Release History for PubSub+ Connector for JMS, Version 2.7.5
May 2025
This section lists the new features introduced in the PubSub+ Connector for JMS for
release 2.7.5 and earlier releases.
| Name | Description | Introduced in Version |
|---|---|---|
| Connector Framework - per message payload identification and field-level transformations |
A new configuration section and capabilities around transforming source headers and payload to desired mappings on the target headers and payload has been added. The mappings are expressed in the connector configuration using an expression language based on Spring Expression Language (SpEL).
This release supports JSON payloads only. Future releases will add other content formats such as XML. If your source and target payload is not JSON, you cannot map or transform the payload and it is passed through as is. However, you can still do header transforms and smart topic dynamic producer destinations. This is a new capability and is not compatible with the "transform-headers" and "transform-payload" sections of the configuration available prior to this release. The "transform-headers" and "transform-payload" sections continue to work but are now deprecated and will be removed in a future release. Existing connector configurations that rely on the legacy transform sections should not use the new transform capabilities. The legacy and new transform sections cannot be used together. |
2.7.0 |
| Migrate Connectors Framework and connectors update to Springboot to 3.3 |
Migrate to Latest Connector Framework Using Spring Boot 3.3 Release
|
2.4.0 |
| Support for Durable Topic Endpoints and Selectors in Solace binder |
Support in the Solace source binder for consuming from a Durable Topic Endpoint (in addition to queues). Also added support for selectors on both Queues and Durable Topic Endpoints.
|
2.4.0 |
| Connector Framework/Binder Performance Improvements |
Messages are now processed in batches, with transactions possible on the consumer side, producer side, or both. Refer to the documentation for the benefits and tradeoffs of batching and transactions. Note that the default batch size is 255, and that the {{solace.connector.process}} and {{solace.connector.error.process}} metrics now apply to batches instead of individual messages. To get metrics on individual messages you can use the {{solace.connector.publish.ack}} metric.
|
2.4.0 |
| SCSt binder: Add support for NACK |
Added support (internal) for NACK handling of messages not processed due to error. This is a breaking change regarding supported PubSub+ broker versions. The connectors now require a 10.2.1+ broker version to operate.
|
2.1.2 |
This section lists the history of resolved issues in the PubSub+ Connector for JMS for
release 2.7.5 and earlier releases.
| Reference Number | Description | Resolved in Version |
|---|---|---|
| DATAGO-69335 |
Fixed the issue in reading user property having value of type byte[] or ByteArray while mapping Solace Consumer message to Spring message.
|
2.4.8 |
| DATAGO-78357 |
JMS consumer bindings no longer map {{jms_destination}} and {{jms_replyTo}} headers. As a result, these headers are no longer accessible for use in transform-header expressions. If your configuration includes default workflow transform-header expressions that nullify these headers, you can now remove those expressions.
|
2.4.3 |
| DATAGO-71738 |
StreamMessages are not supported by this version of the connector due to an issue within the Spring Framework. Solace is working with Spring to address this issue and will reinstate StreamMessage support in a future release. Attempted processing of StreamMessages will result in an “UnsupportedOperationException” in the connector.
|
2.2.1 |
This section lists the history of changed functionality in the PubSub+ Connector for JMS
for release 2.7.5 and earlier releases.
| Reference Number | Description | Introduced in Version |
|---|---|---|
| DATAGO-99525 |
Upgrade connector to JCSMP 10.27.0
|
2.7.5 |
| DATAGO-99526 |
Upgrade connector to Solace Spring Cloud 4.8.0
|
2.7.5 |
| DATAGO-99796 |
Upgrade connector to Spring Boot 3.4.5
|
2.7.5 |
| DATAGO-99793 |
Upgrade connector base image to Eclipse Temurin 17.0.15_6-jre-alpine (sha256:b10e4fda9d71b3819a91fbb0dbb28512edbb37a45f6af2a301c780223bb42fb8).
|
2.7.5 |
| DATAGO-97477 |
Upgrade connector to Spring Cloud 2024.0.1
|
2.7.2 |
| DATAGO-97166 |
Upgrade connector to JCSMP 10.26.0
|
2.7.2 |
| DATAGO-97529 |
Upgrade connector to Spring Boot 3.4.4
|
2.7.2 |
| DATAGO-97063 |
Upgrade connector to Spring Boot Admin 3.4.5
|
2.7.2 |
| DATAGO-95206 |
Upgrade connector to Spring Boot Admin 3.4.2
|
2.7.0 |
| DATAGO-95698 |
Upgrade connector to Spring Boot 3.4.3
|
2.7.0 |
| DATAGO-95501 |
Upgrade connector base image to Eclipse Temurin 17.0.14_7-jre-alpine (sha256:865cca6d0b31f284a5fc4e8cbd8f9375f470fd07cf6e909cea62f2790d4187fe).
|
2.7.0 |
| DATAGO-93220 |
Upgrade connector to Solace Spring Cloud 4.7.0
|
2.6.2 |
| DATAGO-92733 |
Upgrade connector to JCSMP 10.25.2
|
2.6.2 |
| DATAGO-93240 |
Upgrade connector to Spring Boot 3.4.2
|
2.6.2 |
| DATAGO-93224 |
Upgrade connector base image to Eclipse Temurin 17.0.13_11-jre-alpine (sha256:8164ba7f332faf27462e055013c2aa518a2eba1ce6984e9ca60dadb899cab6bd).
|
2.6.2 |
| DATAGO-89778 |
Upgrade connector to Spring Boot 3.4.1 and Spring Cloud 2024.0.0
|
2.6.2 |
| DATAGO-92283 |
Upgrade connector base image to Eclipse Temurin 17.0.13_11-jre-alpine (sha256:04ea31625d7771f3272bdc533a2871c00a8268f1a6774528b2a7389515f7b5b1).
|
2.5.2 |
| DATAGO-91311 |
Upgrade connector to Spring Boot 3.3.7
|
2.5.1 |
| DATAGO-90429 |
jms_destination is now exposed as a message header of type jakarta.jms.Destination, enabling its use in header transformation expressions |
2.5.0 |
| DATAGO-89279 |
Upgrade connector base image to Eclipse Temurin 17.0.13_11-jre-alpine (sha256:fcf70ae7ba37872c7d1da875593321c3e90bd9a02c6b4bfde5a1260b08b8f178).
|
2.4.8 |
| DATAGO-89976 |
Upgrade connector to Spring Cloud 2023.0.4
|
2.4.8 |
| DATAGO-89278 |
Upgrade connector to Spring Boot 3.3.6
|
2.4.8 |
| DATAGO-87477 |
Upgrade connector to Spring Boot 3.3.5
|
2.4.7 |
| DATAGO-87054 |
Upgrade connector to JCSMP library version to 10.25.1
|
2.4.7 |
| DATAGO-87474 |
Upgrade connector base image to Eclipse Temurin 17.0.13_11-jre-alpine (sha256:148f1c965d9314fc1207b7719f0eec35a374ad2ccfb8200268b5ac17a25e05fd).
|
2.4.7 |
| DATAGO-86506 |
Upgrade connector to JCSMP library version to 10.25.0
|
2.4.6 |
| DATAGO-84696 |
Upgrade connector base image to Eclipse Temurin 17.0.12_7-jre-alpine (sha256:31c3cc1b2b02ae43a3af8a34b0d4a20208818355b68f3112933f9e8fa5be9a3b). Fixes expat and openssl vulnerabilities.
|
2.4.6 |
| DATAGO-82916 |
Upgrade connector to JCSMP library version to 10.24.1
|
2.4.3 |
| DATAGO-83539 |
Upgrade connector base image to Eclipse Temurin 17.0.12_7-jre-alpine.
|
2.4.3 |
| DATAGO-79393 |
The Solace binder now supports OAuth authorization to the Solace broker. Add several configuration properties to allow for a Credentials Grant from the configured IDP.
|
2.4.0 |
| DATAGO-77045 |
Upgrade connector base image to Eclipse Temurin 17.0.11_9-jre-alpine.
|
2.1.2 |
The following vulnerabilities have been resolved in the PubSub+ Connector for JMS for
release 2.7.5 and earlier releases.
| Resolved in Version | Severity (CVSS v3 Score) | Vulnerability ID | Solace Reference Number | Affected Products | Description |
|---|---|---|---|---|---|
| 2.7.5 | CVSS v3: 7.5 (HIGH) | DATAGO-100430 | Image |
In SQLite 3.44.0 through 3.49.0 before 3.49.1, the concat_ws() SQL function can cause memory to be written beyond the end of a malloc-allocated buffer. If the separator argument is attacker-controlled and has a large string (e.g., 2MB or more), an integer overflow occurs in calculating the size of the result buffer, and thus malloc may not allocate enough memory.
|
|
| 2.7.5 | CVSS v3: 7.5 | httpclient5-5.4.2.jar | DATAGO-99888 | JAR |
A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release
|
| 2.7.2 | CVSS v3: 5.3 | spring-security-core-6.4.3.jar | DATAGO-97533 | JAR |
Spring Security 6.4.0 through 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass. Your application may be affected by this if the following are true:
|
| 2.7.2 | CVSS v3: 7.4 | spring-security-crypto-6.4.3.jar | DATAGO-97534 | JAR |
BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.
|
| 2.7.2 | CVSS v3: 7.5 (HIGH) | DATAGO-96240 | Image |
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn\'t correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually.
|
|
| 2.7.0 | CVSS v3: 7.5 | json-smart-2.5.1.jar | DATAGO-94030 | JAR |
A security issue was found in Netplex Json-smart 2.5.0 through 2.5.1. When loading a specially crafted JSON input, containing a large number of ’{’, a stack exhaustion can be trigger, which could allow an attacker to cause a Denial of Service (DoS). This issue exists because of an incomplete fix for CVE-2023-1370.
|
| 2.7.0 | CVSS v3: 7.5 | netty-handler-4.1.117.Final.jar | DATAGO-94911 | JAR |
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash. Version 4.1.118.Final contains a patch. As workaround its possible to either disable the usage of the native SSLEngine or change the code manually.
|
| 2.7.0 | CVSS v3: 5.5 | netty-common-4.1.117.Final.jar | DATAGO-94912 | JAR |
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.
|
| 2.5.2 | CVSS v3: 4.4 | logback-core-1.5.12.jar | DATAGO-91429 | JAR |
ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core
|
| 2.5.2 | CVSS v3: 6.6 | logback-classic-1.5.12.jar | DATAGO-91430 | JAR |
ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core
|
| 2.5.1 | CVSS v3: 9.8 | tomcat-embed-core-10.1.33.jar | DATAGO-91084 | JAR |
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).
|
| 2.5.1 | CVSS v3: 5.3 | spring-webmvc-6.1.15.jar | DATAGO-91495 | JAR |
Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack.
|
| 2.4.8 | CVSS v3: 7.5 | tomcat-embed-core-10.1.24.jar | DATAGO-79943 | JAR |
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.
|
| 2.4.8 | CVSS v3: 7.5 | spring-webmvc-6.1.13.jar | DATAGO-87570 | JAR |
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
|
| 2.4.8 | CVSS v3: 4.8 | spring-security-core-6.3.4.jar | DATAGO-89424 | JAR |
The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.
|
| 2.4.8 | CVSS v3: 5.5 | netty-common-4.1.114.Final.jar | DATAGO-89346 | JAR |
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.
|
| 2.4.7 | CVSS v3: 9.1 | spring-security-web-6.3.3.jar | DATAGO-87581 | JAR |
Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances.
|
| 2.4.7 | CVSS v3: 7.5 | spring-webmvc-6.1.13.jar | DATAGO-87571 | JAR |
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
|
| 2.4.6 | CVSS v3: 7.5 (HIGH) | DATAGO-85256 | Image |
### Summary When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash. Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team
|
|
| 2.4.6 | CVSS v3: 7.5 | spring-webmvc-6.1.12.jar | DATAGO-84986 | JAR |
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
|
| 2.4.3 | CVSS v3: 5.5 (MEDIUM) | DATAGO-78433 | JAR |
A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.
|
|
| 2.4.3 | CVSS v3: 6.5 | spring-web-6.1.11.jar | DATAGO-82871 | JAR |
Spring Framework is vulnerable DoS via conditional HTTP request. Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to Denial of Service attack. All versions before 5.3.38, 6.0.23 and 6.1.12 are affected.
|
| 2.4.3 | CVSS v3: 6.5 | spring-security-config-6.3.1.jar | DATAGO-83112 | JAR |
Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows attacker to render security annotations inaffective.
|
| 2.4.0 | CVSS v3: 5.5 | tomcat-embed-core-10.1.24.jar | DATAGO-79942 | JAR |
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.
|
| 2.4.0 | CVSS v3: 7.5 (HIGH) | DATAGO-79942 | Image |
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.
|
|
| 2.1.2 | CVSS v3: 5.9 | bcprov-jdk18on-1.77.jar | DATAGO-75573 | JAR |
BouncyCastle before version 1.78 is vulnerable to timing side-channel attacks against RSA decryption (both PKCS#1v1.5 and OAEP).
|
| 2.1.2 | CVSS v3: 5.5 (MEDIUM) | DATAGO-74149 | JAR |
An issue was discovered in the FIPS Java API of Bouncy Castle BC-FJA before 1.0.2.4. Changes to the JVM garbage collector in Java 13 and later trigger an issue in the BC-FJA FIPS modules where it is possible for temporary keys used by the module to be zeroed out while still in use by the module, resulting in errors or potential information loss. NOTE: FIPS compliant users are unaffected because the FIPS certification is only for Java 7, 8, and 11.
|
|
| 2.1.2 | CVSS v3: 7.5 (HIGH) | DATAGO-73977 | JAR |
libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.
|
|
| 2.1.2 | CVSS v3: 8.2 | spring-security-core-6.2.2.jar | DATAGO-73485 | JAR |
In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to
5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8,
versions 6.2.x prior to 6.2.3, an application is possible vulnerable to
broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.
|
| 2.0.7 | CVSS v3: 8.1 | spring-web-6.1.5.jar | DATAGO-75012 | JAR |
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 and CVE-2024-22243, but with different input.
|
For more details, refer to the Release Notes page for the individual
Solace Messaging APIs.