Release Notes: PubSub+ Connector for IBMMQ, Version 2.6.8
Release History for PubSub+ Connector for IBMMQ, Version 2.6.8
October 2024

New Features Introduced in Release 2.6.8 and Earlier Releases

This section lists the new features introduced in the PubSub+ Connector for IBMMQ for release 2.6.8 and earlier releases.
Name | Description | Introduced in Version
Connector Framework/Binder Performance Improvements
Messages are now processed in batches, and transactions can be enabled on the consumer side, the producer side, or both. Refer to the documentation for the benefits and tradeoffs of batching and transactions. Note that the default batch size is 255, and that the {{solace.connector.process}} and {{solace.connector.error.process}} metrics now count batches rather than individual messages. For per-message metrics, use {{solace.connector.publish.ack}}.
2.6.0
Migrate Connector Framework and connectors to Spring Boot 3.3
Migrated to the latest Connector Framework release, which is based on Spring Boot 3.3.
2.6.0
Support for Durable Topic Endpoints and Selectors in Solace binder
The Solace source binder can now consume from a Durable Topic Endpoint in addition to queues. Selectors are also supported on both queues and Durable Topic Endpoints.
2.6.0
SCSt binder: Add support for NACK
Added internal support for NACK handling of messages that could not be processed because of an error. This is a breaking change with respect to supported PubSub+ broker versions: the connectors now require broker version 10.2.1 or later.
2.3.0

Issues Resolved in Release 2.6.8 and Earlier Releases

This section lists the history of resolved issues in the PubSub+ Connector for IBMMQ for release 2.6.8 and earlier releases.
Reference Number | Description | Resolved in Version
DATAGO-78357
JMS consumer bindings no longer map {{jms_destination}} and {{jms_replyTo}} headers. As a result, these headers are no longer accessible for use in transform-header expressions. If your configuration includes default workflow transform-header expressions that nullify these headers, you can now remove those expressions.
2.6.4
DATAGO-71738
StreamMessages are not supported by this version of the connector due to an issue within the Spring Framework. Solace is working with Spring to address this issue and will reinstate StreamMessage support in a future release. Attempted processing of StreamMessages will result in an “UnsupportedOperationException” in the connector.
2.4.3

Changed Functionality in Release 2.6.8 and Earlier Releases

This section lists the history of changed functionality in the PubSub+ Connector for IBMMQ for release 2.6.8 and earlier releases.
Reference Number | Description | Introduced in Version
DATAGO-86506
Upgrade the connector's JCSMP library to version 10.25.0.
2.6.8
DATAGO-84696
Upgrade connector base image to Eclipse Temurin 17.0.12_7-jre-alpine (sha256:31c3cc1b2b02ae43a3af8a34b0d4a20208818355b68f3112933f9e8fa5be9a3b). Fixes expat and openssl vulnerabilities.
2.6.8
DATAGO-83539
Upgrade connector base image to Eclipse Temurin 17.0.12_7-jre-alpine.
2.6.4
DATAGO-82916
Upgrade the connector's JCSMP library to version 10.24.1.
2.6.4
DATAGO-79393
The Solace binder now supports OAuth authorization to the Solace broker. Several configuration properties were added to allow a Credentials Grant from the configured IdP.
2.6.0
DATAGO-75127
Secure connections to IBM MQ can now be configured via Spring’s SSL Bundles. SSL Bundles are a new way of defining SSL properties in Spring configuration. More information is available in Spring documentation: [Securing Spring Boot Applications With SSL|https://spring.io/blog/2023/06/07/securing-spring-boot-applications-with-ssl]
2.3.0
DATAGO-77045
Upgrade connector base image to Eclipse Temurin 17.0.11_9-jre-alpine.
2.3.0

Vulnerabilities Addressed in Release 2.6.8 and Earlier Releases

The following vulnerabilities have been resolved in the PubSub+ Connector for IBMMQ for release 2.6.8 and earlier releases.
Resolved in Version | Severity (CVSS v3 Score) | Vulnerability ID | Solace Reference Number | Affected Products | Description
2.6.8 | CVSS v3: 7.5 | spring-webmvc-6.1.12.jar | DATAGO-84986 | JAR
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
2.6.8 | CVSS v3: 7.5 (HIGH) | - | DATAGO-85256 | Image
Summary: When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash. Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team. Affected versions: this issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime. Severity: [CVE-2024-7254|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7254], High, CVSS 4.0 score 8.7 (note: there may be a delay in publication). This is a potential denial of service: parsing nested groups as unknown fields with DiscardUnknownFieldsParser or the Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursion that can be abused by an attacker. Proof of concept: for reproduction details, refer to the unit tests (Protobuf Java [LiteTest|https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/lite/src/test/java/com/google/protobuf/LiteTest.java] and [CodedInputStreamTest|https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/core/src/test/java/com/google/protobuf/CodedInputStreamTest.java]) that identify the specific inputs that exercise this parsing weakness. Remediation and Mit
2.6.4 | CVSS v3: 6.5 | spring-security-config-6.3.1.jar | DATAGO-83112 | JAR
Missing authorization when using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows an attacker to render security annotations ineffective.
2.6.4 | CVSS v3: 6.5 | spring-web-6.1.11.jar | DATAGO-82871 | JAR
Spring Framework is vulnerable to DoS via conditional HTTP requests. Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to a Denial of Service attack. All versions before 5.3.38, 6.0.23 and 6.1.12 are affected.
2.6.4 | CVSS v3: 5.5 (MEDIUM) | - | DATAGO-78433 | JAR
A use-after-free vulnerability was discovered in the xasprintf function in xfuncs_printf.c:344 in BusyBox v1.36.1.
2.6.0 | CVSS v3: 5.5 | tomcat-embed-core-10.1.24.jar | DATAGO-79942 | JAR
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams, which in turn led to the use of an incorrect infinite timeout that allowed connections to remain open which should have been closed.
2.6.0 | CVSS v3: 7.5 (HIGH) | - | DATAGO-79942 | Image
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams, which in turn led to the use of an incorrect infinite timeout that allowed connections to remain open which should have been closed. This issue affects Apache Tomcat from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, and from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.
2.3.0 | CVSS v3: 5.9 | bcprov-jdk18on-1.77.jar | DATAGO-75569 | JAR
BouncyCastle before version 1.78 is vulnerable to timing side-channel attacks against RSA decryption (both PKCS#1 v1.5 and OAEP).
2.3.0 | CVSS v3: 5.3 (MODERATE) | - | DATAGO-76734 | Image
An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.
2.3.0 | CVSS v3: 5.5 (MEDIUM) | - | DATAGO-74149 | JAR
An issue was discovered in the FIPS Java API of Bouncy Castle BC-FJA before 1.0.2.4. Changes to the JVM garbage collector in Java 13 and later trigger an issue in the BC-FJA FIPS modules where it is possible for temporary keys used by the module to be zeroed out while still in use by the module, resulting in errors or potential information loss. NOTE: FIPS-compliant users are unaffected because the FIPS certification is only for Java 7, 8, and 11.
2.3.0 | CVSS v3: 8.2 | spring-security-core-6.2.2.jar | DATAGO-76734 | JAR
In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, 6.0.x prior to 6.0.9, 6.1.x prior to 6.1.8, and 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses AuthenticatedVoter#vote passing a null Authentication parameter.
2.3.0 | CVSS v3: 7.5 (HIGH) | - | DATAGO-73977 | JAR
libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.
2.1.7 | CVSS v3: 8.1 | spring-web-6.1.5.jar | DATAGO-75012 | JAR
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect attack or to an SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 and CVE-2024-22243, but with different input.
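The table above names the library versions each connector release moved off. As an added example (not Solace code), the following script audits a connector distribution's lib/ listing against those statements: the affected ranges are transcribed from the table (a branch below its first fixed version, or the exact versions the table names where it states no fix), version comparison handles the Tomcat "-Mn" milestone notation the table uses, and the directory listing is constructed for the demonstration. Older branches the table does not mention (for example spring-web 4.x) are deliberately out of scope.

```python
"""Audit a connector lib/ listing against the vulnerable library versions
named in the release-notes vulnerability table. Added example, not Solace
code; ranges are transcribed from the table, the listing is constructed."""
from __future__ import annotations

import re
from typing import Optional

_JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.-]*)\.jar$")
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-M(\d+))?$")


def version_key(version: str) -> tuple:
    """Sort key for numeric versions; '-Mn' milestones sort before the final release."""
    m = _VER_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version syntax: {version}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    milestone = m.group(2)
    return (nums, 0 if milestone else 1, int(milestone) if milestone else 0)


def parse_jar_name(name: str) -> Optional[tuple[str, str]]:
    """'spring-web-6.1.11.jar' -> ('spring-web', '6.1.11'); None if not a versioned jar."""
    m = _JAR_RE.match(name)
    return (m.group("artifact"), m.group("version")) if m else None


# (branch, first fixed version): every version in that branch below the fix is
# affected; a branch of None means every version below the fix. From the table.
AFFECTED_BELOW = {
    "spring-web": [("5.3", "5.3.38"), ("6.0", "6.0.23"), ("6.1", "6.1.12")],  # ETag DoS
    "bcprov-jdk18on": [(None, "1.78")],  # RSA decryption timing side channel
    "tomcat-embed-core": [("9.0", "9.0.90"), ("10.1", "10.1.25"),
                          ("11.0", "11.0.0-M21")],  # HTTP/2 stream miscount
    "spring-security-core": [("5.7", "5.7.12"), ("5.8", "5.8.11"), ("6.0", "6.0.9"),
                             ("6.1", "6.1.8"), ("6.2", "6.2.3")],  # AuthenticatedVoter#vote
}
# Versions the table names as vulnerable without stating a fixed version.
AFFECTED_EXACT = {
    "spring-security-config": {"6.3.0", "6.3.1"},  # @AuthorizeReturnObject
    "spring-webmvc": {"6.1.12"},  # WebMvc.fn static-resource path traversal
}


def in_branch(version: str, branch: Optional[str]) -> bool:
    """True when version starts with the branch's numeric prefix (None matches all)."""
    if branch is None:
        return True
    prefix = version_key(branch)[0]
    return version_key(version)[0][:len(prefix)] == prefix


def is_affected(artifact: str, version: str) -> bool:
    """True when the table lists this artifact version as vulnerable."""
    if version in AFFECTED_EXACT.get(artifact, set()):
        return True
    for branch, fixed in AFFECTED_BELOW.get(artifact, []):
        if in_branch(version, branch) and version_key(version) < version_key(fixed):
            return True
    return False


def audit(jar_names) -> list[str]:
    """Return the jar file names at a vulnerable version, in input order."""
    return [name for name in jar_names
            if (parsed := parse_jar_name(name)) and is_affected(*parsed)]


# Constructed lib/ listing: versions from the table next to their fixed successors.
SAMPLE_LIB = [
    "spring-web-6.1.11.jar", "spring-web-6.1.12.jar", "spring-webmvc-6.1.12.jar",
    "bcprov-jdk18on-1.77.jar", "bcprov-jdk18on-1.78.jar",
    "tomcat-embed-core-10.1.24.jar", "tomcat-embed-core-10.1.25.jar",
    "spring-security-core-6.2.2.jar", "spring-security-config-6.3.1.jar",
    "sol-jcsmp-10.25.0.jar",
]

if __name__ == "__main__":
    for jar in audit(SAMPLE_LIB):
        print("VULNERABLE:", jar)
```

Run it against the real listing with `audit(os.listdir("lib"))`; a clean result means every artifact in the table is at or past the version the table gives as fixed, not that the image as a whole is clean, since the Image rows (BusyBox, libexpat) are not jar files and need the base-image digest check instead.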
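The DATAGO-85256 entry above describes unbounded recursion when unknown nested groups are skipped. As an added example (not protobuf or Solace code), this minimal protobuf wire-format field skipper shows the mechanism: a start-group tag (wire type 3) recurses until the matching end-group tag (wire type 4), so a message of N consecutive start-group bytes recurses N deep. The unbounded variant reproduces the crash as Python's RecursionError (the analogue of the JVM StackOverflowError); the hardened variant enforces a nesting limit. The payloads are constructed inline, and the limit of 100 is an assumption chosen for the demonstration.

```python
"""Unknown-field skipping with and without a group-nesting limit. Added
example, not protobuf or Solace code; payloads are constructed inline."""
from __future__ import annotations

from typing import Optional

VARINT, FIXED64, LEN, SGROUP, EGROUP, FIXED32 = 0, 1, 2, 3, 4, 5


def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a base-128 varint at pos; return (value, position after it)."""
    value = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def encode_varint(value: int) -> bytes:
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)


def _skip_fields(buf: bytes, pos: int, group: Optional[int],
                 depth: int, max_depth: Optional[int]) -> int:
    """Skip fields until the end-group tag matching `group` (or end of buffer when
    group is None). max_depth=None is the unbounded recursion the advisory describes."""
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field, wire_type = tag >> 3, tag & 7
        if wire_type == VARINT:
            _, pos = read_varint(buf, pos)
        elif wire_type == FIXED64:
            pos += 8
        elif wire_type == LEN:
            length, pos = read_varint(buf, pos)
            pos += length
        elif wire_type == SGROUP:
            # Every nested start-group adds a stack frame; attacker controls the count.
            if max_depth is not None and depth >= max_depth:
                raise ValueError(f"group nesting exceeds limit of {max_depth}")
            pos = _skip_fields(buf, pos, field, depth + 1, max_depth)
        elif wire_type == EGROUP:
            if field != group:
                raise ValueError("end-group tag does not match the open group")
            return pos
        elif wire_type == FIXED32:
            pos += 4
        else:
            raise ValueError(f"invalid wire type {wire_type}")
        if pos > len(buf):
            raise ValueError("field extends past end of message")
    if group is not None:
        raise ValueError("unterminated group")
    return pos


def skip_unknown_unbounded(buf: bytes) -> int:
    """Vulnerable variant: nesting is bounded only by the stack."""
    return _skip_fields(buf, 0, None, 0, None)


def skip_unknown(buf: bytes, max_depth: int = 100) -> int:
    """Hardened variant: reject messages nested deeper than max_depth groups."""
    return _skip_fields(buf, 0, None, 0, max_depth)


def nested_groups(field: int, depth: int) -> bytes:
    """Construct `depth` nested empty groups on `field`: the attacker's payload."""
    start = encode_varint((field << 3) | SGROUP)
    end = encode_varint((field << 3) | EGROUP)
    return start * depth + end * depth


if __name__ == "__main__":
    payload = nested_groups(1, 3000)  # 6000 bytes is enough to exhaust a default stack
    try:
        skip_unknown_unbounded(payload)
    except RecursionError:
        print("unbounded skipper crashed on", len(payload), "bytes")
    try:
        skip_unknown(payload)
    except ValueError as err:
        print("hardened skipper rejected it:", err)
```

The same depth counter belongs on every recursive entry point that handles groups, including the map-field path the advisory mentions; limiting only the top-level parser leaves the other paths with the original behaviour.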

Known Issues in Release 2.6.8 and Earlier Releases

This section describes known issues in the PubSub+ Connector for IBMMQ for release 2.6.8 and earlier releases.

None
For more details, refer to the Release Notes page for the individual Solace Messaging APIs.