As of today (first of October), we have released Axon Framework 4.5.4.
For all users out there, it is recommended to upgrade to this release because of CVEs spotted in XStream. By the way, here are the release notes:

- First and foremost, we updated the XStream version to 1.4.18. This upgrade was a requirement since several CVEs were reported for XStream version 1.4.17. As a consequence of the solution XStream imposed through these CVEs, everybody is required to specify the security context of an `XStream` instance. This change also has an impact on Axon Framework, since the `XStreamSerializer` is the default serializer. So as of this release, any usage of the default `XStreamSerializer` comes with warnings stating that it is highly recommended to use an `XStream` instance for which the security context is set through types or wildcards. When your application uses Spring Boot, Axon defaults to selecting the secured types based on your `@ComponentScan`-annotated beans (e.g., the `@SpringBootApplication` annotation). For those interested in the details of the solution, check out this pull request.
- User ‘nils-christian’ noted in issue #1892 that Axon executed Upcaster beans in a Spring environment in the incorrect order. This ordering issue was due to a misconception in deducing the `@Order` annotation on upcaster beans. We resolved the problem in pull request #1895.
- We noticed a `TokenStore` operation that Axon did not invoke within a transaction. In most scenarios this worked out, but when using Micronaut, for example, this (correctly) caused an exception. After spotting the issue, we resolved it in this pull request.
To tackle the `XStream` problem yourself, you thus need to configure your own `XStream` instance. If you are using Axon’s `Configurer`, you can simply register the `XStream` instance with the `XStreamSerializer` builder. In a Spring Boot environment, you can provide a bean of type `XStream`; Axon Framework will pick it up automatically. Providing a secured `XStream` instance could look like this, for example:

```java
public XStream mySecuredXStream() {
    XStream xStream = new XStream();
    // Only types matching this wildcard are allowed to be deserialized
    xStream.allowTypesByWildcard(new String[]{"{your-package-name}.**"});
    return xStream;
}
```

`XStream` also provides a couple of other operations to secure it, like `allowTypeHierarchy(Class<?>)` or `allowTypes(Class[])`.
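The following is an added example (not code from the Axon release notes) that puts the two wiring options together: a secured `XStream` handed to the `XStreamSerializer` builder on Axon’s `Configurer`, plus a check that the allowlist actually refuses an unlisted type. The package name `com.example.app` and the `OrderCreatedEvent` class are assumptions; substitute your own.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import org.axonframework.config.Configurer;
import org.axonframework.config.DefaultConfigurer;
import org.axonframework.serialization.xml.XStreamSerializer;

public class SecuredXStreamConfig {

    // Hypothetical event type standing in for your own events/commands.
    public static class OrderCreatedEvent {
        public String orderId;
    }

    // Build an XStream whose allowlist covers only our own types.
    public static XStream securedXStream() {
        XStream xStream = new XStream();
        // Explicit classes plus a package wildcard (assumed package name);
        // anything outside the allowlist is rejected on deserialization.
        xStream.allowTypes(new Class[]{OrderCreatedEvent.class});
        xStream.allowTypesByWildcard(new String[]{"com.example.app.**"});
        return xStream;
    }

    // Non-Spring wiring: register the secured instance via the serializer builder.
    public static Configurer configurer() {
        XStreamSerializer serializer = XStreamSerializer.builder()
                .xStream(securedXStream())
                .build();
        return DefaultConfigurer.defaultConfiguration()
                .configureSerializer(config -> serializer);
    }

    // Sanity check: an allowlisted type round-trips, an unlisted one is refused.
    public static boolean allowlistIsEnforced() {
        XStream xStream = securedXStream();
        OrderCreatedEvent event = new OrderCreatedEvent();
        event.orderId = "42";
        OrderCreatedEvent back = (OrderCreatedEvent) xStream.fromXML(xStream.toXML(event));
        // Constructed payload naming a JDK class that is not on the allowlist
        String unlisted = "<java.util.Random/>";
        try {
            xStream.fromXML(unlisted);
            return false; // allowlist not active: this must not happen
        } catch (ForbiddenClassException expected) {
            return "42".equals(back.orderId);
        }
    }
}
```

Calling `allowlistIsEnforced()` from a test is a cheap way to catch a misconfigured or overly broad wildcard before it reaches production.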
For an exhaustive list of all the changes, check out the 4.5.4 release notes.