Releases: cloudfoundry/java-buildpack
Java Buildpack v4.49.1
I'm pleased to announce the release of the java-buildpack, version 4.49.1. This release is a dependency update-only release. It primarily includes new OpenJDK versions, which are based on the Oracle Java Quarterly Updates for July 2022. These versions include bug and security fixes. See the Risk Matrix link below for more details.
Two additional notes, we have fixed #955, so the buildpack should be working with IBM JREs and we have had to remove Takipi #956 until further notice. The repository where binaries for the Takipi agent have been hosted is no longer working and we have been unable to get the problem rectified with the vendor. If and when we are able to get the problem resolved, we'll add Takipi back into the buildpack.
For a more detailed look at the changes in 4.49.1, please take a look at the commit log. The packaged version of the buildpack, suitable for use with create-buildpack and update-buildpack, can be found attached to this release.
Deprecation of Spring Cloud Connectors & Spring Auto Reconfiguration
Please continue to be aware of this change from v4.49. See the release notes there for details. As before, you may post feedback/comments to this issue.
Packaged Dependencies
| Dependency | Version | CVEs | Release Notes |
|---|---|---|---|
| AppDynamics Agent | 22.6.0_33917 |
Release Notes | |
| Azure Application Insights Agent | 2.6.2 |
Release Notes | |
| CA Introscope APM Framework | 22.6.0_6 |
||
| Client Certificate Mapper | 1.11.0_RELEASE |
Included inline above | Included inline above |
| Container Security Provider | 1.19.0_RELEASE |
Included inline above | Included inline above |
| Contrast Security Agent | 3.18.1 |
Release Notes | |
| Datadog APM Javaagent | 0.104.0 |
Release Notes | |
| Elastic APM Agent | 1.33.0 |
Release Notes | |
| Gemalto Luna Security Provider | 7.4.0 |
Release Notes | |
| Geode Tomcat Session Store | 1.12.5 |
||
| Google Stackdriver Debugger | 2.30.0 |
Release Notes | |
| Google Stackdriver Profiler | 0.1.0 |
Release Notes | |
| Groovy | 2.5.17 |
Release Notes | |
| JaCoCo Agent | 0.8.8 |
Release Notes | |
| Java Memory Assistant Agent | 0.5.0 |
||
| Java Memory Assistant Clean Up | 0.1.0 |
||
| JProfiler Profiler | 12.0.4 |
ChangeLog | |
| JRebel Agent | 2022.3.0 |
ChangeLog | |
| jvmkill Agent | 1.16.0_RELEASE |
Included inline above | Included inline above |
| MariaDB JDBC Driver | 2.7.2 |
Release Notes | |
| Memory Calculator | 3.13.0_RELEASE |
Included inline above | Included inline above |
| Metric Writer | 3.5.0_RELEASE |
Included inline above | Included inline above |
| New Relic Agent | 7.8.0 |
Release Notes | |
| OpenJDK JRE | 1.8.0_342 |
Risk Matrix | Release Notes |
| OpenJDK JRE 11 | 11.0.16_8 |
Risk Matrix | Release Notes |
| OpenJDK JRE 17 | 17.0.4_8 |
Risk Matrix | Release Notes |
| PostgreSQL JDBC Driver | 42.4.0 |
ChangeLog | |
| Redis Session Store | 1.3.6_RELEASE |
Included inline above | Included inline above |
| Riverbed Appinternals Agent | 11.8.5_BL527 |
||
| SeaLights Agent | 3.1.2101 |
||
| SkyWalking | 8.9.0 |
ChangeLog | |
| Spring Auto-reconfiguration | 2.12.0_RELEASE |
Included inline above | Included inline above |
| Spring Boot CLI | 2.7.2 |
||
| Spring Boot Container Customizer | 2.6.0_RELEASE |
Included inline above | Included inline above |
| Tomcat | 9.0.65 |
Security | ChangeLog |
| Tomcat Access Logging Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| Tomcat Lifecycle Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| Tomcat Logging Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| YourKit Profiler | 2022.3.100 |
Release Notes |
Java Buildpack v4.49
I'm pleased to announce the release of the java-buildpack, version 4.49. This is primarily a house-cleaning release.
- In preparation for cflinuxfs4, the buildpack has been made compliant with Ruby 3.0 & it is now being tested every release against Ruby 3.0
- The ProtectApp framework was removed. This is because the upstream vendor's download site has gone offline and we no longer have the means to distribute it. For the same reason, the download location for Luna has changed from the vendor to the default repository.
- Resolve #935 by permitting raw type values in Elastic APM config (#946)
- Add deprecation warnings around SAR/SCC. See more about this below.
- Facilitate migrations to
java-cfenvby disabling SAR/SCC automatically ifjava-cfenvis included with the application.
For a more detailed look at the changes in 4.49, please take a look at the commit log. The packaged version of the buildpack, suitable for use with create-buildpack and update-buildpack, can be found attached to this release.
Deprecation of Spring Cloud Connectors & Spring Auto Reconfiguration
The buildpack will now inspect your applications and WARN if you are using Spring Cloud Connectors (deprecated since 2019, set to be archived after Dec 2022) and Spring Auto Reconfiguration (now deprecated with this release). In addition, the buildpack will automatically disable SAR/SCC when you have java-cfenv present in your application. This make migration easier as the two should not be used together, and it also prevents spurious warnings since the presence of this library means you are in the process of or have already moved to java-cfenv.
From now on, everyone should use java-cfenv for parsing service bindings and auto-configuring services. The CloudFoundry documentation has been updated with usage instructions as well as a migration guide.
Please be extra cautious when migrating as java-cfenv does not enable the cloud profile automatically. When you add this dependency, the buildpack will disable SAR/SCC which also disables the profile. As is documented in the migration guide, you need to manually enable this profile if it's required by your application.
The buildpack will continue to WARN users through the end of Aug 2022. After that time, the default behavior will change and the buildpack will not include Spring Auto Reconfiguration unless it's specifically requested. The buildpack will remove all support for Spring Auto Reconfiguration after Dec 2022.
You may post feedback/comments to this issue.
Packaged Dependencies
| Dependency | Version | CVEs | Release Notes |
|---|---|---|---|
| AppDynamics Agent | 22.5.0_33845 |
Release Notes | |
| Azure Application Insights Agent | 2.6.2 |
Release Notes | |
| CA Introscope APM Framework | 22.3.0_26 |
||
| Client Certificate Mapper | 1.11.0_RELEASE |
Included inline above | Included inline above |
| Container Security Provider | 1.19.0_RELEASE |
Included inline above | Included inline above |
| Contrast Security Agent | 3.15.0_27227 |
Release Notes | |
| Datadog APM Javaagent | 0.101.0 |
Release Notes | |
| Elastic APM Agent | 1.31.0 |
Release Notes | |
| Gemalto Luna Security Provider | 7.4.0 |
Release Notes | |
| Geode Tomcat Session Store | 1.12.5 |
||
| Google Stackdriver Debugger | 2.29.0 |
Release Notes | |
| Google Stackdriver Profiler | 0.1.0 |
Release Notes | |
| Groovy | 2.5.16 |
Release Notes | |
| JaCoCo Agent | 0.8.8 |
Release Notes | |
| Java Memory Assistant Agent | 0.5.0 |
||
| Java Memory Assistant Clean Up | 0.1.0 |
||
| JProfiler Profiler | 12.0.4 |
ChangeLog | |
| JRebel Agent | 2022.2.1 |
ChangeLog | |
| jvmkill Agent | 1.16.0_RELEASE |
Included inline above | Included inline above |
| MariaDB JDBC Driver | 2.7.2 |
Release Notes | |
| Memory Calculator | 3.13.0_RELEASE |
Included inline above | Included inline above |
| Metric Writer | 3.5.0_RELEASE |
Included inline above | Included inline above |
| New Relic Agent | 7.7.0 |
Release Notes | |
| OpenJDK JRE | 1.8.0_332 |
Risk Matrix | Release Notes |
| OpenJDK JRE 11 | 11.0.15_10 |
Risk Matrix | Release Notes |
| OpenJDK JRE 17 | 17.0.3_7 |
Risk Matrix | Release Notes |
| PostgreSQL JDBC Driver | 42.3.6 |
ChangeLog | |
| Redis Session Store | 1.3.6_RELEASE |
Included inline above | Included inline above |
| Riverbed Appinternals Agent | 11.8.5_BL527 |
||
| SeaLights Agent | 3.1.2093 |
||
| SkyWalking | 8.9.0 |
ChangeLog | |
| Spring Auto-reconfiguration | 2.12.0_RELEASE |
Included inline above | Included inline above |
| Spring Boot CLI | 2.7.0 |
||
| Spring Boot Container Customizer | 2.6.0_RELEASE |
Included inline above | Included inline above |
| Tomcat | 9.0.63 |
Security | ChangeLog |
| Tomcat Access Logging Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| Tomcat Lifecycle Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| Tomcat Logging Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| YourKit Profiler | 2022.3.100 |
Release Notes |
Dependency Notes
- ProtectApp has been removed. See the note above.
- Takipi Agent is not included with this release because, at the time of release, the download site was unavailable. We are working with the vendor to remedy this & will enable support once the site is back up.
Java Buildpack v4.48.3
I'm pleased to announce the release of the java-buildpack, version 4.48.3. This release is a dependency update-only release. It primarily includes new OpenJDK versions, which are based on the Oracle Java Quarterly Updates for April 2022. These versions include bug and security fixes, notably a fix for CVE-2022-21449. See the Risk Matrix link below for more details.
For a more detailed look at the changes in 4.48.3, please take a look at the commit log. The packaged version of the buildpack, suitable for use with create-buildpack and update-buildpack, can be found attached to this release.
Packaged Dependencies
| Dependency | Version | CVEs | Release Notes |
|---|---|---|---|
| AppDynamics Agent | 22.3.0_33637 |
Release Notes | |
| Azure Application Insights Agent | 2.6.2 |
Release Notes | |
| CA Introscope APM Framework | 22.3.0_26 |
||
| Client Certificate Mapper | 1.11.0_RELEASE |
Included inline above | Included inline above |
| Container Security Provider | 1.19.0_RELEASE |
Included inline above | Included inline above |
| Contrast Security Agent | 3.13.0_26267 |
Release Notes | |
| Datadog APM Javaagent | 0.99.0 |
Release Notes | |
| Elastic APM Agent | 1.30.1 |
Release Notes | |
| Gemalto Luna Security Provider | 7.4.0 |
Release Notes | |
| Gemalto ProtectApp Security Provider | 8.4.0 |
||
| Geode Tomcat Session Store | 1.12.5 |
||
| Google Stackdriver Debugger | 2.29.0 |
Release Notes | |
| Google Stackdriver Profiler | 0.1.0 |
Release Notes | |
| Groovy | 2.5.16 |
Release Notes | |
| JaCoCo Agent | 0.8.8 |
Release Notes | |
| Java Memory Assistant Agent | 0.5.0 |
||
| Java Memory Assistant Clean Up | 0.1.0 |
||
| JProfiler Profiler | 12.0.4 |
ChangeLog | |
| JRebel Agent | 2022.2.0 |
ChangeLog | |
| jvmkill Agent | 1.16.0_RELEASE |
Included inline above | Included inline above |
| MariaDB JDBC Driver | 2.7.2 |
Release Notes | |
| Memory Calculator | 3.13.0_RELEASE |
Included inline above | Included inline above |
| Metric Writer | 3.5.0_RELEASE |
Included inline above | Included inline above |
| New Relic Agent | 7.6.0 |
Release Notes | |
| OpenJDK JRE | 1.8.0_332 |
Risk Matrix | Release Notes |
| OpenJDK JRE 11 | 11.0.15_10 |
Risk Matrix | Release Notes |
| OpenJDK JRE 17 | 17.0.3_7 |
Risk Matrix | Release Notes |
| PostgreSQL JDBC Driver | 42.3.4 |
ChangeLog | |
| Redis Session Store | 1.3.6_RELEASE |
Included inline above | Included inline above |
| Riverbed Appinternals Agent | 11.8.5_BL527 |
||
| SeaLights Agent | 3.1.2089 |
||
| SkyWalking | 8.9.0 |
ChangeLog | |
| Spring Auto-reconfiguration | 2.12.0_RELEASE |
Included inline above | Included inline above |
| Spring Boot CLI | 2.6.7 |
||
| Spring Boot Container Customizer | 2.6.0_RELEASE |
Included inline above | Included inline above |
| Takipi Agent | 4.66.2 |
Release Notes | |
| Tomcat | 9.0.62 |
Security | ChangeLog |
| Tomcat Access Logging Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| Tomcat Lifecycle Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| Tomcat Logging Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| YourKit Profiler | 2022.3.96 |
Release Notes |
Dependency Notes
None
Java Buildpack v4.48.2
I'm pleased to announce the release of the java-buildpack, version 4.48.2. This release is a dependency update-only release. It primarily bumps Apache Tomcat which includes a mitigation for CVE-2022-22965 a Spring Framework vulnerability.
For a more detailed look at the changes in 4.48.2, please take a look at the commit log. The packaged version of the buildpack, suitable for use with create-buildpack and update-buildpack, can be found attached to this release.
Packaged Dependencies
| Dependency | Version | CVEs | Release Notes |
|---|---|---|---|
| AppDynamics Agent | 22.3.0_33637 |
Release Notes | |
| Azure Application Insights Agent | 2.6.2 |
Release Notes | |
| CA Introscope APM Framework | 22.3.0_26 |
||
| Client Certificate Mapper | 1.11.0_RELEASE |
Included inline above | Included inline above |
| Container Security Provider | 1.19.0_RELEASE |
Included inline above | Included inline above |
| Contrast Security Agent | 3.11.0_25821 |
Release Notes | |
| Datadog APM Javaagent | 0.98.1 |
Release Notes | |
| Elastic APM Agent | 1.30.0 |
Release Notes | |
| Gemalto Luna Security Provider | 7.4.0 |
Release Notes | |
| Gemalto ProtectApp Security Provider | 8.4.0 |
||
| Geode Tomcat Session Store | 1.12.5 |
||
| Google Stackdriver Debugger | 2.29.0 |
Release Notes | |
| Google Stackdriver Profiler | 0.1.0 |
Release Notes | |
| Groovy | 2.5.16 |
Release Notes | |
| JaCoCo Agent | 0.8.7 |
Release Notes | |
| Java Memory Assistant Agent | 0.5.0 |
||
| Java Memory Assistant Clean Up | 0.1.0 |
||
| JProfiler Profiler | 12.0.4 |
ChangeLog | |
| JRebel Agent | 2022.1.2 |
ChangeLog | |
| jvmkill Agent | 1.16.0_RELEASE |
Included inline above | Included inline above |
| MariaDB JDBC Driver | 2.7.2 |
Release Notes | |
| Memory Calculator | 3.13.0_RELEASE |
Included inline above | Included inline above |
| Metric Writer | 3.5.0_RELEASE |
Included inline above | Included inline above |
| New Relic Agent | 7.5.0 |
Release Notes | |
| OpenJDK JRE | 1.8.0_322 |
Risk Matrix | Release Notes |
| OpenJDK JRE 11 | 11.0.14_9 |
Risk Matrix | Release Notes |
| OpenJDK JRE 17 | 17.0.2_9 |
Risk Matrix | Release Notes |
| PostgreSQL JDBC Driver | 42.3.3 |
ChangeLog | |
| Redis Session Store | 1.3.6_RELEASE |
Included inline above | Included inline above |
| Riverbed Appinternals Agent | 11.8.5_BL527 |
||
| SeaLights Agent | 3.1.2079 |
||
| SkyWalking | 8.9.0 |
ChangeLog | |
| Spring Auto-reconfiguration | 2.12.0_RELEASE |
Included inline above | Included inline above |
| Spring Boot CLI | 2.6.6 |
||
| Spring Boot Container Customizer | 2.6.0_RELEASE |
Included inline above | Included inline above |
| Takipi Agent | 4.64.2 |
Release Notes | |
| Tomcat | 9.0.62 |
Security | ChangeLog |
| Tomcat Access Logging Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| Tomcat Lifecycle Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| Tomcat Logging Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| YourKit Profiler | 2022.3.96 |
Release Notes |
Dependency Notes
None
Java Buildpack v4.48.1
I'm pleased to announce the release of the java-buildpack, version 4.48.1. This release is a dependency update-only release. It primarily bumps Apache Tomcat and Geode Tomcat session store, the latter of which fixes a critical NullPointerException bug.
For a more detailed look at the changes in 4.48.1, please take a look at the commit log. The packaged version of the buildpack, suitable for use with create-buildpack and update-buildpack, can be found attached to this release.
Packaged Dependencies
| Dependency | Version | CVEs | Release Notes |
|---|---|---|---|
| AppDynamics Agent | 22.2.0_33545 |
Release Notes | |
| Azure Application Insights Agent | 2.6.2 |
Release Notes | |
| CA Introscope APM Framework | 21.11.0_20 |
||
| Client Certificate Mapper | 1.11.0_RELEASE |
Included inline above | Included inline above |
| Container Security Provider | 1.19.0_RELEASE |
Included inline above | Included inline above |
| Contrast Security Agent | 3.9.1_25108 |
Release Notes | |
| Datadog APM Javaagent | 0.96.0 |
Release Notes | |
| Elastic APM Agent | 1.29.0 |
Release Notes | |
| Gemalto Luna Security Provider | 7.4.0 |
Release Notes | |
| Gemalto ProtectApp Security Provider | 8.4.0 |
||
| Geode Tomcat Session Store | 1.12.5 |
||
| Google Stackdriver Debugger | 2.29.0 |
Release Notes | |
| Google Stackdriver Profiler | 0.1.0 |
Release Notes | |
| Groovy | 2.5.16 |
Release Notes | |
| JaCoCo Agent | 0.8.7 |
Release Notes | |
| Java Memory Assistant Agent | 0.5.0 |
||
| Java Memory Assistant Clean Up | 0.1.0 |
||
| JProfiler Profiler | 12.0.4 |
ChangeLog | |
| JRebel Agent | 2022.1.2 |
ChangeLog | |
| jvmkill Agent | 1.16.0_RELEASE |
Included inline above | Included inline above |
| MariaDB JDBC Driver | 2.7.2 |
Release Notes | |
| Memory Calculator | 3.13.0_RELEASE |
Included inline above | Included inline above |
| Metric Writer | 3.5.0_RELEASE |
Included inline above | Included inline above |
| New Relic Agent | 7.5.0 |
Release Notes | |
| OpenJDK JRE | 1.8.0_322 |
Risk Matrix | Release Notes |
| OpenJDK JRE 11 | 11.0.14_9 |
Risk Matrix | Release Notes |
| OpenJDK JRE 17 | 17.0.2_9 |
Risk Matrix | Release Notes |
| PostgreSQL JDBC Driver | 42.3.3 |
ChangeLog | |
| Redis Session Store | 1.3.6_RELEASE |
Included inline above | Included inline above |
| Riverbed Appinternals Agent | 11.8.5_BL527 |
||
| SeaLights Agent | 3.1.2070 |
||
| SkyWalking | 8.9.0 |
ChangeLog | |
| Spring Auto-reconfiguration | 2.12.0_RELEASE |
Included inline above | Included inline above |
| Spring Boot CLI | 2.6.4 |
||
| Spring Boot Container Customizer | 2.6.0_RELEASE |
Included inline above | Included inline above |
| Takipi Agent | 4.64.2 |
Release Notes | |
| Tomcat | 9.0.59 |
Security | ChangeLog |
| Tomcat Access Logging Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| Tomcat Lifecycle Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| Tomcat Logging Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| YourKit Profiler | 2021.11.227 |
Release Notes |
Dependency Notes
None
Java Buildpack v4.48
I'm pleased to announce the release of the java-buildpack, version 4.48. This release focuses on dependency updates, primarily the latest Java/OpenJDK quarterly updates.
Other notable changes:
- We have bumped the Apache SkyWalking version to 8.8.0. This is the latest supported version at the time of publishing. Please be aware of this change if you are using the Apache SkyWalking agent as this is a major version increase.
- #926 resolves a classpath problem when using the Luna Security Provider on Java 9+.
- This release pulls in new versions of App Dynamic and New Relic that include patches for CVE-2021-44832.
For a more detailed look at the changes in 4.48, please take a look at the commit log. The packaged version of the buildpack, suitable for use with create-buildpack and update-buildpack, can be found attached to this release.
Packaged Dependencies
| Dependency | Version | CVEs | Release Notes |
|---|---|---|---|
| AppDynamics Agent | 21.11.4_33358 |
Release Notes | |
| Azure Application Insights Agent | 2.6.2 |
Release Notes | |
| CA Introscope APM Framework | 21.11.0_20 |
||
| Client Certificate Mapper | 1.11.0_RELEASE |
Included inline above | Included inline above |
| Container Security Provider | 1.19.0_RELEASE |
Included inline above | Included inline above |
| Contrast Security Agent | 3.9.0_24156 |
Release Notes | |
| Datadog APM Javaagent | 0.93.0 |
Release Notes | |
| Elastic APM Agent | 1.28.4 |
Release Notes | |
| Gemalto Luna Security Provider | 7.4.0 |
Release Notes | |
| Gemalto ProtectApp Security Provider | 8.4.0 |
||
| Geode Tomcat Session Store | 1.12.4 |
||
| Google Stackdriver Debugger | 2.29.0 |
Release Notes | |
| Google Stackdriver Profiler | 0.1.0 |
Release Notes | |
| Groovy | 2.5.15 |
Release Notes | |
| JaCoCo Agent | 0.8.7 |
Release Notes | |
| Java Memory Assistant Agent | 0.5.0 |
||
| Java Memory Assistant Clean Up | 0.1.0 |
||
| JProfiler Profiler | 12.0.4 |
ChangeLog | |
| JRebel Agent | 2022.1.0 |
ChangeLog | |
| jvmkill Agent | 1.16.0_RELEASE |
Included inline above | Included inline above |
| MariaDB JDBC Driver | 2.7.2 |
Release Notes | |
| Memory Calculator | 3.13.0_RELEASE |
Included inline above | Included inline above |
| Metric Writer | 3.5.0_RELEASE |
Included inline above | Included inline above |
| New Relic Agent | 7.5.0 |
Release Notes | |
| OpenJDK JRE | 1.8.0_322 |
Risk Matrix | Release Notes |
| OpenJDK JRE 11 | 11.0.14_9 |
Risk Matrix | Release Notes |
| OpenJDK JRE 17 | 17.0.2_9 |
Risk Matrix | Release Notes |
| PostgreSQL JDBC Driver | 42.3.1 |
ChangeLog | |
| Redis Session Store | 1.3.6_RELEASE |
Included inline above | Included inline above |
| Riverbed Appinternals Agent | 11.8.5_BL527 |
||
| SeaLights Agent | 3.1.2056 |
||
| SkyWalking | 8.8.0 |
ChangeLog | |
| Spring Auto-reconfiguration | 2.12.0_RELEASE |
Included inline above | Included inline above |
| Spring Boot CLI | 2.6.3 |
||
| Spring Boot Container Customizer | 2.6.0_RELEASE |
Included inline above | Included inline above |
| Takipi Agent | 4.64.2 |
Release Notes | |
| Tomcat | 9.0.58 |
Security | ChangeLog |
| Tomcat Access Logging Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| Tomcat Lifecycle Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| Tomcat Logging Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| YourKit Profiler | 2021.11.225 |
Release Notes |
Dependency Notes
- This version brings in new versions of the JVM released by the OpenJDK project. These are quarterly updates that bring in bug and security fixes. We recommend that everyone read the linked release notes for the versions of the JVM you are consuming in preparation for upgrading buildpacks.
Java Buildpack v4.47
I'm pleased to announce the release of the java-buildpack, version 4.47. This release focuses on dependency updates, primarily that fix the latest Apache Log4j2 vulnerability, CVE-2021-45105, in dependencies used by the Java buildpack.
In particular, the following dependencies have been updated to include Log4j 2.17.0 and have been patched in this release:
- AppDynamics Java Agent (21.11.3)
- New Relic Java Agent (7.4.3)
If you are using an online version of the Java buildpack you do not strictly need this update, as the online buildpack will always pick the latest version of dependencies.
For a more detailed look at the changes in 4.47, please take a look at the commit log. The packaged version of the buildpack, suitable for use with create-buildpack and update-buildpack, can be found attached to this release.
Packaged Dependencies
| Dependency | Version | CVEs | Release Notes |
|---|---|---|---|
| AppDynamics Agent | 21.11.3_33314 |
Release Notes | |
| Azure Application Insights Agent | 2.6.2 |
Release Notes | |
| CA Introscope APM Framework | 21.11.0_20 |
||
| Client Certificate Mapper | 1.11.0_RELEASE |
Included inline above | Included inline above |
| Container Security Provider | 1.19.0_RELEASE |
Included inline above | Included inline above |
| Contrast Security Agent | 3.9.0_23825 |
Release Notes | |
| Datadog APM Javaagent | 0.92.0 |
Release Notes | |
| Elastic APM Agent | 1.28.2 |
Release Notes | |
| Gemalto Luna Security Provider | 7.4.0 |
Release Notes | |
| Gemalto ProtectApp Security Provider | 8.4.0 |
||
| Geode Tomcat Session Store | 1.12.4 |
||
| Google Stackdriver Debugger | 2.29.0 |
Release Notes | |
| Google Stackdriver Profiler | 0.1.0 |
Release Notes | |
| Groovy | 2.5.15 |
Release Notes | |
| JaCoCo Agent | 0.8.7 |
Release Notes | |
| Java Memory Assistant Agent | 0.5.0 |
||
| Java Memory Assistant Clean Up | 0.1.0 |
||
| JProfiler Profiler | 12.0.4 |
ChangeLog | |
| JRebel Agent | 2021.4.2 |
ChangeLog | |
| jvmkill Agent | 1.16.0_RELEASE |
Included inline above | Included inline above |
| MariaDB JDBC Driver | 2.7.2 |
Release Notes | |
| Memory Calculator | 3.13.0_RELEASE |
Included inline above | Included inline above |
| Metric Writer | 3.5.0_RELEASE |
Included inline above | Included inline above |
| New Relic Agent | 7.4.3 |
Release Notes | |
| OpenJDK JRE | 1.8.0_312 |
Risk Matrix | Release Notes |
| OpenJDK JRE 11 | 11.0.13_8 |
Risk Matrix | Release Notes |
| OpenJDK JRE 17 | 17.0.1_12 |
Risk Matrix | Release Notes |
| PostgreSQL JDBC Driver | 42.3.1 |
ChangeLog | |
| Redis Session Store | 1.3.6_RELEASE |
Included inline above | Included inline above |
| Riverbed Appinternals Agent | 11.8.5_BL527 |
||
| SeaLights Agent | 3.1.2056 |
||
| SkyWalking | 6.6.0 |
ChangeLog | |
| Spring Auto-reconfiguration | 2.12.0_RELEASE |
Included inline above | Included inline above |
| Spring Boot CLI | 2.6.1 |
||
| Spring Boot Container Customizer | 2.6.0_RELEASE |
Included inline above | Included inline above |
| Takipi Agent | 4.64.2 |
Release Notes | |
| Tomcat | 9.0.56 |
Security | ChangeLog |
| Tomcat Access Logging Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| Tomcat Lifecycle Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| Tomcat Logging Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| YourKit Profiler | 2021.11.221 |
Release Notes |
Dependency Notes
- Elastic APM have announced that their Java agent is not vulnerable to CVE-2021-45105
- The Geode Tomcat Session Store dependency is also not vulnerable due to the specific configuration required.
- Thales (formerly Gemalto) ProtectApp has not released an update with patches for either CVE-2021-44228, CVE-2021-45046 & CVE-2021-45105. We have contacted the vendor to request one and are awaiting a fix. Because this needs to come from a 3rd party vendor we cannot provide a timeline for when this will happen. If you are using ProtectApp and have a support contract with the vendor, we suggest you file a ticket and also request a patch.
Java Buildpack v4.46
I'm pleased to announce the release of the java-buildpack, version 4.46. This release focuses on dependency updates, primarily that fix the latest Apache Log4j2 vulnerability, CVE-2021-45046, in dependencies used by the Java buildpack.
Updated dependencies include:
- Elastic APM Agent 1.28.2
- Contrast Security Agent 3.9.0_23825
In particular, the following dependencies were known to be vulnerable to CVE-2021-45046 & have been patched in this release:
- Geode Tomcat Session Store 1.12.4
If you are using an online version of the Java buildpack you do not strictly need this update, as the online buildpack will always pick the latest version of dependencies.
For a more detailed look at the changes in 4.46, please take a look at the commit log. The packaged version of the buildpack, suitable for use with create-buildpack and update-buildpack, can be found attached to this release.
Packaged Dependencies
| Dependency | Version | CVEs | Release Notes |
|---|---|---|---|
| AppDynamics Agent | 21.11.2_33305 |
Release Notes | |
| Azure Application Insights Agent | 2.6.2 |
Release Notes | |
| CA Introscope APM Framework | 21.11.0_20 |
||
| Client Certificate Mapper | 1.11.0_RELEASE |
Included inline above | Included inline above |
| Container Security Provider | 1.19.0_RELEASE |
Included inline above | Included inline above |
| Contrast Security Agent | 3.9.0_23825 |
Release Notes | |
| Datadog APM Javaagent | 0.92.0 |
Release Notes | |
| Elastic APM Agent | 1.28.2 |
Release Notes | |
| Gemalto Luna Security Provider | 7.4.0 |
Release Notes | |
| Gemalto ProtectApp Security Provider | 8.4.0 |
||
| Geode Tomcat Session Store | 1.12.4 |
||
| Google Stackdriver Debugger | 2.29.0 |
Release Notes | |
| Google Stackdriver Profiler | 0.1.0 |
Release Notes | |
| Groovy | 2.5.15 |
Release Notes | |
| JaCoCo Agent | 0.8.7 |
Release Notes | |
| Java Memory Assistant Agent | 0.5.0 |
||
| Java Memory Assistant Clean Up | 0.1.0 |
||
| JProfiler Profiler | 12.0.4 |
ChangeLog | |
| JRebel Agent | 2021.4.2 |
ChangeLog | |
| jvmkill Agent | 1.16.0_RELEASE |
Included inline above | Included inline above |
| MariaDB JDBC Driver | 2.7.2 |
Release Notes | |
| Memory Calculator | 3.13.0_RELEASE |
Included inline above | Included inline above |
| Metric Writer | 3.5.0_RELEASE |
Included inline above | Included inline above |
| New Relic Agent | 7.4.2 |
Release Notes | |
| OpenJDK JRE | 1.8.0_312 |
Risk Matrix | Release Notes |
| OpenJDK JRE 11 | 11.0.13_8 |
Risk Matrix | Release Notes |
| OpenJDK JRE 17 | 17.0.1_12 |
Risk Matrix | Release Notes |
| PostgreSQL JDBC Driver | 42.3.1 |
ChangeLog | |
| Redis Session Store | 1.3.6_RELEASE |
Included inline above | Included inline above |
| Riverbed Appinternals Agent | 11.8.5_BL527 |
||
| SeaLights Agent | 3.1.2056 |
||
| SkyWalking | 6.6.0 |
ChangeLog | |
| Spring Auto-reconfiguration | 2.12.0_RELEASE |
Included inline above | Included inline above |
| Spring Boot CLI | 2.6.1 |
||
| Spring Boot Container Customizer | 2.6.0_RELEASE |
Included inline above | Included inline above |
| Takipi Agent | 4.64.2 |
Release Notes | |
| Tomcat | 9.0.56 |
Security | ChangeLog |
| Tomcat Access Logging Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| Tomcat Lifecycle Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| Tomcat Logging Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| YourKit Profiler | 2021.11.221 |
Release Notes |
Dependency Notes
- Thales (formerly Gemalto) ProtectApp has not released an update with patches for either CVE-2021-44228 or CVE-2021-45046. We have contacted the vendor to request one and are awaiting a fix. Because this needs to come from a 3rd party vendor we cannot provide a timeline for when this will happen. If you are using ProtectApp and have a support contract with the vendor, we suggest you file a ticket and also request a patch.
Java Buildpack v4.45
I'm pleased to announce the release of the java-buildpack, version 4.45. This release focuses on dependency updates, primarily that fix the latest Apache Log4j2 vulnerability, CVE-2021-45046, in dependencies used by the Java buildpack.
- In particular, the following dependencies were known to be vulnerable to CVE-2021-45046 & have been patched in this release:
- AppDynamics Java Agent
- New Relic Java Agent
If you are using an online version of the Java buildpack you do not strictly need this update, as the online buildpack will always pick the latest version of dependencies.
For a more detailed look at the changes in 4.45, please take a look at the commit log. The packaged version of the buildpack, suitable for use with create-buildpack and update-buildpack, can be found attached to this release.
Packaged Dependencies
| Dependency | Version | CVEs | Release Notes |
|---|---|---|---|
| AppDynamics Agent | 21.11.2_33305 |
Release Notes | |
| Azure Application Insights Agent | 2.6.2 |
Release Notes | |
| CA Introscope APM Framework | 21.11.0_20 |
||
| Client Certificate Mapper | 1.11.0_RELEASE |
Included inline above | Included inline above |
| Container Security Provider | 1.19.0_RELEASE |
Included inline above | Included inline above |
| Contrast Security Agent | 3.9.0_23766 |
Release Notes | |
| Datadog APM Javaagent | 0.91.0 |
Release Notes | |
| Elastic APM Agent | 1.28.1 |
Release Notes | |
| Gemalto Luna Security Provider | 7.4.0 |
Release Notes | |
| Gemalto ProtectApp Security Provider | 8.4.0 |
||
| Geode Tomcat Session Store | 1.13.4 |
||
| Google Stackdriver Debugger | 2.29.0 |
Release Notes | |
| Google Stackdriver Profiler | 0.1.0 |
Release Notes | |
| Groovy | 2.5.15 |
Release Notes | |
| JaCoCo Agent | 0.8.7 |
Release Notes | |
| Java Memory Assistant Agent | 0.5.0 |
||
| Java Memory Assistant Clean Up | 0.1.0 |
||
| JProfiler Profiler | 12.0.4 |
ChangeLog | |
| JRebel Agent | 2021.4.2 |
ChangeLog | |
| jvmkill Agent | 1.16.0_RELEASE |
Included inline above | Included inline above |
| MariaDB JDBC Driver | 2.7.2 |
Release Notes | |
| Memory Calculator | 3.13.0_RELEASE |
Included inline above | Included inline above |
| Metric Writer | 3.5.0_RELEASE |
Included inline above | Included inline above |
| New Relic Agent | 7.4.2 |
Release Notes | |
| OpenJDK JRE | 1.8.0_312 |
Risk Matrix | Release Notes |
| OpenJDK JRE 11 | 11.0.13_8 |
Risk Matrix | Release Notes |
| OpenJDK JRE 17 | 17.0.1_12 |
Risk Matrix | Release Notes |
| PostgreSQL JDBC Driver | 42.3.1 |
ChangeLog | |
| Redis Session Store | 1.3.6_RELEASE |
Included inline above | Included inline above |
| Riverbed Appinternals Agent | 11.8.5_BL527 |
||
| SeaLights Agent | 3.1.2056 |
||
| SkyWalking | 6.6.0 |
ChangeLog | |
| Spring Auto-reconfiguration | 2.12.0_RELEASE |
Included inline above | Included inline above |
| Spring Boot CLI | 2.6.1 |
||
| Spring Boot Container Customizer | 2.6.0_RELEASE |
Included inline above | Included inline above |
| Takipi Agent | 4.64.2 |
Release Notes | |
| Tomcat | 9.0.56 |
Security | ChangeLog |
| Tomcat Access Logging Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| Tomcat Lifecycle Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| Tomcat Logging Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| YourKit Profiler | 2021.11.221 |
Release Notes |
Dependency Notes
- Elastic APM Agent release was updated to version 1.28.1 in the previous Java Buildpack release 4.44. This version contains a fix which covers both CVE-2021-44228 & CVE-2021-45046
- Thales ProtectApp has not released an update with patches for either CVE-2021-44228 or CVE-2021-45046. We have contacted the vendor to request one and are awaiting a fix. Because this needs to come from a 3rd party vendor we cannot provide a timeline for when this will happen. If you are using ProtectApp and have a support contract with the vendor, we suggest you file a ticket and also request a patch.
- A release for the Geode Session store that can be used with Tomcat to resolve CVE-2021-45046 is pending. We are in contact with the development team and are awaiting a release with the fix. As soon as this is available, we'll be cutting a new release of the Java buildpack with that fix.
Java Buildpack v4.44
I'm pleased to announce the release of the java-buildpack, version 4.44. This release focuses on dependency updates, primarily that fix the Apache Log4j2 vulnerability, CVE-2021-44228, in dependencies used by the Java buildpack.
- Fixed case in networkzone query parameter (@arthfl via #915)
- In particular, the following dependencies were known to be vulnerable to CVE-2021-44228 & have been patched in this release:
- AppDynamics Java Agent
- Elastic APM Java Agent
- New Relic Java Agent
- Geode Tomcat Session Store
If you are using an online version of the Java buildpack you do not strictly need this update, as the online buildpack will always pick the latest version of dependencies.
For a more detailed look at the changes in 4.44, please take a look at the commit log. The packaged version of the buildpack, suitable for use with create-buildpack and update-buildpack, can be found attached to this release.
Packaged Dependencies
| Dependency | Version | CVEs | Release Notes |
|---|---|---|---|
| AppDynamics Agent | 21.11.1_33280 |
Release Notes | |
| Azure Application Insights Agent | 2.6.2 |
Release Notes | |
| CA Introscope APM Framework | 21.11.0_20 |
||
| Client Certificate Mapper | 1.11.0_RELEASE |
Included inline above | Included inline above |
| Container Security Provider | 1.19.0_RELEASE |
Included inline above | Included inline above |
| Contrast Security Agent | 3.8.11_23624 |
Release Notes | |
| Datadog APM Javaagent | 0.91.0 |
Release Notes | |
| Elastic APM Agent | 1.28.1 |
Release Notes | |
| Gemalto Luna Security Provider | 7.4.0 |
Release Notes | |
| Gemalto ProtectApp Security Provider | 8.4.0 |
||
| Geode Tomcat Session Store | 1.13.4 |
||
| Google Stackdriver Debugger | 2.29.0 |
Release Notes | |
| Google Stackdriver Profiler | 0.1.0 |
Release Notes | |
| Groovy | 2.5.15 |
Release Notes | |
| JaCoCo Agent | 0.8.7 |
Release Notes | |
| Java Memory Assistant Agent | 0.5.0 |
||
| Java Memory Assistant Clean Up | 0.1.0 |
||
| JProfiler Profiler | 12.0.4 |
ChangeLog | |
| JRebel Agent | 2021.4.2 |
ChangeLog | |
| jvmkill Agent | 1.16.0_RELEASE |
Included inline above | Included inline above |
| MariaDB JDBC Driver | 2.7.2 |
Release Notes | |
| Memory Calculator | 3.13.0_RELEASE |
Included inline above | Included inline above |
| Metric Writer | 3.5.0_RELEASE |
Included inline above | Included inline above |
| New Relic Agent | 7.4.1 |
Release Notes | |
| OpenJDK JRE | 1.8.0_312 |
Risk Matrix | Release Notes |
| OpenJDK JRE 11 | 11.0.13_8 |
Risk Matrix | Release Notes |
| OpenJDK JRE 17 | 17.0.1_12 |
Risk Matrix | Release Notes |
| PostgreSQL JDBC Driver | 42.3.1 |
ChangeLog | |
| Redis Session Store | 1.3.6_RELEASE |
Included inline above | Included inline above |
| Riverbed Appinternals Agent | 11.8.5_BL527 |
||
| SeaLights Agent | 3.1.2056 |
||
| SkyWalking | 6.6.0 |
ChangeLog | |
| Spring Auto-reconfiguration | 2.12.0_RELEASE |
Included inline above | Included inline above |
| Spring Boot CLI | 2.6.1 |
||
| Spring Boot Container Customizer | 2.6.0_RELEASE |
Included inline above | Included inline above |
| Takipi Agent | 4.63.0 |
Release Notes | |
| Tomcat | 9.0.56 |
Security | ChangeLog |
| Tomcat Access Logging Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| Tomcat Lifecycle Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| Tomcat Logging Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| YourKit Profiler | 2021.11.221 |
Release Notes |
Dependency Notes
- The buildpack is shipping Geode Tomcat Session Store
1.13.4, which uses Apache Geode1.13.5and contains a fix for the Apache Log4j2 vulnerability, CVE-2021-44228. - This version of the buildpack should not be used as it only contains partial fixes for the Log4j2 vulnerabilities. This version includes patches for CVE-2021-44228 for affected 3rd party dependencies (the buildpack itself is not impacted at all) but it does not include patches for CVE-2021-45046. You need version 4.45 of the Java buildpack to be completely patched.
