Funnelback patch 15.24.0.47
-
Released: 2022-04-08
-
Applies to: v15.24.0
-
Internal reference: RNDSUPPORT-3491
Description
-
Fixed the security vulnerability where Spring Framework RCE may be vulnerable to remote code execution (RCE) via data binding [CVE-2022-22965]
Affected files
-
lib/java/all/funnelback-springmvc-common.jar
-
web/webapps/cortex-rest-api.war
-
web/webapps/funnelback-admin-api.war
-
web/webapps/funnelback-classic-admin.war
-
web/webapps/funnelback-mediator-endpoint-http.war
-
web/webapps/funnelback-publicui.war
-
web/webapps/funnelback-push-api.war
-
web/webapps/funnelback-redirector.war
Deployment
-
Stop the Jetty web server.
-
Stop the Daemon service.
-
Deploy the provided files on top of an existing install, backing up all replaced files.
-
(15.24.0.29) It is recommended that the following (empty) files are deleted:
lib/java/all/apache-mime4j-core-0.8.2.jar
,lib/java/all/apache-mime4j-dom-0.8.2.jar
,lib/java/all/asm-6.2.jar
,lib/java/all/bcmail-jdk15on-1.60.jar
,lib/java/all/bcpkix-jdk15on-1.60.jar
,lib/java/all/bcprov-jdk15on-1.60.jar
,lib/java/all/c3p0-0.9.1.1.jar
,lib/java/all/commons-collections4-4.2.jar
,lib/java/all/commons-compress-1.18.jar
,lib/java/all/curvesapi-1.04.jar
,lib/java/all/cxf-core-3.2.6.jar
,lib/java/all/cxf-rt-frontend-jaxrs-3.2.6.jar
,lib/java/all/cxf-rt-rs-client-3.2.6.jar
,lib/java/all/cxf-rt-transports-http-3.2.6.jar
,lib/java/all/FastInfoset-1.2.13.jar
,lib/java/all/isoparser-1.1.22.jar
,lib/java/all/istack-commons-runtime-3.0.5.jar
,lib/java/all/jackcess-2.1.12.jar
,lib/java/all/jackcess-encrypt-2.1.4.jar
,lib/java/all/jackson-annotations-2.9.6.jar
,lib/java/all/java-libpst-0.8.1.jar
,lib/java/all/javax.ws.rs-api-2.1.jar
,lib/java/all/jaxb-api-2.3.0.jar
,lib/java/all/jaxb-core-2.3.0.1.jar
,lib/java/all/jaxb-runtime-2.3.0.1.jar
,lib/java/all/jbig2-imageio-3.0.2.jar
,lib/java/all/jul-to-slf4j-1.7.25.jar
,lib/java/all/metadata-extractor-2.11.0.jar
,lib/java/all/openjson-1.0.10.jar
,lib/java/all/parso-2.0.9.jar
,lib/java/all/pdfbox-tools-2.0.12.jar
,lib/java/all/poi-4.0.0.jar
,lib/java/all/poi-ooxml-4.0.0.jar
,lib/java/all/poi-ooxml-schemas-4.0.0.jar
,lib/java/all/poi-scratchpad-4.0.0.jar
,lib/java/all/protobuf-java-3.8.0.jar
,lib/java/all/quartz-2.2.0.jar
,lib/java/all/rome-1.5.1.jar
,lib/java/all/rome-utils-1.5.1.jar
,lib/java/all/sis-feature-0.8.jar
,lib/java/all/sis-metadata-0.8.jar
,lib/java/all/sis-netcdf-0.8.jar
,lib/java/all/sis-referencing-0.8.jar
,lib/java/all/sis-storage-0.8.jar
,lib/java/all/sis-utility-0.8.jar
,lib/java/all/stax2-api-4.1.jar
,lib/java/all/stax-ex-1.7.8.jar
,lib/java/all/tika-core-1.19.1.jar
,lib/java/all/tika-parsers-1.19.1.jar
,lib/java/all/txw2-2.3.0.1.jar
,lib/java/all/uimafit-core-2.2.0.jar
,lib/java/all/uimaj-core-2.9.0.jar
,lib/java/all/woodstox-core-5.1.0.jar
,lib/java/all/xmlbeans-3.0.1.jar
,lib/java/all/xmlschema-core-2.2.3.jar
,lib/java/all/xmpcore-5.1.3.jar
. -
(15.24.0.39) It is recommended that the following (empty) file is deleted:
lib/java/all/commons-codec-1.9.jar
. -
(15.24.0.45) It is recommended that the following (empty) files are deleted:
lib/java/all/log4j-1.2-api-2.6.2.jar
,lib/java/all/log4j-api-2.6.2.jar
,lib/java/all/log4j-core-2.6.2.jar
,lib/java/all/log4j-iostreams-2.6.2.jar
,lib/java/all/log4j-jcl-2.6.2.jar
,lib/java/all/log4j-jul-2.6.2.jar
,lib/java/all/log4j-slf4j-impl-2.6.2.jar
,lib/java/all/log4j-web-2.6.2.jar
. -
(15.24.0.46) It is recommended that the following (empty) files are deleted:
lib/java/all/log4j-1.2-api-2.15.0.jar
,lib/java/all/log4j-api-2.15.0.jar
,lib/java/all/log4j-core-2.15.0.jar
,lib/java/all/log4j-iostreams-2.15.0.jar
,lib/java/all/log4j-jcl-2.15.0.jar
,lib/java/all/log4j-jul-2.15.0.jar
,lib/java/all/log4j-slf4j-impl-2.15.0.jar
,lib/java/all/log4j-web-2.15.0.jar
. -
Start the Jetty web server.
-
Start the Daemon service.
-
(15.24.0.12, 15.24.0.13) Perform an update of knowledge graph on any applicable collections in order to apply patch changes.
-
(15.24.0.25) Update the first line of the bin/delete-collection.pl script to refer to the correct perl interpreter for your Funnelback installation.