Funnelback patch 15.24.0.45

  • Released: 2021-12-15

  • Applies to: v15.24.0

  • Internal reference: RNDSUPPORT-3466

Description

  • Upgrades log4j2 to version 2.15 to fix the security vulnerability where log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints.

Affected files

  • lib/java/all/admin-api-client-swagger-generated.jar

  • lib/java/all/cortex-common.jar

  • lib/java/all/cortex-data-importer.jar

  • lib/java/all/cortex-funnelback-integration.jar

  • lib/java/all/funnelback-analytics.jar

  • lib/java/all/funnelback-api-client-core.jar

  • lib/java/all/funnelback-collection-update.jar

  • lib/java/all/funnelback-common.jar

  • lib/java/all/funnelback-crawler-http-client.jar

  • lib/java/all/funnelback-crawler.jar

  • lib/java/all/funnelback-daemon.jar

  • lib/java/all/funnelback-data-api-connector-padre.jar

  • lib/java/all/funnelback-data-api-connector-padre-query-parser.jar

  • lib/java/all/funnelback-dbgather.jar

  • lib/java/all/funnelback-directory-gather.jar

  • lib/java/all/funnelback-filecopier.jar

  • lib/java/all/funnelback-mediator-core.jar

  • lib/java/all/funnelback-mediator-endpoint-cli.jar

  • lib/java/all/funnelback-push-api-client.jar

  • lib/java/all/funnelback-push-core.jar

  • lib/java/all/funnelback-reporting-api-client.jar

  • lib/java/all/funnelback-reporting.jar

  • lib/java/all/funnelback-slack-datasource-export-processor.jar

  • lib/java/all/funnelback-social-media.jar

  • lib/java/all/funnelback-springmvc-common.jar

  • lib/java/all/funnelback-store.jar

  • lib/java/all/funnelback-warc-library.jar

  • lib/java/all/funnelback-wca-api-client.jar

  • lib/java/all/funnelback-wca-checker.jar

  • lib/java/all/log4j-1.2-api-2.6.2.jar: This is now a empty jar for easy patch application.

  • lib/java/all/log4j-1.2-api-2.15.0.jar

  • lib/java/all/log4j-api-2.6.2.jar: This is now a empty jar for easy patch application.

  • lib/java/all/log4j-api-2.15.0.jar

  • lib/java/all/log4j-core-2.6.2.jar: This is now a empty jar for easy patch application.

  • lib/java/all/log4j-core-2.15.0.jar

  • lib/java/all/log4j-iostreams-2.6.2.jar: This is now a empty jar for easy patch application.

  • lib/java/all/log4j-iostreams-2.15.0.jar

  • lib/java/all/log4j-jcl-2.6.2.jar: This is now a empty jar for easy patch application.

  • lib/java/all/log4j-jcl-2.15.0.jar

  • lib/java/all/log4j-jul-2.6.2.jar: This is now a empty jar for easy patch application.

  • lib/java/all/log4j-jul-2.15.0.jar

  • lib/java/all/log4j-slf4j-impl-2.6.2.jar: This is now a empty jar for easy patch application.

  • lib/java/all/log4j-slf4j-impl-2.15.0.jar

  • lib/java/all/log4j-web-2.6.2.jar: This is now a empty jar for easy patch application.

  • lib/java/all/log4j-web-2.15.0.jar

  • lib/java/all/publicui-core.jar

  • lib/java/all/publicui-form-converter.jar

  • share/funnelback-push-api-client-shaded.jar

  • tools/manifoldcf-funnelback-connector.zip

  • web/server/funnelback-jetty-launcher.jar

  • web/webapps/cortex-rest-api.war

  • web/webapps/funnelback-admin-api.war

  • web/webapps/funnelback-classic-admin.war

  • web/webapps/funnelback-mediator-endpoint-http.war

  • web/webapps/funnelback-publicui.war

  • web/webapps/funnelback-push-api.war

  • web/webapps/funnelback-redirector.war

Deployment

  • Stop the Jetty web server.

  • Stop the Daemon service.

  • Deploy the provided files on top of an existing install, backing up all replaced files.

  • (15.24.0.29) It is recommended that the following (empty) files are deleted: lib/java/all/apache-mime4j-core-0.8.2.jar, lib/java/all/apache-mime4j-dom-0.8.2.jar, lib/java/all/asm-6.2.jar, lib/java/all/bcmail-jdk15on-1.60.jar, lib/java/all/bcpkix-jdk15on-1.60.jar, lib/java/all/bcprov-jdk15on-1.60.jar, lib/java/all/c3p0-0.9.1.1.jar, lib/java/all/commons-collections4-4.2.jar, lib/java/all/commons-compress-1.18.jar, lib/java/all/curvesapi-1.04.jar, lib/java/all/cxf-core-3.2.6.jar, lib/java/all/cxf-rt-frontend-jaxrs-3.2.6.jar, lib/java/all/cxf-rt-rs-client-3.2.6.jar, lib/java/all/cxf-rt-transports-http-3.2.6.jar, lib/java/all/FastInfoset-1.2.13.jar, lib/java/all/isoparser-1.1.22.jar, lib/java/all/istack-commons-runtime-3.0.5.jar, lib/java/all/jackcess-2.1.12.jar, lib/java/all/jackcess-encrypt-2.1.4.jar, lib/java/all/jackson-annotations-2.9.6.jar, lib/java/all/java-libpst-0.8.1.jar, lib/java/all/javax.ws.rs-api-2.1.jar, lib/java/all/jaxb-api-2.3.0.jar, lib/java/all/jaxb-core-2.3.0.1.jar, lib/java/all/jaxb-runtime-2.3.0.1.jar, lib/java/all/jbig2-imageio-3.0.2.jar, lib/java/all/jul-to-slf4j-1.7.25.jar, lib/java/all/metadata-extractor-2.11.0.jar, lib/java/all/openjson-1.0.10.jar, lib/java/all/parso-2.0.9.jar, lib/java/all/pdfbox-tools-2.0.12.jar, lib/java/all/poi-4.0.0.jar, lib/java/all/poi-ooxml-4.0.0.jar, lib/java/all/poi-ooxml-schemas-4.0.0.jar, lib/java/all/poi-scratchpad-4.0.0.jar, lib/java/all/protobuf-java-3.8.0.jar, lib/java/all/quartz-2.2.0.jar, lib/java/all/rome-1.5.1.jar, lib/java/all/rome-utils-1.5.1.jar, lib/java/all/sis-feature-0.8.jar, lib/java/all/sis-metadata-0.8.jar, lib/java/all/sis-netcdf-0.8.jar, lib/java/all/sis-referencing-0.8.jar, lib/java/all/sis-storage-0.8.jar, lib/java/all/sis-utility-0.8.jar, lib/java/all/stax2-api-4.1.jar, lib/java/all/stax-ex-1.7.8.jar, lib/java/all/tika-core-1.19.1.jar, lib/java/all/tika-parsers-1.19.1.jar, lib/java/all/txw2-2.3.0.1.jar, lib/java/all/uimafit-core-2.2.0.jar, lib/java/all/uimaj-core-2.9.0.jar, lib/java/all/woodstox-core-5.1.0.jar, lib/java/all/xmlbeans-3.0.1.jar, lib/java/all/xmlschema-core-2.2.3.jar, lib/java/all/xmpcore-5.1.3.jar.

  • (15.24.0.39) It is recommended that the following (empty) file is deleted: lib/java/all/commons-codec-1.9.jar.

  • (15.24.0.45) It is recommended that the following (empty) files are deleted: lib/java/all/log4j-1.2-api-2.6.2.jar, lib/java/all/log4j-api-2.6.2.jar, lib/java/all/log4j-core-2.6.2.jar, lib/java/all/log4j-iostreams-2.6.2.jar, lib/java/all/log4j-jcl-2.6.2.jar, lib/java/all/log4j-jul-2.6.2.jar, lib/java/all/log4j-slf4j-impl-2.6.2.jar, lib/java/all/log4j-web-2.6.2.jar.

  • Start the Jetty web server.

  • Start the Daemon service.

  • (15.24.0.12, 15.24.0.13) Perform an update of knowledge graph on any applicable collections in order to apply patch changes.

  • (15.24.0.25) Update the first line of the bin/delete-collection.pl script to refer to the correct perl interpreter for your Funnelback installation.