RHSA-2020:0939: Important: Red Hat AMQ Streams 1.4.0 release and security update

Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. This release of Red Hat AMQ Streams 1.4.0 serves as a replacement for Red Hat AMQ Streams 1.3.0, and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.Security Fix(es): netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238) netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header (CVE-2019-20445) netty: HTTP request smuggling (CVE-2019-20444) jackson-databind: Serialization gadgets in classes of the commons-dbcp package (CVE-2019-16942) jackson-databind: Serialization gadgets in classes of the p6spy package (CVE-2019-16943) jackson-databind: polymorphic typing issue when enabling default typing for an externally exposed JSON endpoint and having apache-log4j-extra in the classpath leads to code execution (CVE-2019-17531) jackson-databind: lacks certain net.sf.ehcache blocking (CVE-2019-20330) kafka: Connect REST API exposes plaintext secrets in tasks endpoint (CVE-2019-12399) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.