Funnelback patch 15.18.0.17

  • Released: 2019-09-24

  • Applies to: v15.18.0

  • Internal reference: RNDSUPPORT-3041

Description

  • Prevent XSS through AngularJS sandbox-bypass injection in Freemarker templates that are escaped using output formats, by inserting zero-width whitespace between consecutive opening curly brackets.
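
The mitigation described above, sketched as an added example (this is not Funnelback's code; the function names and sample strings are constructed for illustration). It assumes the page uses AngularJS's default {{ start delimiter and shows that HTML escaping alone leaves that delimiter intact, while a zero-width space between consecutive opening braces removes it.

```javascript
// Added illustration, not Funnelback's implementation. All names are hypothetical.
const ZWSP = "\u200B"; // zero-width space

const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Plain HTML escaping: neutralises markup, but "{" is not an HTML
// metacharacter, so an AngularJS expression passes through unchanged.
function htmlEscape(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// HTML-escape, then insert a zero-width space after every "{" that is
// directly followed by another "{". The lookahead does not consume the
// second brace, so a run such as "{{{" becomes "{", ZWSP, "{", ZWSP, "{".
function escapeForAngularPage(value) {
  return htmlEscape(value).replace(/\{(?=\{)/g, "{" + ZWSP);
}

// True if the text still contains the default AngularJS start delimiter.
function hasInterpolationStart(text) {
  return text.includes("{{");
}

// Constructed sample inputs (benign arithmetic expression, brace runs,
// and text with single braces that must be left alone).
const SAMPLES = ["{{1+1}}", "<b>{{{x}}}</b>", "a { b", "{ {ok} }"];

function report() {
  return SAMPLES.map((input) => ({
    input,
    liveAfterHtmlEscape: hasInterpolationStart(htmlEscape(input)),
    liveAfterHardening: hasInterpolationStart(escapeForAngularPage(input)),
  }));
}

console.log(report());
```

The inserted character is invisible when rendered but is part of the text, so values copied from the page carry it. A page that changes the start symbol through $interpolateProvider is outside what this sketch covers.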

Affected files

  • web/webapps/funnelback-publicui.war

Deployment

  • (Windows) Stop any tuning runs that are in progress

  • Stop the Jetty web server

  • Deploy the provided files on top of an existing install.

  • (15.18.0.8) Run $SEARCH_HOME/bin/setup/start_funnelback_on_boot.pl. Please note that this will cause Funnelback services to be restarted.

  • (15.18.0.8) On Unix only, run chown -R search $SEARCH_HOME/databases/neo4j/ $SEARCH_HOME/log/neo4j as root to fix file ownership, replacing search with your Funnelback user’s username if you used a different one.

  • (15.18.0.8) Restart the Funnelback server to ensure any prior funnelback-graph service is terminated.

  • If you do not restart the Funnelback server, start the Jetty web server.