Skip to content

v4.6.0

Latest

Choose a tag to compare

@tonygermano tonygermano released this 09 Jul 16:39

4.6.0

Upgrades: The installer will remove the prior release of OIE except directories that should persist during an upgrade (e.g. appdata, conf, extensions, logs).

New Contributors

Please congratulate and thank our new contributors. We sincerely appreciate their time and effort to improve OIE for everyone!

Docs

Engine

What's new?

Breaking changes

  • Java 17 minimum. Older JVMs are no longer supported. [#cafed0eb]. The software is developed and tested in java 17. Later Java LTS versions should work but are not officially tested.(cafed0eb) #3f65d2f6 #384682fe
  • Xerces and xml-apis dependencies removed. Custom code that imports org.apache.xerces.* directly will need to migrate to javax.xml.parsers.* / org.xml.sax.*. #05ecb1f5 #d97c1f16
  • Username login behavior changed. Logins are now case-insensitive by default. Existing accounts with case-sensitive usernames continue to work via a compatibility path. #dc038da4 #43bcd32b

New features

  • serverName variable available in alert templates, useful for multi-instance deployments. #9a36030b
  • Environment variable substitution in config files for the CLI Resolves issue #205 #da0757e9
  • JavaScript pretty-printer — manually format JS in the editor. #7910253d
  • Toggle Comment action added to the editor's right-click context menu. #98dde206

Improvements

  • HTTP parameter map order is now preserved. Code that depended on the previous non-deterministic ordering may behave differently. #82ec38b3
  • Link to Administrator launcher options added to the landing web-page UI. #9349375e
  • Message search performance: ResultSet metadata is now cached in getMetaDataMapByMessageId to avoid per-row lookups. #1cafc2e4
  • Faster extension load — chatty API calls during startup were eliminated. #59674d01
  • Default Administrator color updated to suit OIE brand identity #eb363621
  • Date/time search behavior is now consistent with the table view. #7fd767d4
  • NCPDP display name updated to specify the standard rather than the standards body. #522f0f36
  • Improved MessageFilter logging and refactored search element styles, with new JUnit tests. #7311e1b4 #bfe3348d
  • Removed the SSL warning panel and the NextGen advertisement from the client. #bffc3494
  • Additional --add-opens module options added to the default vmoptions file. #ec57fb07
  • Client is now AutoCloseable with an idempotent close(). #8e040c7d #05aacfb3
  • Replaced SimpleDateFormat with DateTimeFormatter for thread safety. #fa8957d8
  • Added missing javadoc for User API classes. #d934af20

Bug fixes

  • Fixed migration failure when upgrading to 4.5.2. #db8615f6
  • Fixed 500 error on /api/openapi.yaml. #8f103d64
  • Fixed Events UI Message Filter not displaying status correctly. #7c855937
  • Fixed JXTreeTable.getEditingRow bug. This fix is significant for MacOS errors from the OIE client #be058f69
  • Fixed clipboard error when an image is in the clipboard. This fix helps Linux users when an image was copied to the clipboard #5203b3a3
  • Fixed potential data loss when saving plugin properties. #5ff97155
  • Fixed log4j2 directory property migration, with zip compression added. #cf36b707 #a6ae879f #f7a1b43e

Dependency updates

  • log4j: 2.17.2 → 2.25.3 #0f0d8a40
  • PostgreSQL JDBC driver: 42.6.0 → 42.7.8 #8e1bf746
  • jSch: updated to 2.27.0, then 2.27.7 #141e612c #8ec5ab79
  • commons-lang3: 3.13.0 → 3.20.0 #6eed2703
  • commons-text: 1.10.0 → 1.15.0 #cccc1813
  • apache-jsp jar replaced with the correct version; .classpath files updated. #4b46efa5 #d925e2d0
  • Xerces / xml-apis: removed (see Breaking changes).
  • Broader commons and javax → jakarta dependency upgrades. #346cc458
  • General dependency jar refresh. #57bc9e7c

Build & CI

  • CI build bumped to Java 17. #cafed0eb
  • Unit tests and JaCoCo updated to Java 17. #3f65d2f6
  • Build property added for jar entry modification times. #e6868ea0
  • Timestamps removed from generated javadoc pages. #21b56dee
  • Standardized test output. #0c580f66
  • Added comprehensive clean targets and legacy cleanup. #4a28bfdd
  • Secure test result reporting via GitHub Actions. #04b533b6
  • Build fails if tests fail. #41858d4d
  • Version string centralized instead of duplicated across modules. #49b58846
  • disableTests=true build flag to skip tests when needed. #90fdd188
  • Skip JAR signing permissions step for unsigned builds. #371f0414

Security — CVEs Addressed

This release remediates 24 known CVEs (1 Critical, 10 High, 12 Medium, 1 Low)
through dependency upgrades.

PostgreSQL JDBC driver (42.6.0 → 42.7.8) (8e1bf74)

  • CVE-2024-1597 (Critical) — SQL injection via the non-default
    preferQueryMode=simple query path.

Apache Commons BeanUtils (1.9.4 → 1.11.0) (346cc45)

  • CVE-2025-48734 (High) — Improper access control allowing reflective
    access to the Java ClassLoader via enum properties.

Eclipse Jetty (9.4.53 → 9.4.57) (57bc9e7)

  • CVE-2024-13009 (High) — GzipHandler buffer mismanagement causing
    cross-request data corruption.
  • CVE-2024-22201 (High) — HTTP/2-over-TLS connection-leak denial of service.
  • CVE-2024-8184 (Medium) — ThreadLimitHandler unbounded-map denial of service.
  • CVE-2024-9823 (Medium) — DoSFilter out-of-memory via session tracking.

Netty (4.1.97 → 4.1.119) (57bc9e7)

Apache Commons Email (1.3.1 → 1.6.0) (57bc9e7)

  • CVE-2017-9801 (High) — SMTP/CRLF header injection via the message subject.
  • CVE-2018-1294 (High) — SMTP/CRLF injection via the bounce address.

Apache Commons IO (2.13.0 → 2.21.0) (346cc45)

  • CVE-2024-47554 (High) — Uncontrolled resource consumption in XmlStreamReader.

Apache Commons Configuration2 (2.8.0 → 2.13.0) (346cc45)

  • CVE-2024-29131 (High) — StackOverflowError denial of service.
  • CVE-2024-29133 (Medium) — Companion StackOverflowError denial of service.

Google Guava (28.2-jre → 32.0.1-jre) (57bc9e7)

  • CVE-2023-2976 (High) — Information disclosure via world-readable temp files.
  • CVE-2020-8908 (Low) — Information disclosure via a world-readable temp directory.

Apache Commons Compress (1.24.0 → 1.28.0) (346cc45)

  • CVE-2024-25710 (Medium) — Infinite-loop denial of service (DUMP archives).
  • CVE-2024-26308 (Medium) — Out-of-memory denial of service (Pack200).

Apache Commons Lang3 (3.13.0 → 3.20.0) (6eed270)

  • CVE-2025-48924 (Medium) — Uncontrolled recursion in ClassUtils.getClass.

Apache Commons Net (3.3 → 3.9.0) (57bc9e7)

  • CVE-2021-37533 (Medium) — FTP client trusts host from the PASV response (SSRF).

Apache Log4j 2 (2.17.2 → 2.25.3) (0f0d8a4)

  • CVE-2025-68161 (Medium) — SocketAppender TLS hostname-verification bypass.

ClassGraph (4.8.53 → 4.8.179) (57bc9e7)

  • CVE-2021-47621 (Medium) — XXE in the pom.xml version-detection parser.

Documentation

  • Updated CONTRIBUTING.md with a better git clone reference. #34712507

Full Changelog

Issues and Pull Requests: milestone 4.6.0
All commits: v4.5.2...v4.6.0