Releases: prometheus/jmx_exporter
0.17.2 / 2022-09-22
Minor release updating the snakeyaml dependency from 1.31 to 1.32, because version 1.31 is vulnerable to CVE-2022-38752.
Note that jmx_exporter uses snakeyaml only to parse its config file. That means that unless you have untrusted 3rd parties writing your jmx_exporter config, the CVE does not apply. However, if you have automated security scanners complaining about the vulnerable snakeyaml version, this update will help.
As always, the jmx_exporter binaries are available on Maven central:
- jmx_prometheus_javaagent-0.17.2.jar requires Java >= 7.
- jmx_prometheus_javaagent-0.17.2_java6.jar is compatible with Java 6.
- jmx_prometheus_httpserver-0.17.2.jar requires Java >= 7.
- jmx_prometheus_httpserver-0.17.2_java6.jar is compatible with Java 6.
Sounds like a deja vu? Yes, we had the same on 10 September when we updated snakeyaml from 1.30 to 1.31 because of CVE-2022-25857.
0.17.1 / 2022-09-10
Minor release updating the snakeyaml dependency from 1.30 to 1.31, because version 1.30 is vulnerable to CVE-2022-25857.
Note that jmx_exporter uses snakeyaml only to parse its config file. That means that unless you have untrusted 3rd parties writing your jmx_exporter config, the CVE does not apply. However, if you have automated security scanners complaining about the vulnerable snakeyaml version, this update will help.
As always, the jmx_exporter binaries are available on Maven central:
- jmx_prometheus_javaagent-0.17.1.jar requires Java >= 7.
- jmx_prometheus_javaagent-0.17.1_java6.jar is compatible with Java 6.
- jmx_prometheus_httpserver-0.17.1.jar requires Java >= 7.
- jmx_prometheus_httpserver-0.17.1_java6.jar is compatible with Java 6.
0.17.0 / 2022-05-23
With the last release we started releasing two versions of the Java agent:
- jmx_prometheus_javaagent-0.17.0.jar requires Java >= 7.
- jmx_prometheus_javaagent-0.17.0_java6.jar is compatible with Java 6.
Both versions are built from the same code and differ only in the versions of the bundled dependencies.
With this release, we take a similar approach for the standalone HTTP server:
- jmx_prometheus_httpserver-0.17.0.jar requires Java >= 7.
- jmx_prometheus_httpserver-0.17.0_java6.jar is compatible with Java 6.
Again, both versions are built from the same code and differ only in the versions of the bundled dependencies.
Note that the standalone HTTP server release was previously named jmx_prometheus_httpserver-<version>-jar-with-dependencies.jar. With this release, we renamed it to jmx_prometheus_httpserver-<version>.jar.
Other changes:
- [BUGFIX] change the command line argument parser to allow `-` characters in the hostname (#643, thanks @guignome for reporting).
- [BUGFIX] Reduce cardinality of default help strings (#704, thanks @SuperQ).
- [ENHANCEMENT] Prevent remote JMX monitoring when started as a Java agent #675.
- [ENHANCEMENT] Add SSL support for the debugging SslScraper (#699, thanks @michaelsembwever)
- [ENHANCEMENT] Fall back to loading attributes 1-by-1 if bulk loading fails (#695, thanks @faenschi).
- [ENHANCEMENT] update dependency versions.
0.16.1 / 2021-07-14
Release 0.16.1 ships in two versions:
- jmx_prometheus_javaagent-0.16.1.jar requires Java >= 7.
- jmx_prometheus_javaagent-0.16.1_java6.jar is compatible with Java 6.
Both versions are built from the same source files and have identical functionality. The only difference is the version of the included snakeyaml dependency. See the 0.16.0 release notes for more details.
Change:
[BUGFIX] Remove misleading metadata from the Java 7+ binary that makes the Trivy security scanner wrongly report CVE-2017-18640 (the metadata references snakeyaml 1.23 even though that version is not included in the binary). See #618.
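An added example (not jmx_exporter code): a Python check that lists the snakeyaml versions a jar declares in its embedded Maven pom.properties metadata and marks the versions these release notes name as affected. It assumes a scanner reads that metadata; the sample jar and its second, stale metadata path are constructed and are not the layout of the real 0.16.0 binary.

```python
import io
import zipfile
from collections import defaultdict

# Versions these release notes name as affected, with the CVE cited for each.
FLAGGED = {"1.23": "CVE-2017-18640", "1.30": "CVE-2022-25857", "1.31": "CVE-2022-38752"}


def parse_properties(text):
    """Parse the key=value lines of a Maven pom.properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def declared_versions(jar, artifact_id="snakeyaml"):
    """Map each declared version of artifact_id to the metadata paths declaring it."""
    found = defaultdict(list)
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.endswith("/pom.properties"):
                props = parse_properties(zf.read(name).decode("utf-8", "replace"))
                if props.get("artifactId") == artifact_id and "version" in props:
                    found[props["version"]].append(name)
    return dict(found)


def audit(jar):
    """Summarise what a metadata-based scanner would see for snakeyaml."""
    versions = declared_versions(jar)
    return {
        "versions": sorted(versions),
        "conflict": len(versions) > 1,  # more than one version declared
        "flagged": {v: FLAGGED[v] for v in sorted(versions) if v in FLAGGED},
    }


def build_sample_jar(entries):
    """Build a constructed in-memory jar; entries maps path -> declared version."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, version in entries.items():
            zf.writestr(path, f"groupId=org.yaml\nartifactId=snakeyaml\nversion={version}\n")
    buf.seek(0)
    return buf
```

`audit()` also accepts a filesystem path to a downloaded jar; a result with `conflict` set means the jar carries more than one version declaration for snakeyaml, the kind of mismatch that can make a scanner report a version that is not actually bundled.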
0.16.0 / 2021-07-04
Update SnakeYAML Dependency Version (#592)
Starting with version 0.16.0, the Java agent is released in two versions:
- jmx_prometheus_javaagent-0.16.0.jar requires Java >= 7.
- jmx_prometheus_javaagent-0.16.0_java6.jar is compatible with Java 6.
Both versions are built from the same source files and have identical functionality. The only difference is the version of the included snakeyaml dependency.
jmx_exporter uses the snakeyaml library to read the YAML configuration file. Snakeyaml 1.23 is the last release to support Java 6. This version is affected by CVE-2017-18640, which can cause snakeyaml to execute arbitrary code if the YAML file comes from an untrusted source.
This vulnerability does not apply in the context of jmx_exporter, because the agent configuration will not come from an untrusted source. However, even if there is no actual security risk, users find it annoying that their automated security scans report a CVE. In order to prevent this we published a version with an updated snakeyaml dependency that requires Java >= 7.
Other Changes
- [BUGFIX] Leverages the interpolated help when the matching rule is cached (fixes #612) (#613)
- [ENHANCEMENT] Automated integration tests of different Java versions using Testcontainers. Docker needs to be installed on a system in order to run ./mvnw verify.
- [ENHANCEMENT] Bump logback-classic version (#617)
- [ENHANCEMENT] Update to client_java 0.11.0
- [ENHANCEMENT] added support for java.util.Optional (the SonarQube maintainers had this weird idea of an Optional<Long> property in an MBean)
0.15.0 / 2021-01-25
[CHANGE/ENHANCEMENT] Update to client_java 0.10.0 to add OpenMetrics support. Any COUNTER type samples will have _total added as a suffix if it isn't already present. If you do not want this, use the default type of UNKNOWN. (#321)
[ENHANCEMENT] Added a safety check to deal with incorrect implementations of javax.management.Attribute (#542)
0.14.0 / 2020-09-04
[FEATURE] Allow caching regular expression matching in rules (#518)
0.13.0 / 2020-05-12
[FEATURE] Added support for jmx attributes of type java.util.Date (#449)
[ENHANCEMENT] Include error message with exception when the agent fails to start. (#399)
[ENHANCEMENT] Allow specifying IPv6 address to bind to (#450)
[ENHANCEMENT] Bump client_java to 0.9.0, including adding /-/healthy (#495)
[BUGFIX] Handle NullPointerException for getAttributes (#444)