Axon Framework - Release 4.5.4

As of today (the first of October), we have released Axon Framework 4.5.4.
We recommend that all users upgrade to this release because of the CVEs reported against XStream. Here are the release notes:

  • First and foremost, we updated the XStream version to 1.4.18. This upgrade was required because several CVEs were reported against XStream version 1.4.17.
    As a consequence of the fix XStream shipped for these CVEs, everybody is now required to specify the security context of an XStream instance.
    This change also affects Axon Framework, since the XStreamSerializer is the default serializer.
    So as of this release, any usage of the default XStreamSerializer will log warnings stating that it is highly recommended to use an XStream instance for which the security context is set through explicit types or wildcards.
    When your application uses Spring Boot, Axon will default to selecting the secured types based on your @ComponentScan annotated beans (for example, the @SpringBootApplication annotation, which includes @ComponentScan).
    For those interested in the details of the solution, check out this pull request.

  • User ‘nils-christian’ noted in issue #1892 that Axon executed Upcaster beans in a Spring environment in the incorrect order.
    This ordering issue was due to a misconception in deducing the @Order annotation on upcaster beans.
    We resolved the problem in pull request #1895.

  • We noticed a TokenStore operation that Axon did not invoke within a transaction.
    In most scenarios, this worked out, but when using Micronaut, for example, this (correctly) caused an exception.
    After spotting the issue, we resolved it in this pull request.

To address the XStream warnings yourself, you need to configure your own XStream instance with an explicit security context.
If you are using Axon’s Configurer, you can register the XStream instance with the XStreamSerializer builder. In a Spring Boot environment, you can provide a bean of type XStream and Axon Framework will pick it up automatically. Providing a secured XStream instance could look like this, for example:

import com.thoughtworks.xstream.XStream;

// In Spring Boot, annotate this method with @Bean inside a @Configuration class;
// with the Configurer, pass the returned instance to XStreamSerializer.builder().xStream(...).
public XStream mySecuredXStream() {
    XStream xStream = new XStream();
    // Only classes under your own package tree may be (de)serialized.
    xStream.allowTypesByWildcard(new String[]{"{your-package-name}.**"});
    return xStream;
}

XStream also provides a couple of other operations to secure it, like allowTypeHierarchy(Class<?>) or allowTypes(Class[]).
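To show how the three allow-list operations combine, and how the same secured instance is handed to Axon both with Spring Boot and with the plain Configurer, here is an added example. It is not code from the original post or from the Axon project; the package name "com.example.myapp", the MyDomainEvent marker interface and the class names are assumptions for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import org.axonframework.config.Configurer;
import org.axonframework.config.DefaultConfigurer;
import org.axonframework.serialization.xml.XStreamSerializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import java.time.Instant;

// Example configuration added for illustration. "com.example.myapp" and
// MyDomainEvent are assumed placeholders, not part of the original post.
@Configuration
public class SecuredXStreamConfiguration {

    // Spring Boot: Axon 4.5.4 picks up a bean of type XStream automatically,
    // so the warnings about an unsecured default XStreamSerializer disappear.
    @Bean
    public XStream securedXStream() {
        XStream xStream = new XStream();
        // 1. Everything under the application's own package tree is allowed.
        xStream.allowTypesByWildcard(new String[]{"com.example.myapp.**"});
        // 2. Individual JDK types that your events/commands contain as fields.
        xStream.allowTypes(new Class[]{Instant.class});
        // 3. Every implementation of a shared marker interface, wherever it lives.
        xStream.allowTypeHierarchy(MyDomainEvent.class);
        return xStream;
    }

    // Without Spring: register the same instance on the XStreamSerializer builder
    // and hand the resulting serializer to Axon's Configurer.
    public static Configurer configurerWithSecuredSerializer(XStream xStream) {
        XStreamSerializer serializer = XStreamSerializer.builder()
                                                        .xStream(xStream)
                                                        .build();
        return DefaultConfigurer.defaultConfiguration()
                                .configureSerializer(config -> serializer);
    }

    // Sanity check worth keeping in a unit test: deserializing a type that is
    // not on the allow list must fail (XStream raises a ForbiddenClassException,
    // a subtype of XStreamException) instead of instantiating the class.
    // java.beans.EventHandler is one of the types XStream denies by default.
    public static boolean rejectsUnlistedType(XStream xStream) {
        try {
            xStream.fromXML("<java.beans.EventHandler/>");
            return false; // reached only if the type was wrongly accepted
        } catch (XStreamException expected) {
            return true;
        }
    }

    // Marker interface assumed for the example; real applications would
    // use whatever common supertype their events share.
    public interface MyDomainEvent {}
}
```

Keep the wildcard as narrow as your own packages allow; a pattern such as "**" would re-open exactly the deserialization surface the 1.4.18 upgrade closes.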

For an exhaustive list of all the changes, check out the 4.5.4 release notes.
