Chapter 7. Fixed issues
The following sections list the issues fixed in AMQ Streams 2.5.x. Red Hat recommends that you upgrade to the latest patch release.
The AMQ Streams 2.5.x release supports Kafka 3.5.0. For details of the issues fixed in Kafka 3.5.0, refer to the Kafka 3.5.0 Release Notes.
7.1. Fixed issues for AMQ Streams 2.5.2
AMQ Streams 2.5.2 (Long Term Support) is the latest patch release. The patch release incorporates Kafka 3.5.2 updates.
For details of the issues fixed in Kafka 3.5.1 and 3.5.2, refer to the Kafka 3.5.1 and Kafka 3.5.2 Release Notes.
For additional details about the issues resolved in AMQ Streams 2.5.2, see AMQ Streams 2.5.x Resolved Issues.
7.2. Fixed issues for AMQ Streams 2.5.1
KAFKA-15353
The 2.5.1 patch release includes a fix for KAFKA-15353, an issue whose fix is otherwise part of the Kafka 3.5.2 release. Note that the patch release backports the fix for this specific issue only, not all of the fixes in Kafka 3.5.2.
For more information on the issue, see the Kafka 3.5.2 Release Notes.
HTTP/2 DoS vulnerability (CVE-2023-44487)
The release addresses CVE-2023-44487, a critical Denial of Service (DoS) vulnerability in the HTTP/2 protocol. The vulnerability stems from mishandling of multiplexed streams: a malicious client repeatedly requests new streams and promptly cancels each one with an RST_STREAM frame. Because every cancel frees the stream's slot, the server expends resources setting up and tearing down streams without the client ever reaching the server-side limit on active streams per connection. For more information on this vulnerability, see the CVE-2023-44487 page.
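One way to spot the pattern described above on the server side, as an added example that is not part of these release notes or of any AMQ Streams code: it replays constructed HTTP/2 frame events and flags a connection whose RST_STREAM rate exceeds a budget even though its active-stream count never approaches the concurrency limit. The frame names come from the HTTP/2 specification; the event format, the limit and the budget values are assumptions.

```python
# Added example (not AMQ Streams code): flag HTTP/2 rapid-reset behaviour per connection.
from collections import defaultdict, deque

MAX_CONCURRENT_STREAMS = 100  # assumed server setting, for comparison only
RESET_BUDGET = 50             # assumed: RST_STREAM frames tolerated per connection per window
WINDOW_SECONDS = 1.0

def detect_rapid_reset(events, budget=RESET_BUDGET, window=WINDOW_SECONDS):
    """events: iterable of (timestamp, connection_id, frame, stream_id), with
    frame 'HEADERS' (client opened a stream) or 'RST_STREAM' (client cancelled it).
    Returns {connection_id: (peak_active_streams, flagged)}."""
    active = defaultdict(set)    # conn -> stream ids currently open
    peak = defaultdict(int)      # conn -> highest concurrent stream count seen
    resets = defaultdict(deque)  # conn -> timestamps of recent RST_STREAM frames
    flagged = set()
    for ts, conn, frame, sid in sorted(events):
        if frame == "HEADERS":
            active[conn].add(sid)
            peak[conn] = max(peak[conn], len(active[conn]))
        elif frame == "RST_STREAM":
            # The cancel frees the slot, so the per-connection active-stream
            # limit is never reached; the reset rate is what gives the abuse away.
            active[conn].discard(sid)
            recent = resets[conn]
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) > budget:
                flagged.add(conn)
    return {conn: (peak[conn], conn in flagged) for conn in peak}

def constructed_events():
    """Constructed sample: 'attacker' opens and immediately cancels 500 streams
    within half a second; 'normal' opens 20 streams and leaves them running."""
    events = []
    for i in range(500):
        sid = 2 * i + 1  # client-initiated HTTP/2 streams use odd identifiers
        events.append((i * 0.001, "attacker", "HEADERS", sid))
        events.append((i * 0.001 + 0.0005, "attacker", "RST_STREAM", sid))
    for i in range(20):
        events.append((i * 0.01, "normal", "HEADERS", 2 * i + 1))
    return events

if __name__ == "__main__":
    for conn, (high, bad) in detect_rapid_reset(constructed_events()).items():
        print(f"{conn}: peak active streams {high} of limit {MAX_CONCURRENT_STREAMS}, flagged={bad}")
```

The abusive connection never has more than one stream open at a time, which is why a concurrency cap alone does not catch it and servers patched for this CVE added per-connection reset budgets instead.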
For additional details about the issues resolved in AMQ Streams 2.5.1, see AMQ Streams 2.5.x Resolved Issues.
7.3. Fixed issues for AMQ Streams 2.5.0
| Issue Number | Description |
|---|---|
| | [KAFKA] Mirror Maker 2 negative lag |
| | [BRIDGE] Logged HTTP response status code could be different from the actual one returned to the client |
| | Make connector task backoff configurable in Kafka Connect |
| Issue Number | Description |
|---|---|
| | snakeyaml: Constructor Deserialization Remote Code Execution |
| TRIAGE-CVE-2023-34454 | snappy-java-repolib: snappy-java: Integer overflow in compress leads to DoS |
| TRIAGE-CVE-2023-34454 | snappy-java-debuginfo: snappy-java: Integer overflow in compress leads to DoS |
| TRIAGE-CVE-2023-34454 | snappy-java: Integer overflow in compress leads to DoS |
| TRIAGE-CVE-2023-34455 | snappy-java: Unchecked chunk length leads to DoS |
| CVE-2023-34462 | Flaw in Netty’s SniHandler while navigating TLS handshake; DoS |
| CVE-2023-0482 | RESTEasy: creation of insecure temp files |
| CVE-2022-24823 | netty: world readable temporary file containing sensitive data |
| CVE-2021-37137 | netty-codec: SnappyFrameDecoder doesn’t restrict chunk length and may buffer skippable chunks in an unnecessary way |
| CVE-2021-37136 | netty-codec: Bzip2Decoder doesn’t allow setting size restrictions for decompressed data |
| CVE-2023-3635 | DoS of the Okio client when handling a crafted GZIP archive |
| CVE-2023-26048 | Jetty servlets with multipart support may cause OOM error with client requests |
| CVE-2023-26049 | Non-standard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies |
| CVE-2022-36944 | scala: deserialization gadget chain |
| TRIAGE-CVE-2023-3635 | okio: GzipSource class improper exception handling |
| CVE-2023-26048 | jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() |
| CVE-2023-26049 | jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies |