CUCM Connector Release Notes - Security Remediation Update

Security release: This update remediates multiple dependency, container, and build-environment vulnerabilities in the CUCM Connector. Total CVEs resolved: 18.

This release focuses on hardening the CUCM Connector by upgrading vulnerable libraries, modernizing the runtime and build stack to Java 11, and removing or patching insecure container components.

Release Summary

  • Files changed: .gitlab-ci.yml, docker/Dockerfile, pom.xml, plus internal code changes to satisfy Sonar code quality checks

  • Primary outcome: Security vulnerabilities fixed across application dependencies, Docker image contents, and CI/CD build images

Highlights

Dependency Security
Upgraded key Maven dependencies to remediate known CVEs and advisories.

Container Hardening
Updated the base image, patched OS packages, and removed a vulnerable static binary.

Platform Modernization
Standardized application, Docker, and pipeline builds on Java 11.

Security Fixes

Application Dependency Upgrades

The following libraries were updated in pom.xml to address known security issues and reduce exposure from outdated components.

Dependency       | From     | To       | Issue(s) Resolved
-----------------|----------|----------|------------------
activemq-all     | 5.16.7   | 5.19.6   | CVE-2025-27533, CVE-2026-34197, CVE-2026-39304, CVE-2026-40466, CVE-2026-41044, CVE-2026-33227, CVE-2026-41043, CVE-2025-66168
log4j-core       | 2.17.2   | 2.25.4   | CVE-2025-68161, CVE-2026-34477, CVE-2026-34480
commons-lang3    | 3.5      | 3.18.0   | CVE-2025-48924
jackson-databind | 2.15.4   | 2.18.6   | GHSA-72hv-8253-57qq
org.json:json    | 20220320 | 20231013 | CVE-2022-45688, CVE-2023-5072
okhttp           | 3.5.0    | Removed  | CVE-2021-0341; dependency was unused and has been eliminated from the build

Why this matters: Most of the resolved findings originated from outdated transitive or direct dependencies. Updating them closes known attack paths while keeping the connector aligned with currently supported library versions.

Docker Image Hardening

The container image was updated in docker/Dockerfile to reduce operating system and bundled binary risk.

Change                                                                   | Security Impact                                                                                            | Result
-------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------|-------
Base image upgraded from eclipse-temurin:8-jdk to eclipse-temurin:11-jdk | Moves the runtime to a newer, better-supported JDK baseline                                                | Reduces exposure from older Java 8-based container images
apt-get upgrade added during image build                                 | Patches vulnerable Ubuntu base packages, including low-level system libraries such as gnutls and glibc     | Addresses multiple base OS CVEs
Removed /usr/bin/pebble static binary                                    | Eliminates a vulnerable binary from the image                                                              | Fixes CVE-2026-33811, CVE-2026-33814, CVE-2026-39820, CVE-2026-39836, CVE-2026-42499

Container result: The runtime image now has a cleaner security posture, a newer Java base, and fewer packaged attack surfaces.

Infrastructure and Build Changes

Java 11 Upgrade

As part of this remediation effort, the connector build and runtime were upgraded from Java 8 to Java 11 across all relevant layers.

  • pom.xml: Compiler source/target changed from 1.8 to 11

  • docker/Dockerfile: Runtime base image updated from Java 8 JDK to Java 11 JDK

  • .gitlab-ci.yml: All 7 pipeline stages now use maven:3.9.4-eclipse-temurin-11 instead of maven:3.9.4-eclipse-temurin-8

The following pipeline stages were updated: validate, compile, test, format, artifacts, build, and tag.

Compatibility note: Because both the build and runtime now target Java 11, deployments and downstream integrations must use a Java 11-compatible environment.
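The check below is an added example, not part of the connector's own build files. It verifies the two things the dependency table and the Java 11 upgrade promise: that a pom.xml declares at least the remediated versions (and no longer declares okhttp), and that the compiler level is 11. Both pom fragments are constructed (groupIds omitted), and the maven.compiler.source/target property form is an assumption about how the connector sets its compiler level.

```shell
#!/bin/sh
# Added example, not the connector's own build files. Checks a pom.xml for the
# remediated dependency versions, the absence of okhttp, and a Java 11 compiler
# level. Both pom fragments are constructed (groupIds omitted); the
# maven.compiler.* property form is an assumption.

WORK="${TMPDIR:-/tmp}/cucm-pom-check.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed pre-remediation pom: old versions, unused okhttp, Java 8.
cat > "$WORK/pom.before.xml" <<'EOF'
<project>
  <version>1.0.0</version>
  <properties>
    <maven.compiler.source>1.8</maven.compiler.source>
    <maven.compiler.target>1.8</maven.compiler.target>
  </properties>
  <dependencies>
    <dependency><artifactId>activemq-all</artifactId><version>5.16.7</version></dependency>
    <dependency><artifactId>log4j-core</artifactId><version>2.17.2</version></dependency>
    <dependency><artifactId>commons-lang3</artifactId><version>3.5</version></dependency>
    <dependency><artifactId>jackson-databind</artifactId><version>2.15.4</version></dependency>
    <dependency><artifactId>json</artifactId><version>20220320</version></dependency>
    <dependency><artifactId>okhttp</artifactId><version>3.5.0</version></dependency>
  </dependencies>
</project>
EOF

# Constructed remediated pom: table versions, log4j 1.2 bridge, Java 11.
cat > "$WORK/pom.after.xml" <<'EOF'
<project>
  <version>1.0.1</version>
  <properties>
    <maven.compiler.source>11</maven.compiler.source>
    <maven.compiler.target>11</maven.compiler.target>
  </properties>
  <dependencies>
    <dependency><artifactId>activemq-all</artifactId><version>5.19.6</version></dependency>
    <dependency><artifactId>log4j-core</artifactId><version>2.25.4</version></dependency>
    <dependency><artifactId>log4j-1.2-api</artifactId><version>2.25.4</version></dependency>
    <dependency><artifactId>commons-lang3</artifactId><version>3.18.0</version></dependency>
    <dependency><artifactId>jackson-databind</artifactId><version>2.18.6</version></dependency>
    <dependency><artifactId>json</artifactId><version>20231013</version></dependency>
  </dependencies>
</project>
EOF

# extract_deps POM -> one "artifactId version" line per <dependency> element
extract_deps() {
  awk '
    /<dependency>/                 { a = ""; v = "" }
    match($0, /<artifactId>[^<]*/) { a = substr($0, RSTART + 12, RLENGTH - 12) }
    match($0, /<version>[^<]*/)    { v = substr($0, RSTART + 9,  RLENGTH - 9) }
    /<\/dependency>/               { if (a != "") print a, v }
  ' "$1"
}

# version_ge A B -> succeeds when dotted numeric version A >= B
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      ai = (i <= n) ? x[i] + 0 : 0; bi = (i <= m) ? y[i] + 0 : 0
      if (ai > bi) exit 0
      if (ai < bi) exit 1
    }
    exit 0
  }'
}

# check_pom POM -> prints each failed rule, returns 1 if any rule failed
check_pom() {
  pom="$1"; rc=0
  deps=$(extract_deps "$pom")
  # Floors come from the dependency table; a version managed elsewhere shows as empty
  for req in activemq-all:5.19.6 log4j-core:2.25.4 log4j-1.2-api:2.25.4 \
             commons-lang3:3.18.0 jackson-databind:2.18.6 json:20231013; do
    name=${req%%:*}; min=${req#*:}
    have=$(printf '%s\n' "$deps" | awk -v n="$name" '$1 == n { print $2 }')
    if [ -z "$have" ]; then
      echo "$pom: $name not declared with an explicit version"; rc=1
    elif ! version_ge "$have" "$min"; then
      echo "$pom: $name $have is below the remediated version $min"; rc=1
    fi
  done
  # okhttp was unused and removed; seeing it again means the fix regressed
  if printf '%s\n' "$deps" | awk '$1 == "okhttp" { f = 1 } END { exit !f }'; then
    echo "$pom: okhttp is still declared"; rc=1
  fi
  # Both build and runtime target Java 11, so the compiler level must match
  for p in source target; do
    grep -q "<maven.compiler.$p>11</maven.compiler.$p>" "$pom" ||
      { echo "$pom: maven.compiler.$p is not 11"; rc=1; }
  done
  return $rc
}

for f in before after; do
  if check_pom "$WORK/pom.$f.xml"; then echo "pom.$f.xml: OK"; fi
done
```

Run it against the real pom.xml by calling check_pom with that path; the "before" fragment reports every floor violation plus the stale okhttp entry and the 1.8 compiler level, while the "after" fragment passes. Versions inherited from a parent or dependencyManagement section show up as "not declared", which is a prompt to check that BOM rather than a remediation failure.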

Additional Build and Runtime Adjustments

  • Added log4j-1.2-api 2.25.4 bridge: Required because activemq 5.19.x no longer bundles Log4j 1.x support

  • Updated Docker CMD syntax: Changed from shell form to exec form using CMD ["java", "-jar", "jc.jar"], resolving Docker linting rule S7019 and improving signal handling and container behavior
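The script below is an added example, not the connector's own Dockerfile. It writes two constructed image definitions, the pre-remediation shape and the hardened shape described in the Docker Image Hardening table and the CMD adjustment above, and runs a check that flags each pattern the remediation removed: a Java 8 base, no OS package upgrade, the pebble binary left in place, and a shell-form CMD. The image tags, the /usr/bin/pebble path and the jc.jar name follow these notes; the COPY source path and the /opt/jc layout are assumptions.

```shell
#!/bin/sh
# Added example, not the connector's own Dockerfile. Two constructed image
# definitions (before and after remediation) plus a check for the patterns the
# release notes removed. Image tags, pebble path and jar name follow the notes;
# the COPY path and /opt/jc layout are assumptions.

WORK="${TMPDIR:-/tmp}/cucm-dockerfile-check.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed "before": Java 8 base, unpatched OS packages, shell-form CMD
# (java runs as a child of /bin/sh, so a SIGTERM from the runtime stops at the shell).
cat > "$WORK/Dockerfile.before" <<'EOF'
FROM eclipse-temurin:8-jdk
COPY target/jc.jar /opt/jc/jc.jar
WORKDIR /opt/jc
CMD java -jar jc.jar
EOF

# Constructed "after": Java 11 base, upgraded packages with the apt lists
# dropped, pebble removed, exec-form CMD so the JVM is PID 1 and receives signals.
cat > "$WORK/Dockerfile.after" <<'EOF'
FROM eclipse-temurin:11-jdk
RUN apt-get update \
 && apt-get upgrade -y \
 && rm -rf /var/lib/apt/lists/*
RUN rm -f /usr/bin/pebble
COPY target/jc.jar /opt/jc/jc.jar
WORKDIR /opt/jc
CMD ["java", "-jar", "jc.jar"]
EOF

# check_dockerfile FILE -> prints each failed rule, returns 1 if any rule failed
check_dockerfile() {
  df="$1"; rc=0
  # Base image must be the Java 11 Temurin JDK named in the release notes
  grep -Eq '^FROM[[:space:]]+eclipse-temurin:11-jdk' "$df" ||
    { echo "$df: base image is not eclipse-temurin:11-jdk"; rc=1; }
  # OS packages must be upgraded during the build
  grep -Eq 'apt-get[[:space:]]+upgrade' "$df" ||
    { echo "$df: no apt-get upgrade step"; rc=1; }
  # The vulnerable static binary must be removed
  grep -Eq 'rm[[:space:]]+(-f[[:space:]]+)?/usr/bin/pebble' "$df" ||
    { echo "$df: /usr/bin/pebble is not removed"; rc=1; }
  # CMD must be exec form (JSON array), not shell form (linting rule S7019)
  grep -Eq '^CMD[[:space:]]*\[' "$df" ||
    { echo "$df: CMD uses shell form; use exec form"; rc=1; }
  return $rc
}

for f in before after; do
  if check_dockerfile "$WORK/Dockerfile.$f"; then echo "Dockerfile.$f: OK"; fi
done
```

Point check_dockerfile at docker/Dockerfile to confirm the hardened shape survived later edits. The exec-form rule matters beyond linting: with shell form the container's PID 1 is /bin/sh, which does not forward SIGTERM to the JVM, so orchestrator stops fall through to SIGKILL after the grace period instead of giving the connector a clean shutdown.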

Resolved Vulnerability Coverage

This release resolves security findings across the following areas:

  • Messaging: activemq-all

  • Logging: log4j-core and Log4j compatibility bridge alignment

  • Utility libraries: commons-lang3

  • Data binding / JSON parsing: jackson-databind, org.json

  • Networking: removal of unused okhttp

  • Container image: base OS packages and removal of vulnerable pebble binary

Total CVEs resolved: 18

Breakdown by component (chart): activemq, log4j, commons-lang3, jackson, org.json, okhttp, pebble

Operational Impact

  • No feature changes are introduced in this release; the focus is security and platform alignment

  • Build agents, local developer environments, and runtime containers should use Java 11

Implementation scope

The remediation spans three files only: pom.xml for dependency and compiler updates, docker/Dockerfile for runtime image hardening, and .gitlab-ci.yml for Java 11 pipeline alignment.

Risk summary

The primary rollout consideration is Java 11 compatibility. Functionally, the changes are low risk and centered on library upgrades, removal of an unused dependency, and image hardening. The most important post-release checks are startup validation, messaging behavior, and logging compatibility.