Java Buildpack v4.45
·
189 commits
to main
since this release
v4.45
pivotal-david-osullivan
David O'Sullivan
This tag was signed with the committer’s verified signature.
pivotal-david-osullivan
David O'Sullivan
f1b695a
This commit was signed with the committer’s verified signature.
pivotal-david-osullivan
David O'Sullivan
I'm pleased to announce the release of the java-buildpack, version 4.45. This release focuses on dependency updates, primarily that fix the latest Apache Log4j2 vulnerability, CVE-2021-45046, in dependencies used by the Java buildpack.
- In particular, the following dependencies were known to be vulnerable to CVE-2021-45046 & have been patched in this release:
- AppDynamics Java Agent
- New Relic Java Agent
If you are using an online version of the Java buildpack you do not strictly need this update, as the online buildpack will always pick the latest version of dependencies.
For a more detailed look at the changes in 4.45, please take a look at the commit log. The packaged version of the buildpack, suitable for use with create-buildpack and update-buildpack, can be found attached to this release.
Packaged Dependencies
| Dependency | Version | CVEs | Release Notes |
|---|---|---|---|
| AppDynamics Agent | 21.11.2_33305 |
Release Notes | |
| Azure Application Insights Agent | 2.6.2 |
Release Notes | |
| CA Introscope APM Framework | 21.11.0_20 |
||
| Client Certificate Mapper | 1.11.0_RELEASE |
Included inline above | Included inline above |
| Container Security Provider | 1.19.0_RELEASE |
Included inline above | Included inline above |
| Contrast Security Agent | 3.9.0_23766 |
Release Notes | |
| Datadog APM Javaagent | 0.91.0 |
Release Notes | |
| Elastic APM Agent | 1.28.1 |
Release Notes | |
| Gemalto Luna Security Provider | 7.4.0 |
Release Notes | |
| Gemalto ProtectApp Security Provider | 8.4.0 |
||
| Geode Tomcat Session Store | 1.13.4 |
||
| Google Stackdriver Debugger | 2.29.0 |
Release Notes | |
| Google Stackdriver Profiler | 0.1.0 |
Release Notes | |
| Groovy | 2.5.15 |
Release Notes | |
| JaCoCo Agent | 0.8.7 |
Release Notes | |
| Java Memory Assistant Agent | 0.5.0 |
||
| Java Memory Assistant Clean Up | 0.1.0 |
||
| JProfiler Profiler | 12.0.4 |
ChangeLog | |
| JRebel Agent | 2021.4.2 |
ChangeLog | |
| jvmkill Agent | 1.16.0_RELEASE |
Included inline above | Included inline above |
| MariaDB JDBC Driver | 2.7.2 |
Release Notes | |
| Memory Calculator | 3.13.0_RELEASE |
Included inline above | Included inline above |
| Metric Writer | 3.5.0_RELEASE |
Included inline above | Included inline above |
| New Relic Agent | 7.4.2 |
Release Notes | |
| OpenJDK JRE | 1.8.0_312 |
Risk Matrix | Release Notes |
| OpenJDK JRE 11 | 11.0.13_8 |
Risk Matrix | Release Notes |
| OpenJDK JRE 17 | 17.0.1_12 |
Risk Matrix | Release Notes |
| PostgreSQL JDBC Driver | 42.3.1 |
ChangeLog | |
| Redis Session Store | 1.3.6_RELEASE |
Included inline above | Included inline above |
| Riverbed Appinternals Agent | 11.8.5_BL527 |
||
| SeaLights Agent | 3.1.2056 |
||
| SkyWalking | 6.6.0 |
ChangeLog | |
| Spring Auto-reconfiguration | 2.12.0_RELEASE |
Included inline above | Included inline above |
| Spring Boot CLI | 2.6.1 |
||
| Spring Boot Container Customizer | 2.6.0_RELEASE |
Included inline above | Included inline above |
| Takipi Agent | 4.64.2 |
Release Notes | |
| Tomcat | 9.0.56 |
Security | ChangeLog |
| Tomcat Access Logging Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| Tomcat Lifecycle Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| Tomcat Logging Support | 3.3.0_RELEASE |
Included inline above | Included inline above |
| YourKit Profiler | 2021.11.221 |
Release Notes |
Dependency Notes
- Elastic APM Agent release was updated to version 1.28.1 in the previous Java Buildpack release 4.44. This version contains a fix which covers both CVE-2021-44228 & CVE-2021-45046
- Thales ProtectApp has not released an update with patches for either CVE-2021-44228 or CVE-2021-45046. We have contacted the vendor to request one and are awaiting a fix. Because this needs to come from a 3rd party vendor we cannot provide a timeline for when this will happen. If you are using ProtectApp and have a support contract with the vendor, we suggest you file a ticket and also request a patch.
- A release for the Geode Session store that can be used with Tomcat to resolve CVE-2021-45046 is pending. We are in contact with the development team and are awaiting a release with the fix. As soon as this is available, we'll be cutting a new release of the Java buildpack with that fix.