AMQ Streams 2.2.x Resolved Issues
Updated -
The AMQ Streams 2.2.2 release is now available for download from the Customer Portal and Red Hat Container Catalog. AMQ Streams 2.2.2 is a patch release for AMQ Streams 2.2.0. Note, AMQ Streams patches are cumulative and include fixes from previous patch releases as noted below.
The following issues have been resolved in the AMQ Streams 2.2.2 release:
| ID | Component | Summary |
|---|---|---|
| ENTMQST-5373 | [Major Incident] CVE-2023-44487 netty-codec-http2: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) [amq-st-2] |
The following issues have been resolved in the AMQ Streams 2.2.1 release:
| ID | Component | Summary |
|---|---|---|
| ENTMQST-4728 | [KAFKA] MM2 connector task stopped and didn’t result in failed state | |
| ENTMQST-4766 | [amq-st-2.2] CVE-2023-25194 - POSSIBLE RCE/DENIAL OF SERVICE ATTACK VIA SASL JAAS JNDI LOGIN MODULE CONFIGURATION USING KAFKA CONNECT | |
| ENTMQST-4691 | [amq-st-2.2] CVE-2023-0833 okhttp: Red Hat A-MQ Streams: component version with information disclosure flaw | |
| ENTMQST-4282 | [PROD] Missing sources for Kubernetes client 5.12.0 related artifacts | |
| ENTMQST-4785 | [amq-st-2.2] CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS | |
| ENTMQST-4787 | [amq-st-2.2] CVE-2022-42004 jackson-databind: use of deeply nested arrays | |
| ENTMQST-4788 | [amq-st-2.4] CVE-2022-42004 jackson-databind: use of deeply nested arrays | |
| ENTMQST-4791 | [amq-st-2.2] CVE-2022-36944 Scala 2.13.x before 2.13.9 has a Java deserialization risk via a gadget chain | |
| ENTMQST-4790 | [amq-st-2.2] CVE-2022-38752 snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode | |
| ENTMQST-4789 | [amq-st-2.2] CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow | |
| ENTMQST-4794 | [amq-st-2.2] CVE-2023-25194: Apache Kafka: Possible RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration using Kafka Connect | |
| ENTMQST-4792 | [amq-st-2.2] CVE-2022-25647 com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson | |
| ENTMQST-4793 | [amq-st-2.2] CVE-2022-2047 jetty-http: improver hostname input handling |
Comments