jmx_exporter

This release has functional issues and should not be used.

This release includes performance enhancements and new MBean attribute filtering.

As always, the jmx_exporter binaries are available on Maven Central:

• jmx_prometheus_javaagent-0.20.0.jar
• jmx_prometheus_httpserver-0.20.0.jar

[FEATURE] Added HTTPServer threads configuration (https://github.com/prometheus/jmx_exporter/pull/837)
[FEATURE] Refactored outdated terms (https://github.com/prometheus/jmx_exporter/pull/852)
[FEATURE] Added code to skip RuntimeMXBean attributes SystemProperties, ClassPath, BootClassPath, and LibraryPath (https://github.com/prometheus/jmx_exporter/pull/859)
[FEATURE] Added MBean attribute exclusion filtering (https://github.com/prometheus/jmx_exporter/pull/870)
[FEATURE] Enabled auto object name attribute filtering by default (https://github.com/prometheus/jmx_exporter/pull/871)

This release adds the long awaited support for HTTPS and Basic auth! See README.md for details.

BREAKING: We dropped Java 6 support. jmx_exporter now requires Java 8 or higher.

As always, the jmx_exporter binaries are available on Maven central:

• jmx_prometheus_javaagent-0.19.0.jar
• jmx_prometheus_httpserver-0.19.0.jar

[BREAKING] Removed support for Java 6. New baseline is Java 8
[ENHANCEMENT] HTTP Basic authentication (https://github.com/prometheus/jmx_exporter/pull/801)
[ENHANCEMENT] HTTPS support (https://github.com/prometheus/jmx_exporter/pull/812)
[ENHANCEMENT] Add support for JMX TabularData that uses a CompositeData key (https://github.com/prometheus/jmx_exporter/pull/814) Thanks @adamretter!!!
[ENHANCEMENT] MetricsAssertion support for multiple labels (https://github.com/prometheus/jmx_exporter/pull/815)

This release updates the snakeyaml dependency from 1.32 to 2.0, because version 1.32 is vulnerable to CVE-2022-1471.

Note that jmx_exporter uses snakeyaml only to parse its config file. That means unless you have untrusted 3rd parties write your jmx_exporter config the CVE does not apply. However, if you have automated security scanners complaining about the vulnerable snakeyaml version this update will help.

As always, the jmx_exporter binaries are available on Maven central:

• jmx_prometheus_javaagent-0.18.0.jar requires Java >= 7.
• jmx_prometheus_javaagent-0.18.0_java6.jar is compatible with Java 6.
• jmx_prometheus_httpserver-0.18.0.jar requires Java >= 7.
• jmx_prometheus_httpserver-0.18.0_java6.jar is compatible with Java 6.

Fixes and enhancements included in this release:

[BUGFIX] Fix jmx_exporter_build_info metric #768. Thanks @dhoard.
[BUGFIX] Fix the Debian package build #752, #650. Thanks @ozon2 and @Skunnyk.
[ENHANCEMENT] Improve performance of duplicate sample lookup #719. Thanks @amuraru.
[BUGFIX] Bump Snakeyaml dependency version to 2.0 to fix CVE-2022-1471 #777, #767. Thanks @dhoard and @ppatierno.

Minor release updating the snakeyaml dependency from 1.31 to 1.32, because version 1.31 is vulnerable to CVE-2022-38752.

Note that jmx_exporter uses snakeyaml only to parse its config file. That means unless you have untrusted 3rd parties write your jmx_exporter config the CVE does not apply. However, if you have automated security scanners complaining about the vulnerable snakeyaml version this update will help.

As always, the jmx_exporter binaries are available on Maven central:

• jmx_prometheus_javaagent-0.17.2.jar requires Java >= 7.
• jmx_prometheus_javaagent-0.17.2_java6.jar is compatible with Java 6.
• jmx_prometheus_httpserver-0.17.2.jar requires Java >= 7.
• jmx_prometheus_httpserver-0.17.2_java6.jar is compatible with Java 6.

Sounds like a deja vu? Yes, we had the same on 10 September when we updated snakeyaml from 1.30 to 1.31 because of CVE-2022-25857.

Minor release updating the snakeyaml dependency from 1.30 to 1.31, because version 1.30 is vulnerable to CVE-2022-25857.

Note that jmx_exporter uses snakeyaml only to parse its config file. That means unless you have untrusted 3rd parties write your jmx_exporter config the CVE does not apply. However, if you have automated security scanners complaining about the vulnerable snakeyaml version this update will help.

As always, the jmx_exporter binaries are available on Maven central:

• jmx_prometheus_javaagent-0.17.1.jar requires Java >= 7.
• jmx_prometheus_javaagent-0.17.1_java6.jar is compatible with Java 6.
• jmx_prometheus_httpserver-0.17.1.jar requires Java >= 7.
• jmx_prometheus_httpserver-0.17.1_java6.jar is compatible with Java 6.

With the last release we started releasing two versions of the Java agent:

• jmx_prometheus_javaagent-0.17.0.jar requires Java >= 7.
• jmx_prometheus_javaagent-0.17.0_java6.jar is compatible with Java 6.

Both versions are built from the same code and differ only in the versions of the bundled dependencies.

With this release, we take a similar approach for the standalone HTTP server:

• jmx_prometheus_httpserver-0.17.0.jar requires Java >= 7.
• jmx_prometheus_httpserver-0.17.0_java6.jar is compatible with Java 6.

Again, both versions are built from the same code and differ only in the versions of the bundled dependencies.

Note that the standalone HTTP server release was previously named jmx_prometheus_httpserver-<version>-jar-with-dependencies.jar. With this release, we renamed it to jmx_prometheus_httpserver-<version>.jar.

Other changes:

• [BUGFIX] change the command line argument parser to allow - characters in the hostname (#643, thanks @guignome for reporting).
• [BUGFIX] Reduce cardinality of default help strings (#704, thanks @SuperQ).
• [ENHANCEMENT] Prevent remote JMX monitoring when started as a Java agent #675.
• [ENHANCEMENT] Add SSL support for the debugging SslScraper (#699, thanks @michaelsembwever)
• [ENHANCEMENT] Fall back to loading attributes 1-by-1 if bulk loading fails (#695, thanks @faenschi).
• [ENHANCEMENT] update dependency versions.

Release 0.16.1 ships in two versions:

• jmx_prometheus_javaagent-0.16.1.jar requires Java >= 7.
• jmx_prometheus_javaagent-0.16.1_java6.jar is compatible with Java 6.

Both versions are built from the same source files and have identical functionality. The only difference is the version of the included snakeyaml dependency. See the 0.16.0 release notes for more details.

Change:

[BUGFIX] Remove misleading meta data from the Java 7+ binary that makes the Trivy security scanner wrongly report CVE-2017-18640 (the metadata references snakeyaml 1.23 even though that version is not included in the binary). See #618.

Update SnakeYAML Dependency Version (#592)

Starting with version 0.16.0, the Java agent is released in two versions:

• jmx_prometheus_javaagent-0.16.0.jar requires Java >= 7.
• jmx_prometheus_javaagent-0.16.0_java6.jar is compatible with Java 6.

Both versions are built from the same source files and have identical functionality. The only difference is the version of the included snakeyaml dependency.

jmx_exporter uses the snakeyaml library to read the YAML configuration file. Snakeyaml 1.23 is the last release to support Java 6. This version is affected by CVE-2017-18640, which can cause snakeyaml to execute arbitrary code if the YAML file comes from an untrusted source.

This vulnerability does not apply in the context of jmx_exporter, because the agent configuration will not come from an untrusted source. However, even if there is no actual security risk, users find it annoying that their automated security scans report a CVE. In order to prevent this we published a version with an updated snakeyaml dependency that requires Java >= 7.

Other Changes

• [BUGFIX] Leverages the interpolated help when the matching rule is cached (fixes #612) (#613)
• [ENHANCEMENT] Automated integration tests of different Java versions using Testcontainers. Docker needs to be installed on a system in order to run ./mvnw verify.
• [ENHANCEMENT] Bump logback-classic version (#617)
• [ENHANCEMENT] Update to client_java 0.11.0
• [ENHANCEMENT] added support for java.util.Optional (the SonarQube maintainers had this weird idea of an Optional<Long> property in an MBean)

[CHANGE/ENHANCEMENT] Update to client_java 0.10.0 to add OpenMetrics support. Any COUNTER type samples will have _total added as a suffix if it isn't already present. If you do not want this, use the default type of UNKNOWN. (#321)
[ENHANCEMENT] Added a safety check to deal with incorrect implementations of javax.management.Attribute (#542)

[FEATURE] Allow caching regular expression matching in rules (#518)

[FEATURE] Added support for jmx attributes of type java.util.Date (#449)
[ENHANCEMENT] Include error message with exception when the agent fails to start. (#399)
[ENHANCEMENT] Allow specifying IPv6 address to bind to (#450)
[ENHANCEMENT] Bump client_java to 0.9.0, including adding /-/healthy (#495)
[BUGFIX] Handle NullPointerException for getAttributes (#444)

[ENHANCEMENT] Update version for simpleclient_httpserver to 0.6.0 (#380)
[BUGFIX] Fix handling of Windows paths in -javaagent config arguments (#371)
[BUGFIX] Stricter safename (#382)

[ENHANCEMENT] Add jmx_exporter_build_info metric (#279)
[ENHANCEMENT] Make the agent attachable to a running VM (#280)
[BUGFIX/ENHANCEMENT] Update client java to 0.6.0 (#350)
[BUGFIX] safeName: handle numeric label case (#335)
[BUGFIX] Handle nested tabular data. (#348)

[BUGFIX] Avoid a stack overflow with long property lists
[BUGFIX] Fix null pointer exception when racing with an item being removed from a CompositeData

[ENHANCEMENT] Various performance improvements
[ENHANCEMENT] Upgraded to simpleclient 0.3.0

[FEATURE] Support the agent binding to specific IPv6 addresses

[BUGFIX] Prevent hanging on JVM exit for java agent
[BUGFIX] Correct anchoring on regex

[ENCHANCEMENT] Switch to HttpServer from jetty, resolving issues on machines with many cores
[ENCHANCEMENT] Update to client_java 0.0.26
[FEATURE] Add optional startup delay, for buggy mBeans that break if called during initilisation
[FEATURE] Added optional logs for call times, useful for finding slow mBeans
[BUGFIX] Allow auth to work on test scraper
[BUGFIX] UNTYPED as default type, and actually use user configured type

[ENCHANCEMENT] Update all poms to client_java 0.0.21
[BUGFIX] Limit number of jetty acceptors in the agent, to prevent issues on machines with large numbers of cpus