Release Notes for Red Hat build of Apache Camel for Spring Boot
What's new in Red Hat build of Apache Camel
Abstract
Chapter 1. Red Hat build of Apache Camel for Spring Boot 4.4 release notes
1.1. Features in Red Hat build of Apache Camel for Spring Boot
Red Hat build of Apache Camel for Spring Boot introduces Camel support for Spring Boot which provides auto-configuration of Camel, and starters for many Camel components. The opinionated auto-configuration of the Camel context auto-detects Camel routes available in the Spring context and registers key Camel utilities (like producer template, consumer template and the type converter) as beans.
1.2. Supported platforms, configurations, databases, and extensions for Red Hat build of Apache Camel for Spring Boot
- For information about supported platforms, configurations, and databases in Red Hat build of Apache Camel for Spring Boot, see the Supported Configuration page on the Customer Portal (login required).
- For a list of Red Hat build of Apache Camel for Spring Boot extensions, see the Red Hat build of Apache Camel for Spring Boot Reference (login required).
1.3. The javax to jakarta Package Namespace Change
With the move of Java EE to the Eclipse Foundation and the establishment of Jakarta EE, the packages used for all EE APIs have changed to jakarta.* since Jakarta EE 9.
Code snippets in the documentation have been updated to use the jakarta.* namespace, but you still need to review and update your own applications.
This change does not affect javax packages that are part of Java SE.
When migrating applications to EE 10, you need to:
- Update any import statements or other source code uses of EE API classes from the javax package to jakarta.
- Change any EE-specified system properties or other configuration properties whose names begin with javax. to begin with jakarta.
- Use the META-INF/services/jakarta.[rest_of_name] name format to identify implementation classes in your applications that implement EE interfaces or abstract classes bootstrapped with the java.util.ServiceLoader mechanism.
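The three migration steps above, carried out by a small script that is an added example and not part of these release notes or of Red Hat's migration toolkit. It rewrites javax.* imports, configuration keys and META-INF/services file names, and honours the caveat that javax.* packages belonging to Java SE (for example javax.crypto, javax.annotation.processing, javax.transaction.xa) must stay untouched; the list of EE package prefixes is an assumption drawn from the Jakarta EE 9 specifications, and the Java source fed to it is constructed.

```python
import re

# Jakarta EE API packages that moved to jakarta.* in EE 9 (list assumed here, not from the release notes).
EE_PREFIXES = (
    "javax.servlet", "javax.persistence", "javax.ws.rs", "javax.jms",
    "javax.xml.bind", "javax.inject", "javax.validation", "javax.mail",
    "javax.activation", "javax.enterprise", "javax.ejb", "javax.websocket",
    "javax.json", "javax.faces", "javax.el", "javax.interceptor",
    "javax.annotation", "javax.transaction",
)
# Java SE sub-packages that stay javax.* although their parent package moved.
SE_EXCEPTIONS = ("javax.annotation.processing", "javax.transaction.xa")
_IMPORT_RE = re.compile(r"^(\s*import\s+(?:static\s+)?)(javax\.[\w.]+)(\s*;.*)$")

def _under(name, prefixes):
    return any(name == p or name.startswith(p + ".") for p in prefixes)

def is_ee_package(name):
    """True when a javax.* name belongs to a Jakarta EE API and therefore moves."""
    return _under(name, EE_PREFIXES) and not _under(name, SE_EXCEPTIONS)

def to_jakarta(name):
    return "jakarta." + name[len("javax."):]

def migrate_source(java_source):
    """Rewrite EE imports to jakarta.*; returns (new source, [(old, new), ...])."""
    changed, lines = [], java_source.split("\n")
    for i, line in enumerate(lines):
        m = _IMPORT_RE.match(line)
        if m and is_ee_package(m.group(2)):
            changed.append((m.group(2), to_jakarta(m.group(2))))
            lines[i] = m.group(1) + to_jakarta(m.group(2)) + m.group(3)
    return "\n".join(lines), changed

def migrate_property_key(key):
    """Rename an EE-specified configuration key, e.g. javax.persistence.jdbc.url."""
    return to_jakarta(key) if is_ee_package(key) else key

def migrate_service_file(path):
    """Rename a META-INF/services/javax.X provider file when X is an EE interface."""
    prefix = "META-INF/services/"
    if path.startswith(prefix) and is_ee_package(path[len(prefix):]):
        return prefix + to_jakarta(path[len(prefix):])
    return path

# Constructed sample: EE imports mixed with Java SE javax.* imports that must stay as they are.
SAMPLE = """import javax.servlet.http.HttpServlet;
import javax.crypto.Cipher;
import javax.annotation.PostConstruct;
import javax.annotation.processing.Processor;
import javax.transaction.xa.XAResource;
import static javax.ws.rs.core.Response.Status.OK;"""

if __name__ == "__main__":
    print(migrate_source(SAMPLE)[0])
```

Bytecode-only dependencies are out of reach for a source rewrite like this; that is the case for the Eclipse Transformer mentioned below.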
1.3.1. Migration tools
- Source code migration: How to use Red Hat Migration Toolkit for Auto-Migration of an Application to the Jakarta EE 10 Namespace
- Bytecode transforms: For cases where source code migration is not an option, the open source Eclipse Transformer
Additional resources
- Background: Update on Jakarta EE Rights to Java Trademarks
- Red Hat Customer Portal: Red Hat JBoss EAP Application Migration from Jakarta EE 8 to EE 10
- Jakarta EE: Javax to Jakarta Namespace Ecosystem Progress
1.4. Important notes for Red Hat build of Apache Camel for Spring Boot
1.4.1. Support for IBM Power and IBM Z
Red Hat build of Camel Spring Boot is now supported on IBM Power and IBM Z.
1.4.2. Support for EIP circuit breaker
The Circuit Breaker EIP for Camel Spring Boot supports Resilience4j configuration. This configuration provides integration with Resilience4j to be used as Circuit Breaker in Camel routes.
1.4.3. Support for Stateful transactions
The Red Hat build of Camel Example Spring Boot provides a Camel Spring Boot JTA quickstart. This quickstart demonstrates how to run a Camel Service on Spring Boot that supports JTA transactions on two external transactional resources: a database (MySQL) and a message broker (Artemis). These external resources are provided by OpenShift which must be started before running this quickstart.
1.5. Fixed issues for Red Hat build of Apache Camel for Spring Boot
The following sections list the issues that have been resolved in Red Hat build of Apache Camel for Spring Boot.
- Section 1.5.1, “Red Hat build of Apache Camel for Spring Boot version 4.4.4 fixed issues”
- Section 1.5.2, “Red Hat build of Apache Camel for Spring Boot version 4.4.3 fixed issues”
- Section 1.5.3, “Red Hat build of Apache Camel for Spring Boot version 4.4.2 fixed issues”
- Section 1.5.4, “Red Hat build of Apache Camel for Spring Boot version 4.4.1 fixed issues”
- Section 1.5.5, “Red Hat build of Apache Camel for Spring Boot version 4.4.0 Enhancements”
- Section 1.5.6, “Red Hat build of Apache Camel for Spring Boot version 4.4.0 fixed issues”
1.5.1. Red Hat build of Apache Camel for Spring Boot version 4.4.4 fixed issues
The following sections list the issues that have been resolved in Red Hat build of Apache Camel for Spring Boot version 4.4.4.
Issue | Description |
---|---|
CVE-2024-51132 ca.uhn.hapi.fhir/org.hl7.fhir.dstu2: arbitrary code execution via specially-crafted request | |
CVE-2024-51132 ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may: arbitrary code execution via specially-crafted request | |
CVE-2024-51132 ca.uhn.hapi.fhir/org.hl7.fhir.dstu3: arbitrary code execution via specially-crafted request | |
CVE-2024-51132 ca.uhn.hapi.fhir/org.hl7.fhir.r4: arbitrary code execution via specially-crafted request | |
CVE-2024-51132 ca.uhn.hapi.fhir/org.hl7.fhir.r5: arbitrary code execution via specially-crafted request | |
CVE-2024-51132 ca.uhn.hapi.fhir/org.hl7.fhir.utilities: arbitrary code execution via specially-crafted request | |
CVE-2024-52007 ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may: XXE vulnerability in XSLT parsing in | |
CVE-2024-52007 ca.uhn.hapi.fhir/org.hl7.fhir.dstu3: XXE vulnerability in XSLT parsing in | |
CVE-2024-52007 ca.uhn.hapi.fhir/org.hl7.fhir.r4: XXE vulnerability in XSLT parsing in | |
CVE-2024-52007 ca.uhn.hapi.fhir/org.hl7.fhir.r5: XXE vulnerability in XSLT parsing in | |
CVE-2024-52007 ca.uhn.hapi.fhir/org.hl7.fhir.utilities: XXE vulnerability in XSLT parsing in | |
Upgrade to Spring Boot 3.2.11 | |
1.5.2. Red Hat build of Apache Camel for Spring Boot version 4.4.3 fixed issues
The following sections list the issues that have been resolved in Red Hat build of Apache Camel for Spring Boot version 4.4.3.
Issue | Description |
---|---|
Define Agroal version in CSB platform BOM | |
[CAMEL-20790]kafka batching consumer polls randomly failing with NPE under load | |
CVE-2023-52428 com.nimbusds/nimbus-jose-jwt: large JWE p2c header value causes Denial of Service | |
CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may: XXE vulnerability in XSLT transforms in | |
CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.dstu3: XXE vulnerability in XSLT transforms in | |
CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.r4: XXE vulnerability in XSLT transforms in | |
CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.r5: XXE vulnerability in XSLT transforms in | |
CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.utilities: XXE vulnerability in XSLT transforms in | |
CVE-2024-38816 org.springframework/spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource | |
Camel route coverage is not working after upgrading Camel from 4.0 to 4.4 | |
CVE-2024-7254 protobuf: StackOverflow vulnerability in Protocol Buffers | |
camel-cics: the protocol option has been hardcoded in the CICSConfiguration class | |
CVE-2024-38809 org.springframework/spring-web: Spring Framework DoS via conditional HTTP request | |
Excessive locking in camel jaxb under load | |
CVE-2021-44549 org.eclipse.angus/angus-mail: Enabling Secure Server Identity Checks for Safer SMTPS Communication | |
CVE-2024-47561 org.apache.avro/avro: Schema parsing may trigger Remote Code Execution (RCE) | |
Address CXF Async Calls with OpenTelemetry | |
1.5.3. Red Hat build of Apache Camel for Spring Boot version 4.4.2 fixed issues
The following sections list the issues that have been resolved in Red Hat build of Apache Camel for Spring Boot version 4.4.2.
Issue | Description |
---|---|
CVE-2024-41172 org.apache.cxf/cxf-rt-transports-http: unrestricted memory consumption in CXF HTTP clients | |
OOM using RecipientList | |
CVE-2024-7885 undertow: Improper State Management in Proxy Protocol parsing causes information leakage | |
CVE-2024-38808 org.springframework/spring-expression: From NVD collector | |
Upgrade CSB 4.4.x to Spring Boot 3.2.9 | |
artemis-quorum-api was removed in artemis 2.33+ in favor of artemis-lockmanager | |
azure-servicebus: FQNS not set correctly when credentialType is AZURE_IDENTITY | |
camel-xslt - All exchange properties should be available | |
REST OpenApi fails to resolve host from the URL | |
Camel-Hashicorp-Vault: Get Secret operation doesn't take into account the secretPath configuration parameter | |
1.5.4. Red Hat build of Apache Camel for Spring Boot version 4.4.1 fixed issues
The following sections list the issues that have been resolved in Red Hat build of Apache Camel for Spring Boot version 4.4.1.
Issue | Description |
---|---|
[CSB Examples] - javax dependency requested for camel-jira example | |
Camel AWS Kinesis: support checkpoint | |
CVE-2022-41678 activemq: Apache ActiveMQ: Deserialization vulnerability on Jolokia that allows authenticated users to perform RCE | |
The camel-spring-boot-bom still references upstream Artemis client libraries and cause error if mixed use them | |
CVE-2023-51079 mvel: TimeOut error when calling ParseTools.subCompileExpression() function | |
CVE-2024-1023 vert.x: io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx | |
CVE-2024-1300 vertx-core: io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support | |
CVE-2024-22201 jetty: stop accepting new connections from valid clients | |
CVE-2024-1597 pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE | |
CVE-2024-1597 pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE | |
CVE-2024-22257 spring-security: Broken Access Control With Direct Use of AuthenticatedVoter | |
CVE-2024-29025 netty-codec-http: Allocation of Resources Without Limits or Throttling | |
CVE-2024-23081 threetenbp: null pointer exception | |
Saxon library used by camel-saxon wrongly transform xml node | |
Include jackson-bom in the list of artifacts that we are overriding in platform bom | |
CVE-2024-30171 org.bouncycastle-bcprov-jdk18on: bc-java: BouncyCastle vulnerable to a timing variant of Bleichenbacher (Marvin Attack) | |
Bug on Camel documentation on "Setting up SSL for HTTP Client" | |
camel-jbang - generated pom.xml with "--camel-spring-boot-version" option includes garbage characters | |
XPath conversions failing in CSB 4.4 | |
[camel-cics] reset message body when CICS transaction failed | |
failed route should be visible in spring-boot actuator/camelroutes | |
Generated pom.xml file by camel-jbang export command is not suitable for Red Hat products | |
camel export command with "camel-spring-boot-version" option does not work | |
Unexpected change of behavior on method Message.getBody(Class) | |
CVE-2024-5971 undertow: response write hangs in case of Java 17 TLSv1.3 NewSessionTicket | |
request-reply over JMS example should use replyToConcurrentConsumers instead of concurrentConsumers | |
CVE-2024-30172 org.bouncycastle:bcprov-jdk18on: Infinite loop in ED25519 verification in the ScalarUtil class | |
CVE-2024-29857 org.bouncycastle:bcprov-jdk18on: org.bouncycastle: Importing an EC certificate with crafted F2m parameters may lead to Denial of Service | |
CVE-2024-6162 undertow: url-encoded request path information can be broken on ajp-listener | |
Missing Jackson Jakarta RS XML provider from Maven repository | |
CAMEL-20921 - Route configuration is not loaded on a Camel application XML file | |
Upgrade to bouncy castle 1.78 breaks camel-crypto | |
Unsupported components show 4.4.0-SNAPSHOT version | |
1.5.5. Red Hat build of Apache Camel for Spring Boot version 4.4.0 Enhancements
The following table lists the enhancements delivered in Red Hat build of Apache Camel for Spring Boot version 4.4.0.
Issue | Description |
---|---|
Support Hawtio console for Camel for Spring Boot | |
camel-olingo4 support | |
Adding a Kafka Batch Consumer | |
[RFE] Support component camel-smb | |
Enhancing XML IO DSL to support beans like in YAML DSL | |
Camel for Spring Boot support for IBM Z/P | |
Provide support to configure algorithm for camel-ssh component | |
Add support for camel-flink | |
Add Azure SAS support for azure blob storage | |
Create and support a new Camel CICS component | |
Support component camel-splunk | |
Offline Maven Builder Script | |
Support component camel-jasypt | |
Support component camel-kudu | |
Support cxf-integration-tracing-opentelemetry | |
Support component camel-groovy | |
BeanIO support | |
camel-cics - support connectivity via channels | |
1.5.6. Red Hat build of Apache Camel for Spring Boot version 4.4.0 fixed issues
Issue | Description |
---|---|
CVE-2023-35116 jackson-databind: denial of service via cyclic dependencies | |
CVE-2023-2976 guava: insecure temporary directory creation | |
AWS SQS component, OCP probes cause POD error | |
[Micrometer Observability] Unable to see trace id and span id in MDC | |
Please provide examples that show Camel AMQP/JMS used with a connection pool | |
CVE-2023-5632 mosquitto: Possible Denial of Service due to excessive CPU consumption | |
[camel-mail] java.lang.ClassNotFoundException: org.eclipse.angus.mail.imap.IMAPStore | |
Dependency convergence error for org.ow2.asm:asm when using CXF and JSON Path | |
Dependency convergence error for org.bouncycastle:bcprov-jdk18on:jar:1.72 | |
Add support for findAndModify Operation | |
CVE-2023-51074 json-path: stack-based buffer overflow in Criteria.parse method | |
Support cxf-integration-tracing-opentelemetry | |
CVE-2024-21733 tomcat: Leaking of unrelated request bodies in default error page | |
camel-bean - Allow to configure bean introspection cache on component | |
Dependency convergence errors when using cxf-rt-rs-service-description-openapi-v3:4.0.2.fuse-redhat-00046 and camel-openapi-java-starter:4.0.0.redhat-00039 | |
CVE-2023-45860 Hazelcast: Permission checking in CSV File Source connector | |
AMQP publisher application is losing messages with local JMS transaction enabled | |
CVE-2024-26308 commons-compress: OutOfMemoryError unpacking broken Pack200 file | |
commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file [rhint-camel-spring-boot-4] | |
restConfiguration section is ignored when using XML DSL IO | |
Issue while marshalling/unmarshalling XML to JSON | |
CVE-2023-5685 xnio: StackOverflowException when the chain of notifier states becomes problematically big | |
onException handler does not set content in the body response when used with servlet/platform-http | |
[Camel-sap] Unable to connect to SAP server through CSB configuration properties | |
camel-file - Can ant filter be optimized when using min/max depth with orphan marker file check | |
NPE occurs If user uses OpenTelemetryTracingStrategy and opentelemetry.exclude-patterns to exclude "direct*" | |
OpenTelemetryTracingStrategy separates a trace into 2 branches with opentelemetry.exclude-patterns "process*" or "bean*" | |
Request to offer connection pooling in camel-cics | |
Put a max default configurable limit on the Jose P2C parameter & Only explicitly return the stylesheet in WadlGenerator and not other URLs | |
Type Conversion Error from byte[] to Long in Camel 4 from Kafka Topic for JMS* headers | |
camel-salesforce - startup error | |
CVE-2024-22262 springframework: URL Parsing with Host Validation | |
1.6. Known issues for Red Hat build of Apache Camel for Spring Boot
The following sections list known issues for Red Hat build of Apache Camel for Spring Boot.
1.6.1. Red Hat build of Apache Camel for Spring Boot version 4.4 known issues
- CSB-4318 Fail to deploy on OCP using OpenShift Maven Plugin if spring.boot.actuator.autoconfigure is not in the dependencies
  The JKube Maven plugin (in SpringBootHealthCheckEnricher) uses the following condition to decide whether the application exposes a health endpoint: both of these classes are on the classpath:
  - org.springframework.boot.actuate.health.HealthIndicator
  - org.springframework.web.context.support.GenericWebApplicationContext
  However, /actuator/health will not be exposed unless the actuator is configured. This creates a mismatch between the readiness/liveness probes configured by JKube (both use the above endpoint) and what the application actually exposes.
  This misconfiguration produces a failing deployment config on OpenShift Container Platform: the generated pod never reaches Ready status because the probes call an endpoint that is not configured. So, for an application deployed to OpenShift Container Platform with JKube (openshift-maven-plugin) to work, both the web and actuator autoconfiguration must be among its dependencies.
The following example shows how to add the web and actuator autoconfiguration dependencies.
Example

```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
```
Update the archetype as shown below. Applications built from the following archetype will be deployed correctly using JKube.

```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
    <exclusions>
        <exclusion>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-tomcat</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-undertow</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
```
This issue affects custom applications that are missing one of the above dependencies.
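A pre-deployment check for this known issue, added here as an example and not taken from the release notes, JKube or Spring Boot: it reads the direct dependencies of a pom.xml, applies the class-presence condition described above, and reports when JKube would generate health probes for an application that will not actually expose /actuator/health. The mapping from artifacts to the two classes is an assumption (spring-web for GenericWebApplicationContext, spring-boot-actuator for HealthIndicator, spring-boot-actuator-autoconfigure for the endpoint itself), transitive dependencies are not resolved, and the pom.xml is constructed.

```python
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Assumed artifact-to-class mapping (not stated in the release notes):
#   GenericWebApplicationContext ships in spring-web, pulled in by spring-boot-starter-web;
#   HealthIndicator ships in spring-boot-actuator, which the actuator starter also brings;
#   only spring-boot-actuator-autoconfigure (via spring-boot-starter-actuator) registers /actuator/health.
PROVIDES_WEB_CONTEXT = {"spring-boot-starter-web", "spring-web"}
PROVIDES_HEALTH_INDICATOR = {"spring-boot-starter-actuator", "spring-boot-actuator"}
PROVIDES_HEALTH_ENDPOINT = {"spring-boot-starter-actuator", "spring-boot-actuator-autoconfigure"}

def direct_artifact_ids(pom_xml):
    """artifactIds under <project><dependencies>; dependencyManagement is deliberately ignored."""
    deps = ET.fromstring(pom_xml).find("m:dependencies", POM_NS)
    if deps is None:
        return set()
    return {d.findtext("m:artifactId", namespaces=POM_NS) for d in deps.findall("m:dependency", POM_NS)}

def jkube_probe_check(pom_xml):
    """Compare JKube's class-presence condition with whether /actuator/health will really exist."""
    ids = direct_artifact_ids(pom_xml)
    probes_added = bool(ids & PROVIDES_WEB_CONTEXT) and bool(ids & PROVIDES_HEALTH_INDICATOR)
    endpoint_exposed = bool(ids & PROVIDES_HEALTH_ENDPOINT)
    if probes_added and not endpoint_exposed:
        verdict = "probes-without-endpoint"  # the CSB-4318 situation: the pod never becomes Ready
    elif probes_added:
        verdict = "ok"
    else:
        verdict = "no-probes"
    return {"probes_added": probes_added, "endpoint_exposed": endpoint_exposed, "verdict": verdict}

# Constructed sample: web starter plus only the core actuator jar, no actuator autoconfiguration.
BROKEN_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-actuator</artifactId>
    </dependency>
  </dependencies>
</project>"""
# The same pom with the starter the release notes prescribe.
FIXED_POM = BROKEN_POM.replace("spring-boot-actuator<", "spring-boot-starter-actuator<")

if __name__ == "__main__":
    print(jkube_probe_check(BROKEN_POM)["verdict"], jkube_probe_check(FIXED_POM)["verdict"])
```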