Funnelback 15.22 patches

Patches

Type Release version Description

Bug fixes: Fixes the security vulnerability where Spring Framework may be vulnerable to remote code execution (RCE) via data binding [CVE-2022-22965].

Bug fixes: Upgrades log4j2 to version 2.17 to fix the security vulnerability where the Apache Log4j2 Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.

Bug fixes: Upgrades log4j2 to version 2.15 to fix the security vulnerability where log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints.

Bug fixes: Fixes a cross-site scripting vulnerability in Freemarker templates.

Bug fixes: Reduces memory usage when returning search results as XML.

Bug fixes: Fixes an issue where sessions are not terminated on logout events triggered by Perl pages.

Bug fixes: Fixes an XXE issue where input to the WebDAV endpoint could be manipulated to trigger HTTP requests.

Bug fixes: Fixes admin-ui handling of profiles with hyphens in their IDs.

Bug fixes: Fixes an issue where Faceted Navigation extra searches may fail because of an index out of bounds error.

Bug fixes: Improves logging when extra searches take too long.

Bug fixes: Fixes an issue where the marketing dashboard refers to a non-existent URL when ui.integration_url is not configurable at the profile level.

Bug fixes: Fixes a NullPointerException in the ViewModeBanner macro when SAML is enabled.

Bug fixes: Fixes IP pseudonymization when Funnelback is behind a load balancer and the client IP details are in the X-Forwarded-For header.

Bug fixes: Reduces memory consumption and improves the performance of the purge sessions endpoint.

Bug fixes: Upgrades the version of the RestFB library to account for recent breaking changes in the Facebook Graph API.

Bug fixes: Fixes an issue where Facebook collections gathered fewer documents due to a pagination issue in the Facebook Graph API.

Bug fixes: The deprecated Facebook Graph API fields name, link, app_links and description have been removed from the default value of the facebook.page-fields configuration key.

Bug fixes: Fixes an XML formatting issue in Faceted Navigation click logs.

Bug fixes: Fixes a bug with merging under Push.

Bug fixes: Fixes a bug in which whitespace was not preserved in summaries from anchor text when the -map indexer option is enabled.

Bug fixes: The Push API client used in multi-server push now has timeouts enabled, allowing it to abandon problematic HTTP requests.

Bug fixes: Removes the screens for file-manager rule editing, which could create security issues.

Bug fixes: Fixes an issue where support packages could contain unintended files.

Bug fixes: Fixes an issue where the running Funnelback Jetty web server could retain permissions via supplemental groups after startup.

Bug fixes: Limits an administration CGI script to redirect only within the Funnelback administration interface, as intended.

Bug fixes: Removes the unused administration debug.cgi script, which reflected input parameters without proper escaping.

Bug fixes: Fixes a bug where the horizontal display of columns in the auto-completion dropdown does not work.

Bug fixes: Fixes a bug where an insecure operation on the CSS file list was performed when a CSS file was exposed via the same domain as the auto-completion widget but on a different port.

Bug fixes: Fixes an issue where the Push API failed to start up when using SAML authentication.

Bug fixes: Fixes an issue where Knowledge Graph Groovy scripts are not executed when they are defined at the profile preview level.

Bug fixes: Fixes an issue where the Knowledge Graph class CsvImporterNeo4j does not create nodes inside Neo4J when executed externally.

Bug fixes: Fixes an issue where the Knowledge Graph API does not work when a JDBC driver is specified for the session database.

Bug fixes: Fixes a bug introduced in the previous patch in which uploading configuration files in the administration dashboard stopped working.

Bug fixes: Prevents XSS vulnerabilities found in the classic administration dashboard.

Bug fixes: Moves Funnelback service PID files to /var/run, which is required by OS updates to systemd.

Bug fixes: Includes some additional metadata in service template files.

Bug fixes: Relaxes permissions for creating a service. If a user has access to create a profile (sec.profile.manage), they now also have access to create a service. Previously, the more restrictive sec.administer.system permission was required.

Bug fixes: Fixes an issue where the crawler would follow <meta http-equiv="refresh"> redirects that appeared within HTML comments. Redirects inside comments are now ignored.

Bug fixes: Improves support for running faceted navigation on extra searches.

Bug fixes: Adds the method 'getEffectiveExtraSearchName()' to the search transaction, which returns the name of the extra search this search should be considered to be under. Its result should be used when modifying a particular extra search: since Funnelback may create extra searches under an existing search (for example, for faceted navigation), it can be used to work out whether the search transaction should be modified.

Bug fixes: Fixes errors in the sorting of faceted navigation values, which could cause an HTTP 500 error.

Bug fixes: Prevents XSS via AngularJS sandbox-bypass injection in Freemarker templates escaped using output formats, by inserting zero-width whitespace between consecutive opening curly brackets.

Bug fixes: Empty XML elements mapped as the document URL are now ignored.

Bug fixes: Fixes a memory leak by disabling the Conscrypt SSL provider.

Bug fixes: Prevents XSS via AngularJS sandbox-bypass injection in Freemarker templates, by inserting zero-width whitespace between consecutive opening curly brackets.

Bug fixes: Please note, this patch was retracted due to an incomplete solution causing template errors when used with certain Freemarker escaping modes. The 15.22.0.7 patch, which addresses this issue, should be used instead.

Bug fixes: Fixes a bug in which the last seen time of an Accessibility Auditor Acknowledgment would not be updated.

Bug fixes: Fixes a bug in which spaces would be removed from query biased summaries which came from 'cdata' sections of XML.

Bug fixes: Improves the task-picker such that it can load dependencies from custom 'jar' files located in '$SEARCH_HOME/lib/java/task-picker/'.

Bug fixes: Improves query performance when lots of curator rules are defined for any profile under a collection.

Bug fixes: Improves 'build_autoc' performance for profiles, reducing update times.

Bug fixes: Reduces the time taken by the update step ContentAuditorSummary.

Bug fixes: Prevents XSS via AngularJS sandbox-bypass injection in Freemarker templates, by inserting zero-width whitespace between consecutive opening curly brackets.
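An added illustration of the mitigation the AngularJS-related entries above describe (example code, not Funnelback's own): HTML escaping alone leaves "{{" intact for a client-side AngularJS to interpolate, so a zero-width space is inserted between consecutive opening curly brackets after escaping. The escape function and the interpolation check are simplified stand-ins for a Freemarker HTML output format and AngularJS's default marker matching, and the sample query is constructed.

```javascript
// Zero-width space: invisible when rendered, but it splits the "{{" marker
// pair that AngularJS (default interpolation symbols) looks for.
const ZWSP = '\u200B';

// Simplified stand-in for a Freemarker HTML output format: escapes markup
// characters but, like real HTML escaping, leaves curly brackets untouched.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Insert a zero-width space between every pair of consecutive '{' characters.
// The lookahead means "{{{" becomes "{ZWSP{ZWSP{", so no adjacent pair survives.
function breakCurlyPairs(s) {
  return s.replace(/\{(?=\{)/g, '{' + ZWSP);
}

// The two rendering pipelines being compared: escaping only, and escaping
// followed by the brace-splitting step applied by the patch.
function renderEscaped(userText) {
  return escapeHtml(userText);
}
function renderEscapedAndBraceSafe(userText) {
  return breakCurlyPairs(escapeHtml(userText));
}

// Stand-in for what an AngularJS-bound element would do: look for default
// "{{ ... }}" interpolation markers in the rendered HTML.
const ANGULAR_INTERPOLATION = /\{\{[\s\S]*?\}\}/;
function containsAngularInterpolation(html) {
  return ANGULAR_INTERPOLATION.test(html);
}

// Constructed sample: a search query echoed back into a template. The HTML
// tag is neutralised by escaping, but the braces would still be interpolated.
const sampleQuery = 'results for {{ 7 * 6 }} <b>now</b>';

console.log('escaped only      :', renderEscaped(sampleQuery),
            '-> interpolated?', containsAngularInterpolation(renderEscaped(sampleQuery)));
console.log('escaped + ZWSP    :', renderEscapedAndBraceSafe(sampleQuery),
            '-> interpolated?', containsAngularInterpolation(renderEscapedAndBraceSafe(sampleQuery)));
```

The visible text is unchanged for users, since the zero-width space does not render; only the marker pair that AngularJS would act on is broken.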

Bug fixes: Reduces the size of the redirector war file to reduce memory overhead and deploy time.

Bug fixes: Improves support for faceted navigation with queries that contain bigrams (such as CJKT characters).

Bug fixes: Fixes an issue where relationship labels in the knowledge graph widget were created incorrectly.

Bug fixes: Fixes an issue where the sorting of related entities was not applied based on the knowledge graph template configuration.

Bug fixes: Fixes an issue where a double request was sent to the search endpoint in the knowledge graph widget when pressing the Enter key while the search input is focused.

Bug fixes: Fixes an issue where profile and server level configuration parameters were not saved due to incorrect backup file creation.

Bug fixes: Improves the performance of the Accessibility Auditor interface by requesting less data.

Bug fixes: Fixes an issue where some of the text on the Accessibility Auditor dashboard was showing out of date information.

Bug fixes: Fixes an issue where the Accessibility Auditor dashboard would not generate the thumbnail screenshots for each domain.

Bug fixes: Tuning now uses the Perl defined in executables.cfg rather than the Perl found on the path.