Chapter 5. Fixed issues
The following sections list the issues fixed in AMQ Streams 1.8.x. Red Hat recommends that you upgrade to the latest patch release.
For details of the issues fixed in Kafka 2.8.0, refer to the Kafka 2.8.0 Release Notes.
5.1. Fixed issues for AMQ Streams 1.8.4
The AMQ Streams 1.8.4 patch release is now available.
For additional details about the issues resolved in AMQ Streams 1.8.4, see AMQ Streams 1.8.x Resolved Issues.
Log4j2 vulnerability
The 1.8.4 release fixes a remote code execution vulnerability in AMQ Streams components that use log4j2. The vulnerability could allow remote code execution on the server if the system logs a string value from an unauthorized source. This affects log4j versions between 2.0 and 2.14.1.
For more information, see CVE-2021-44228.
5.2. Fixed issues for AMQ Streams 1.8.0
Issue Number | Description
---|---
 | The
 | Running Kafka Exporter leads to high CPU usage.
 | Fine tune the health checks to stop Kafka Exporter restarting during rolling updates.
 | File Source Connector stops in the case of a large file.
Issue Number | Title | Description
---|---|---
CVE-2021-34428 | jetty-server: jetty: SessionListener can prevent a session from being invalidated, breaking logout. | A flaw was discovered in the jetty-server, where if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts, this could result in a session not being invalidated and a shared-computer application being left logged in. The highest threat from this vulnerability is to data confidentiality and integrity.
CVE-2021-28169 | jetty-server: jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory. | -
CVE-2021-21409 | netty: Request smuggling via content-length header. | A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.
CVE-2021-27568 | json-smart: uncaught exception may lead to crash or information disclosure. | A flaw was found in json-smart. When an exception is thrown from a function but is not caught, the program using the library may crash or expose sensitive information. The highest threat from this vulnerability is to data confidentiality and system availability. In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack ship the vulnerable version of the json-smart package. Since the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix. This may be fixed in the future.
CVE-2021-21295 | netty: possible request smuggling in HTTP/2 due to missing validation. | In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by
CVE-2021-21290 | netty: Information disclosure via the local system temporary directory. | In Netty there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, a local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure.
CVE-2020-13949 | libthrift: potential DoS when processing untrusted payloads. | A flaw was found in libthrift. Applications using Thrift would not show an error upon receiving messages declaring containers of sizes larger than the payload. This gives malicious RPC clients the ability to send short messages that result in a large memory allocation, potentially leading to denial of service. The highest threat from this vulnerability is to system availability.
CVE-2020-9488 | log4j: improper validation of certificate with host mismatch in SMTP appender. | -
CVE-2021-28163 | jetty-server: jetty: Symlink directory exposes webapp directory contents. | If the
CVE-2021-28164 | jetty-server: jetty: Ambiguous paths can access WEB-INF. | In Jetty the default compliance mode allows requests with URIs that contain
CVE-2021-28165 | jetty-server: jetty: Resource exhaustion when receiving an invalid large TLS frame. | When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing high CPU utilization. The highest threat from this vulnerability is to service availability.
CVE-2021-29425 | commons-io: apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6. | -
CVE-2021-28168 | jersey-common: jersey: Local information disclosure via system temporary directory. | -