Messages are now processed in batches, with transactions possible on the consumer side, producer side, or both. Refer to the documentation for the benefits and tradeoffs of batching and transactions. Note that the default batch size is 255, and that the {{solace.connector.process}} and {{solace.connector.error.process}} metrics now apply to batches instead of individual messages. To get metrics on individual messages you can use the {{solace.connector.publish.ack}} metric.

Migrate to Latest Connector Framework Using Spring Boot 3.3 Release

Support in the Solace source binder for consuming from a Durable Topic Endpoint (in addition to queues). Also added support for selectors on both Queues and Durable Topic Endpoints.

Added support (internal) for NACK handling of messages not processed due to error. This is a breaking change regarding supported PubSub+ broker versions. The connectors now require a 10.2.1+ broker version to operate.

JMS consumer bindings no longer map {{jms_destination}} and {{jms_replyTo}} headers. As a result, these headers are no longer accessible for use in transform-header expressions. If your configuration includes default workflow transform-header expressions that nullify these headers, you can now remove those expressions.

StreamMessages are not supported by this version of the connector due to an issue within the Spring Framework. Solace is working with Spring to address this issue and will reinstate StreamMessage support in a future release. Attempted processing of StreamMessages will result in an “UnsupportedOperationException” in the connector.

Upgrade connector to JCSMP library version to 10.25.0

Upgrade connector base image to Eclipse Temurin 17.0.12_7-jre-alpine (sha256:31c3cc1b2b02ae43a3af8a34b0d4a20208818355b68f3112933f9e8fa5be9a3b). Fixes expat and openssl vulnerabilities.

Upgrade connector base image to Eclipse Temurin 17.0.12_7-jre-alpine.

Upgrade connector to JCSMP library version to 10.24.1

The Solace binder now supports OAuth authorization to the Solace broker. Add several configuration properties to allow for a Credentials Grant from the configured IDP.

Secure connections to IBM MQ can now be configured via Spring’s SSL Bundles. SSL Bundles are a new way of defining SSL properties in Spring configuration. More information is available in Spring documentation: [Securing Spring Boot Applications With SSL|https://spring.io/blog/2023/06/07/securing-spring-boot-applications-with-ssl]

Upgrade connector base image to Eclipse Temurin 17.0.11_9-jre-alpine.

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.

### Summary When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash. Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team Affected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime. ### Severity [CVE-2024-7254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7254) **High** CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication) This is a potential Denial of Service. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker. ### Proof of Concept For reproduction details, please refer to the unit tests (Protobuf Java [LiteTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/lite/src/test/java/com/google/protobuf/LiteTest.java) and [CodedInputStreamTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/core/src/test/java/com/google/protobuf/CodedInputStreamTest.java)) that identify the specific inputs that exercise this parsing weakness. ### Remediation and Mit

Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows attacker to render security annotations inaffective.

Spring Framework is vulnerable DoS via conditional HTTP request. Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to Denial of Service attack. All versions before 5.3.38, 6.0.23 and 6.1.12 are affected.

A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.

BouncyCastle before version 1.78 is vulnerable to timing side-channel attacks against RSA decryption (both PKCS#1v1.5 and OAEP).

An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.

An issue was discovered in the FIPS Java API of Bouncy Castle BC-FJA before 1.0.2.4. Changes to the JVM garbage collector in Java 13 and later trigger an issue in the BC-FJA FIPS modules where it is possible for temporary keys used by the module to be zeroed out while still in use by the module, resulting in errors or potential information loss. NOTE: FIPS compliant users are unaffected because the FIPS certification is only for Java 7, 8, and 11.

In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possible vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.

libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 and CVE-2024-22243, but with different input.