4.6.0
Upgrades: The installer will remove the prior release of OIE except directories that should persist during an upgrade (e.g. appdata, conf, extensions, logs).
New Contributors
Please congratulate and thank our new contributors. We sincerely appreciate their time and effort to improve OIE for everyone!
Docs
- @edthri OpenIntegrationEngine/docs-website@f0f8788
- @kryskool OpenIntegrationEngine/docs-website@3bb14ce
Engine
- @NicoPiel made their first contribution in #208
- @mhokanson made their first contribution in #178
- @VillePekka made their first contribution in #242
- @kryskool made their first contribution in #259
- @tibisabau made their first contribution in #255
- @dowel015 made their first contribution in #28
What's new?
Breaking changes
- Java 17 minimum. Older JVMs are no longer supported. [#cafed0eb]. The software is developed and tested in java 17. Later Java LTS versions should work but are not officially tested.(cafed0eb) #3f65d2f6 #384682fe
- Xerces and xml-apis dependencies removed. Custom code that imports
org.apache.xerces.*directly will need to migrate tojavax.xml.parsers.*/org.xml.sax.*. #05ecb1f5 #d97c1f16 - Username login behavior changed. Logins are now case-insensitive by default. Existing accounts with case-sensitive usernames continue to work via a compatibility path. #dc038da4 #43bcd32b
New features
serverNamevariable available in alert templates, useful for multi-instance deployments. #9a36030b- Environment variable substitution in config files for the CLI Resolves issue #205 #da0757e9
- JavaScript pretty-printer — manually format JS in the editor. #7910253d
- Toggle Comment action added to the editor's right-click context menu. #98dde206
Improvements
- HTTP parameter map order is now preserved. Code that depended on the previous non-deterministic ordering may behave differently. #82ec38b3
- Link to Administrator launcher options added to the landing web-page UI. #9349375e
- Message search performance: ResultSet metadata is now cached in
getMetaDataMapByMessageIdto avoid per-row lookups. #1cafc2e4 - Faster extension load — chatty API calls during startup were eliminated. #59674d01
- Default Administrator color updated to suit OIE brand identity #eb363621
- Date/time search behavior is now consistent with the table view. #7fd767d4
- NCPDP display name updated to specify the standard rather than the standards body. #522f0f36
- Improved MessageFilter logging and refactored search element styles, with new JUnit tests. #7311e1b4 #bfe3348d
- Removed the SSL warning panel and the NextGen advertisement from the client. #bffc3494
- Additional
--add-opensmodule options added to the defaultvmoptionsfile. #ec57fb07 Clientis nowAutoCloseablewith an idempotentclose(). #8e040c7d #05aacfb3- Replaced
SimpleDateFormatwithDateTimeFormatterfor thread safety. #fa8957d8 - Added missing javadoc for User API classes. #d934af20
Bug fixes
- Fixed migration failure when upgrading to 4.5.2. #db8615f6
- Fixed 500 error on
/api/openapi.yaml. #8f103d64 - Fixed Events UI Message Filter not displaying status correctly. #7c855937
- Fixed
JXTreeTable.getEditingRowbug. This fix is significant for MacOS errors from the OIE client #be058f69 - Fixed clipboard error when an image is in the clipboard. This fix helps Linux users when an image was copied to the clipboard #5203b3a3
- Fixed potential data loss when saving plugin properties. #5ff97155
- Fixed log4j2 directory property migration, with zip compression added. #cf36b707 #a6ae879f #f7a1b43e
Dependency updates
- log4j: 2.17.2 → 2.25.3 #0f0d8a40
- PostgreSQL JDBC driver: 42.6.0 → 42.7.8 #8e1bf746
- jSch: updated to 2.27.0, then 2.27.7 #141e612c #8ec5ab79
- commons-lang3: 3.13.0 → 3.20.0 #6eed2703
- commons-text: 1.10.0 → 1.15.0 #cccc1813
- apache-jsp jar replaced with the correct version;
.classpathfiles updated. #4b46efa5 #d925e2d0 - Xerces / xml-apis: removed (see Breaking changes).
- Broader commons and javax → jakarta dependency upgrades. #346cc458
- General dependency jar refresh. #57bc9e7c
Build & CI
- CI build bumped to Java 17. #cafed0eb
- Unit tests and JaCoCo updated to Java 17. #3f65d2f6
- Build property added for jar entry modification times. #e6868ea0
- Timestamps removed from generated javadoc pages. #21b56dee
- Standardized test output. #0c580f66
- Added comprehensive clean targets and legacy cleanup. #4a28bfdd
- Secure test result reporting via GitHub Actions. #04b533b6
- Build fails if tests fail. #41858d4d
- Version string centralized instead of duplicated across modules. #49b58846
disableTests=truebuild flag to skip tests when needed. #90fdd188- Skip JAR signing permissions step for unsigned builds. #371f0414
Security — CVEs Addressed
This release remediates 24 known CVEs (1 Critical, 10 High, 12 Medium, 1 Low)
through dependency upgrades.
PostgreSQL JDBC driver (42.6.0 → 42.7.8) (8e1bf74)
- CVE-2024-1597 (Critical) — SQL injection via the non-default
preferQueryMode=simplequery path.
Apache Commons BeanUtils (1.9.4 → 1.11.0) (346cc45)
- CVE-2025-48734 (High) — Improper access control allowing reflective
access to the Java ClassLoader via enum properties.
Eclipse Jetty (9.4.53 → 9.4.57) (57bc9e7)
- CVE-2024-13009 (High) — GzipHandler buffer mismanagement causing
cross-request data corruption. - CVE-2024-22201 (High) — HTTP/2-over-TLS connection-leak denial of service.
- CVE-2024-8184 (Medium) — ThreadLimitHandler unbounded-map denial of service.
- CVE-2024-9823 (Medium) — DoSFilter out-of-memory via session tracking.
Netty (4.1.97 → 4.1.119) (57bc9e7)
- CVE-2023-44487 (High) — HTTP/2 "Rapid Reset" denial of service.
- CVE-2025-24970 (High) — SslHandler native crash on a crafted packet.
- CVE-2024-29025 (Medium) — HttpPostRequestDecoder out-of-memory.
- CVE-2024-47535 (Medium) — Unsafe environment-file read out-of-memory.
- CVE-2025-25193 (Medium) — Follow-up fix to the environment-file DoS.
Apache Commons Email (1.3.1 → 1.6.0) (57bc9e7)
- CVE-2017-9801 (High) — SMTP/CRLF header injection via the message subject.
- CVE-2018-1294 (High) — SMTP/CRLF injection via the bounce address.
Apache Commons IO (2.13.0 → 2.21.0) (346cc45)
- CVE-2024-47554 (High) — Uncontrolled resource consumption in XmlStreamReader.
Apache Commons Configuration2 (2.8.0 → 2.13.0) (346cc45)
- CVE-2024-29131 (High) — StackOverflowError denial of service.
- CVE-2024-29133 (Medium) — Companion StackOverflowError denial of service.
Google Guava (28.2-jre → 32.0.1-jre) (57bc9e7)
- CVE-2023-2976 (High) — Information disclosure via world-readable temp files.
- CVE-2020-8908 (Low) — Information disclosure via a world-readable temp directory.
Apache Commons Compress (1.24.0 → 1.28.0) (346cc45)
- CVE-2024-25710 (Medium) — Infinite-loop denial of service (DUMP archives).
- CVE-2024-26308 (Medium) — Out-of-memory denial of service (Pack200).
Apache Commons Lang3 (3.13.0 → 3.20.0) (6eed270)
- CVE-2025-48924 (Medium) — Uncontrolled recursion in ClassUtils.getClass.
Apache Commons Net (3.3 → 3.9.0) (57bc9e7)
- CVE-2021-37533 (Medium) — FTP client trusts host from the PASV response (SSRF).
Apache Log4j 2 (2.17.2 → 2.25.3) (0f0d8a4)
- CVE-2025-68161 (Medium) — SocketAppender TLS hostname-verification bypass.
ClassGraph (4.8.53 → 4.8.179) (57bc9e7)
- CVE-2021-47621 (Medium) — XXE in the pom.xml version-detection parser.
Documentation
- Updated
CONTRIBUTING.mdwith a better git clone reference. #34712507
Full Changelog
Issues and Pull Requests: milestone 4.6.0
All commits: v4.5.2...v4.6.0