Red Hat AMQ Streams


Recent Red Hat Amq Streams Security Advisories

Advisory | Title | Published
RHSA-2024:6536 | Moderate: Red Hat AMQ Streams 2.5.2 release and security update | September 10, 2024
RHSA-2024:3527 | Moderate: Red Hat AMQ Streams 2.7.0 release and security update | May 30, 2024
RHSA-2023:7678 | Important: Red Hat AMQ Streams 2.6.0 release and security update | December 6, 2023
RHSA-2023:6030 | Important: Red Hat AMQ Streams 2.2.2 release and security update | October 23, 2023
RHSA-2023:5973 | Important: Red Hat AMQ Streams 2.5.1 release and security update | October 20, 2023
RHSA-2023:5165 | Important: Red Hat AMQ Streams 2.5.0 release and security update | September 14, 2023
RHSA-2023:3223 | Important: Red Hat AMQ Streams 2.4.0 release and security update | May 18, 2023
RHSA-2023:1241 | Moderate: Red Hat AMQ Streams 2.2.1 release and security update | March 14, 2023
RHSA-2023:0189 | Moderate: Red Hat AMQ Streams 2.3.0 release and security update | January 17, 2023
RHSA-2022:6819 | Important: Red Hat AMQ Streams 2.2.0 release and security update | October 5, 2022

By the Year

In 2026 there has been 1 vulnerability in Red Hat AMQ Streams so far, with an average score of 7.5 out of ten. Last year, in 2025, AMQ Streams had 2 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in AMQ Streams in 2026 could surpass last year's number. The average vulnerability score for 2026 so far is the same as last year's.

Year | Vulnerabilities | Average Score
2026 | 1 | 7.50
2025 | 2 | 7.50
2024 | 9 | 6.54

It may take a day or so for new AMQ Streams vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Amq Streams Security Vulnerabilities

Undertow OOM via large servlet param names
CVE-2024-4027 7.5 - High - January 30, 2026

A flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames() can cause an OutOfMemoryError when the client sends a request with large parameter names. This issue can be exploited by an unauthorized user to cause a remote denial-of-service (DoS) attack.

Improper Input Validation

Undertow OOM DoS via Large application/x-www-form-urlencoded
CVE-2024-3884 7.5 - High - December 03, 2025

A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoded as application/x-www-form-urlencoded, the method can cause an OutOfMemoryError. This flaw allows unauthorized users to cause a remote denial of service (DoS) attack.

Improper Input Validation

Memory Leak in Quarkus RESTEasy Extension (CVE-2025-1634)
CVE-2025-1634 7.5 - High - February 26, 2025

A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError.

Memory Leak

Quarkus-HTTP Cookie Parsing Vulnerability
CVE-2024-12397 7.4 - High - December 12, 2024

A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.

HTTP Request Smuggling

Uninitialized Buffer in Go FIPS OpenSSL May Cause False HMAC Match
CVE-2024-9355 6.5 - Medium - October 01, 2024

A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed HMAC sum to an untrusted input sum, if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.

Use of Uninitialized Variable

Kroxylicious TLS Hostname Verification Bypass
CVE-2024-8285 5.9 - Medium - August 30, 2024

A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.

Improper Validation of Certificate with Host Mismatch

Undertow MaxAge Default -1 Exposes HTTP Learning-Push handler
CVE-2024-3653 5.3 - Medium - July 08, 2024

A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request.

Memory Leak

Keycloak OIDC checkLoginIframe DoS via unvalidated cross-origin messages
CVE-2024-1249 7.4 - High - April 17, 2024

A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages.

Origin Validation Error

Quarkus Core Env Var Leakage in Build
CVE-2024-2700 7 - High - April 04, 2024

A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, therefore, running the resulting application inherits the values captured at build time. Some local environment variables may have been set by the developer or CI environment for testing purposes, such as dropping the database during application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application, which can lead to dangerous behavior if the application does not override these values. This behavior only happens for configuration properties from the `quarkus.*` namespace. Application-specific properties are not captured.

Exposure of Sensitive Information Through Environmental Variables

Memory Leak in Eclipse Vert.x TCP TLS Server via Fake SNI
CVE-2024-1300 5.4 - Medium - April 02, 2024

A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.

Memory Leak

Vert.x HTTP Client Memory Leak via Netty FastThreadLocal
CVE-2024-1023 6.5 - Medium - March 27, 2024

A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to the use of Netty FastThreadLocal data structures. Specifically, the leak is triggered when the Vert.x HTTP client establishes connections to different hosts. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server that connects to arbitrary internet addresses supplied by clients could serve as an attack vector, since each new host accelerates the memory leak.

Memory Leak

Undertow WriteTimeoutStreamSinkConduit Causing Memory/File Exhaustion
CVE-2024-1635 7.5 - High - February 19, 2024

A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens a connection to the HTTP port of the server and then closes it immediately, the server will eventually exhaust both its memory and its open file limits, with the time to exhaustion depending on the amount of memory available. At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if the RemotingConnection is closed by the Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer wrapping the remoting connection. This inner connection is unaware of the outermost layer when it closes during the connection-opening procedure, so the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task that is added to the XNIO WorkerThread, the whole dependency tree leaks via that task: the WorkerThread points to the Undertow conduit, which holds the connections, and that reference chain causes the leak.

Resource Exhaustion
