-2021-38153 kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients [amq-st-1] | |
| ENTMQST-3588 | CVE-2021-45105 log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern [amq-st-1] |
The following issues have been resolved in the AMQ Streams 1.6.5 release:
| ID | Component | Summary |
|---|---|---|
| ENTMQST-3530 | CVE-2021-44228 log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value. [amq-st-1] |
The following issues have been resolved in the AMQ Streams 1.6.4* release:
| ID | Component | Summary |
|---|---|---|
| ENTMQST-2642 | [LTS] Deadlock in Kafka Connect | |
| ENTMQST-2785 | CVE-2021-28163 jetty-server: jetty: Symlink directory exposes webapp directory contents [amq-st-1] | |
| ENTMQST-2787 | CVE-2021-28164 jetty-server: jetty: Ambiguous paths can access WEB-INF [amq-st-1] | |
| ENTMQST-2786 | CVE-2021-28165 jetty-server: jetty: Resource exhaustion when receiving an invalid large TLS frame [amq-st-1] |
AMQ Streams 1.6.4 is based on Apache Kafka 2.6.2, in addition to the above fixes please see the upstream release notes for a full list of issues resolved in this release.
The following issues have been resolved in the AMQ Streams 1.6.3* release:
| ID | Component | Summary |
|---|---|---|
| ENTMQST-2629 | Respin AMQ Streams images in response to RHSA :69500 |
The following issues have been resolved in the AMQ Streams 1.6.2* release:
| ID | Component | Summary |
|---|---|---|
| ENTMQST-2414 | Comparing String with Map in KafkaConnectApiImpl in Connect logging configuration | |
| ENTMQST-2440 | Missing CRB RBAC will break Kafka Connect even when not needed | |
| ENTMQST-2450 | Connect default logging not expanded | |
| ENTMQST-2509 | Avoid changing custom resource status because of HashSet ordering | |
| ENTMQST-2510 | Remove owner referneces from ClusterRoleBindings | |
| ENTMQST-2511 | Fine-tune the Kafka Exporter health checks | |
| ENTMQST-2512 | Topic operator bug-fixes |
The following issues have been resolved in the AMQ Streams 1.6.1* release:
| ID | Component | Summary |
|---|---|---|
| ENTMQST-2479 | Update to AMQ Streams images to fix openssl CVE-2020-1971 |
* Denotes the release is only applicable to deployments on OpenShift.
Comments