Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.
This release of Red Hat AMQ Streams 1.4.0 serves as a replacement for Red Hat AMQ Streams 1.3.0, and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.
netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)
netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header (CVE-2019-20445)
netty: HTTP request smuggling (CVE-2019-20444)
jackson-databind: Serialization gadgets in classes of the commons-dbcp package (CVE-2019-16942)
jackson-databind: Serialization gadgets in classes of the p6spy package (CVE-2019-16943)
jackson-databind: polymorphic typing issue when enabling default typing for an externally exposed JSON endpoint and having apache-log4j-extra in the classpath leads to code execution (CVE-2019-17531)
jackson-databind: lacks certain net.sf.ehcache blocking (CVE-2019-20330)
kafka: Connect REST API exposes plaintext secrets in tasks endpoint (CVE-2019-12399)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.