Help Center

Menu

Funnelback patch 15.20.0.38

  • Released: 2021-12-21

  • Applies to: v15.20.0

  • Internal reference: RNDSUPPORT-3466

Description

  • Upgrades log4j2 to version 2.17 to fix the security vulnerability where Apache Log4j2 Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.

Affected files

  • lib/java/all/admin-api-client-swagger-generated.jar

  • lib/java/all/cortex-common.jar

  • lib/java/all/cortex-data-importer.jar

  • lib/java/all/cortex-funnelback-integration.jar

  • lib/java/all/funnelback-analytics.jar

  • lib/java/all/funnelback-api-client-core.jar

  • lib/java/all/funnelback-collection-update.jar

  • lib/java/all/funnelback-common.jar

  • lib/java/all/funnelback-crawler-http-client.jar

  • lib/java/all/funnelback-crawler.jar

  • lib/java/all/funnelback-daemon.jar

  • lib/java/all/funnelback-data-api-connector-padre.jar

  • lib/java/all/funnelback-data-api-connector-padre-query-parser.jar

  • lib/java/all/funnelback-dbgather.jar

  • lib/java/all/funnelback-directory-gather.jar

  • lib/java/all/funnelback-filecopier.jar

  • lib/java/all/funnelback-filter.jar

  • lib/java/all/funnelback-mediator-core.jar

  • lib/java/all/funnelback-mediator-endpoint-cli.jar

  • lib/java/all/funnelback-push-api-client.jar

  • lib/java/all/funnelback-push-core.jar

  • lib/java/all/funnelback-reporting-api-client.jar

  • lib/java/all/funnelback-reporting.jar

  • lib/java/all/funnelback-slack-datasource-export-processor.jar

  • lib/java/all/funnelback-social-media.jar

  • lib/java/all/funnelback-springmvc-common.jar

  • lib/java/all/funnelback-store.jar

  • lib/java/all/funnelback-warc-library.jar

  • lib/java/all/funnelback-wca-api-client.jar

  • lib/java/all/funnelback-wca-checker.jar

  • lib/java/all/log4j-1.2-api-2.15.0.jar: This is now a empty jar for easy patch application.

  • lib/java/all/log4j-1.2-api-2.17.0.jar

  • lib/java/all/log4j-api-2.15.0.jar: This is now a empty jar for easy patch application.

  • lib/java/all/log4j-api-2.17.0.jar

  • lib/java/all/log4j-core-2.15.0.jar: This is now a empty jar for easy patch application.

  • lib/java/all/log4j-core-2.17.0.jar

  • lib/java/all/log4j-iostreams-2.15.0.jar: This is now a empty jar for easy patch application.

  • lib/java/all/log4j-iostreams-2.17.0.jar

  • lib/java/all/log4j-jcl-2.15.0.jar: This is now a empty jar for easy patch application.

  • lib/java/all/log4j-jcl-2.17.0.jar

  • lib/java/all/log4j-jul-2.15.0.jar: This is now a empty jar for easy patch application.

  • lib/java/all/log4j-jul-2.17.0.jar

  • lib/java/all/log4j-slf4j-impl-2.15.0.jar: This is now a empty jar for easy patch application.

  • lib/java/all/log4j-slf4j-impl-2.17.0.jar

  • lib/java/all/log4j-web-2.15.0.jar: This is now a empty jar for easy patch application.

  • lib/java/all/log4j-web-2.17.0.jar

  • lib/java/all/publicui-core.jar

  • lib/java/all/publicui-form-converter.jar

  • tools/manifoldcf-funnelback-connector.zip

  • web/server/funnelback-jetty-launcher.jar

  • web/webapps/cortex-rest-api.war

  • web/webapps/funnelback-admin-api.war

  • web/webapps/funnelback-classic-admin.war

  • web/webapps/funnelback-mediator-endpoint-http.war

  • web/webapps/funnelback-publicui.war

  • web/webapps/funnelback-push-api.war

  • web/webapps/funnelback-redirector.war

Deployment

  • (Windows) Stop any tuning runs that are in progress.

  • Stop the Jetty web server.

  • Stop the Daemon service.

  • Deploy the provided files on top of an existing install.

  • (15.20.0.33) If delete-collection.pl will be used from the command line, update its #! line to refer to the correct perl interpreter by matching it to the other *.pl scripts in the same directory.

  • (15.20.0.2) Run $SEARCH_HOME/bin/setup/start_funnelback_on_boot.pl - Please note that this will cause Funnelback services to be restarted.

  • (15.20.0.2) On unix only, run chown -R search:search $SEARCH_HOME/databases/neo4j/ $SEARCH_HOME/log/neo4j as root to fix file ownership replacing search with your funnelback user’s username if you used a different one.

  • (15.20.0.22) Run $SEARCH_HOME/bin/setup/start_funnelback_on_boot.pl to regenerate service files from the templates. Please note that this will cause each Funnelback service to be restarted.

  • (15.20.0.22) Reboot the Funnelback server to ensure systemd picks up the changes to the service files

  • (15.20.0.2) Restart the Funnelback server to ensure any prior funnelback-graph service is terminated.

  • (15.20.0.37) It is recommended that the following (empty) files are deleted: lib/java/all/log4j-1.2-api-2.6.2.jar, lib/java/all/log4j-api-2.6.2.jar, lib/java/all/log4j-core-2.6.2.jar, lib/java/all/log4j-iostreams-2.6.2.jar, lib/java/all/log4j-jcl-2.6.2.jar, lib/java/all/log4j-jul-2.6.2.jar, lib/java/all/log4j-slf4j-impl-2.6.2.jar, lib/java/all/log4j-web-2.6.2.jar.

  • (15.20.0.38) It is recommended that the following (empty) files are deleted: lib/java/all/log4j-1.2-api-2.15.0.jar, lib/java/all/log4j-api-2.15.0.jar, lib/java/all/log4j-core-2.15.0.jar, lib/java/all/log4j-iostreams-2.15.0.jar, lib/java/all/log4j-jcl-2.15.0.jar, lib/java/all/log4j-jul-2.15.0.jar, lib/java/all/log4j-slf4j-impl-2.15.0.jar, lib/java/all/log4j-web-2.15.0.jar.

  • Start the Jetty web server

  • Start the Daemon service.

  • (15.20.0.3) Perform an update of knowledge graph on any applicable collections to ensure "mention" relationships that reference themselves are removed.

  • (15.20.0.7) As wcag was deprecated in version 15.12 it is recommended to switch to using its replacement by editing collection.cfg to have 'wcag.check=false', remove FAChecker from 'filter.classes=' and set 'accessibility-auditor.check=true'. The wcag check may be completely removed from future versions.

  • Start the Jetty web server if the server was not restarted.