Hello everyone,

We just released jmx_exporter 0.17.2 <https://github.com/prometheus/jmx_exporter/releases/tag/parent-0.17.2>.

This is a minor release updating the snakeyaml dependency from 1.31 to 1.32, because version 1.31 is vulnerable to CVE-2022-38752 <https://nvd.nist.gov/vuln/detail/CVE-2022-38752>.

Note that jmx_exporter uses snakeyaml only to parse its config file. That means unless you have untrusted 3rd parties write your jmx_exporter config, the CVE does not apply. However, if you have automated security scanners complaining about the vulnerable snakeyaml version, this update will help.

As always, the jmx_exporter binaries are available on Maven Central:

- jmx_prometheus_javaagent-0.17.2.jar <https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/0.17.2/jmx_prometheus_javaagent-0.17.2.jar> requires Java >= 7.
- jmx_prometheus_javaagent-0.17.2_java6.jar <https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent_java6/0.17.2/jmx_prometheus_javaagent_java6-0.17.2.jar> is compatible with Java 6.
- jmx_prometheus_httpserver-0.17.2.jar <https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_httpserver/0.17.2/jmx_prometheus_httpserver-0.17.2.jar> requires Java >= 7.
- jmx_prometheus_httpserver-0.17.2_java6.jar <https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_httpserver_java6/0.17.2/jmx_prometheus_httpserver_java6-0.17.2.jar> is compatible with Java 6.

Sounds like déjà vu? Yes, we had the same on 10 September when we updated snakeyaml from 1.30 to 1.31 because of CVE-2022-25857 <https://nvd.nist.gov/vuln/detail/CVE-2022-25857>.

Fabian
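The announcement says the fix is simply a newer snakeyaml bundled into the jar. The following added example (not part of the announcement or of the jmx_exporter project) is a small check an operator can run against a downloaded jmx_exporter jar to confirm which snakeyaml version is actually bundled, comparing it numerically against 1.32. It assumes the shaded jar still carries Maven's `META-INF/maven/org.yaml/snakeyaml/pom.properties` entry; if that entry is absent the check reports "unknown" rather than guessing.

```python
import io
import re
import sys
import zipfile

# Assumption: the shaded jmx_exporter jar keeps the pom.properties entry that
# Maven writes for each bundled dependency, including snakeyaml.
POM_PROPS = "META-INF/maven/org.yaml/snakeyaml/pom.properties"


def parse_version(version):
    """Turn '1.32' into (1, 32) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def bundled_snakeyaml_version(jar_bytes):
    """Return the snakeyaml version string recorded in the jar, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPS not in jar.namelist():
            return None
        for line in jar.read(POM_PROPS).decode("utf-8").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def is_fixed(jar_bytes, minimum="1.32"):
    """True only when a snakeyaml version is found and it is >= the fixed version."""
    version = bundled_snakeyaml_version(jar_bytes)
    return version is not None and parse_version(version) >= parse_version(minimum)


def make_fake_jar(snakeyaml_version=None):
    """Constructed stand-in for a shaded jar, used here only for offline demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if snakeyaml_version is not None:
            jar.writestr(POM_PROPS, f"version={snakeyaml_version}\n"
                                    "groupId=org.yaml\nartifactId=snakeyaml\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_snakeyaml.py jmx_prometheus_javaagent-0.17.2.jar ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            data = f.read()
        found = bundled_snakeyaml_version(data)
        verdict = "fixed (>= 1.32)" if is_fixed(data) else "needs attention"
        print(f"{path}: snakeyaml {found or 'unknown'} -> {verdict}")
```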