5.4.3 Release Notes

These release notes list any new features, enhancements, fixes, and breaking changes implemented between version 5.4.2 and version 5.4.3 of Hazelcast Platform.

Release date: 2025-08-26

This is a maintenance release for Enterprise Edition.

For help downloading Hazelcast Enterprise Edition, see Installing Hazelcast Enterprise Edition or request a trial license key.

Security

  • Security Fix for CVE-2024-13009 – Request body data leakage via Jetty GzipHandler in Jetty server library: Resolved CVE-2024-13009, a high-severity vulnerability in org.eclipse.jetty:jetty-server where GzipHandler may incorrectly release buffers on gzip inflate errors, potentially causing parts of a request body to be exposed to subsequent requests.

  • Security Fix for CVE-2025-24970 – Native crash via Netty SslHandler input validation: Resolved CVE-2025-24970, a high-severity vulnerability in io.netty:netty-handler where SslHandler may not correctly validate specially crafted packets when using the native SSLEngine, leading to a potential native process crash.

  • Security Fix for CVE-2025-27817 – Arbitrary file read and SSRF via Kafka OAUTHBEARER endpoints in kafka-clients: Resolved CVE-2025-27817, a moderate vulnerability in org.apache.kafka:kafka-clients where untrusted configuration of sasl.oauthbearer.token.endpoint.url or sasl.oauthbearer.jwks.endpoint.url could enable arbitrary file read via error logs and server-side request forgery.

  • Security Fix for CVE-2025-27818 – Deserialization of untrusted data via SASL JAAS login modules in Apache Kafka/Connect: Resolved CVE-2025-27818, a high-severity issue in org.apache.kafka:kafka where an authenticated operator could set sasl.jaas.config to com.sun.security.auth.module.LdapLoginModule, triggering LDAP-based deserialization that may enable Remote Code Execution.

  • Security Fix for CVE-2025-46701 – Security constraint bypass via CGI servlet pathInfo case handling in Apache Tomcat: Resolved CVE-2025-46701, a low-severity issue where improper case-sensitivity handling in the CGI servlet could allow bypass of security constraints applied to the pathInfo component.

  • Security Fix for CVE-2025-48988 – Denial of service via multipart upload in Apache Tomcat: Resolved CVE-2025-48988, a high-severity issue where unrestricted resource allocation during multipart upload handling could enable a denial of service.

  • Security Fix for CVE-2025-49124 – Untrusted search path in Apache Tomcat Windows installer: Resolved CVE-2025-49124, a high-severity issue where the Windows installer invoked icacls.exe without a fully qualified path, enabling potential DLL or binary hijacking during installation.

  • Security Fix for PRISMA-2023-0067 – Denial of service via uncontrolled resource consumption in Jackson: Resolved PRISMA-2023-0067, a high-severity issue where com.fasterxml.jackson.core:jackson-core did not properly restrict resource usage, enabling potential DoS through uncontrolled resource consumption.
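One defender-side check that follows from the two Kafka entries above (CVE-2025-27817 and CVE-2025-27818): a small Python lint, added here as an example and not Hazelcast or Kafka code, that parses a Kafka client properties file and flags the settings those advisories name. The sample configurations are constructed; the https-only rule for the OAUTHBEARER endpoint URLs is an assumption, not something the release notes state.

```python
import re
from urllib.parse import urlparse

# Login modules that must not appear in sasl.jaas.config (CVE-2025-27818).
DISALLOWED_LOGIN_MODULES = ("com.sun.security.auth.module.LdapLoginModule",)
# Endpoint settings from CVE-2025-27817; assumption: only https URLs are acceptable.
URL_KEYS = ("sasl.oauthbearer.token.endpoint.url", "sasl.oauthbearer.jwks.endpoint.url")


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: 'key=value' or 'key: value', '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def lint(props: dict) -> list:
    """Return one finding string per risky setting; an empty list means clean."""
    findings = []
    jaas = props.get("sasl.jaas.config", "")
    for module in DISALLOWED_LOGIN_MODULES:
        if module in jaas:
            findings.append(f"sasl.jaas.config uses disallowed login module {module}")
    for key in URL_KEYS:
        value = props.get(key)
        if value is None:
            continue
        scheme = urlparse(value).scheme
        if scheme != "https":
            findings.append(f"{key} uses non-https scheme '{scheme or '(none)'}': {value}")
    return findings


# Constructed sample configurations (not taken from any real deployment).
BAD_CONFIG = """
security.protocol=SASL_SSL
sasl.mechanism=OAUTHBEARER
sasl.jaas.config=com.sun.security.auth.module.LdapLoginModule required;
sasl.oauthbearer.token.endpoint.url=file:///tmp/constructed-example
sasl.oauthbearer.jwks.endpoint.url=https://idp.example.com/.well-known/jwks.json
"""
GOOD_CONFIG = BAD_CONFIG.replace(
    "com.sun.security.auth.module.LdapLoginModule required;",
    "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;",
).replace("file:///tmp/constructed-example", "https://idp.example.com/oauth2/token")
```

Run `lint(parse_properties(text))` over each connector or client properties file before the upgraded cluster admits it; a non-empty result should block deployment.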

Fixes

  • Fixed handling of expired entries when depopulating global indexes: Resolved an issue where expired entries were skipped during the cleanup of global indexes on migration source nodes. This caused query threads to encounter dangling pointers in the index, leading to JVM crashes. The fix ensures that expired entries are included when depopulating global indexes, preventing such crashes and improving system stability.

  • Fixed Kafka Connector Compatibility: Resolved an issue where some connectors were incompatible with Kafka Connect Runtime > 3.9.0 due to missing kafka-clients utilities. This caused connector failures during runtime. The fix ensures that the kafka-clients dependency is included, restoring compatibility for affected connectors.