Funnelback patch 16.2.0.15
-
Released: 2021-12-22
-
Applies to: v16.2.0
-
Internal reference: RNDSUPPORT-3466
Description
-
Upgrades log4j2 to version 2.17 to fix the security vulnerability where Apache Log4j2 Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.
Affected files
-
lib/java/all/admin-api-client-swagger-generated.jar -
lib/java/all/cortex-common.jar -
lib/java/all/cortex-data-importer.jar -
lib/java/all/cortex-funnelback-integration.jar -
lib/java/all/funnelback-admin-api-client.jar -
lib/java/all/funnelback-admin-helpers.jar -
lib/java/all/funnelback-analytics.jar -
lib/java/all/funnelback-api-client-core.jar -
lib/java/all/funnelback-collection-update.jar -
lib/java/all/funnelback-common.jar -
lib/java/all/funnelback-crawler-http-client.jar -
lib/java/all/funnelback-crawler.jar -
lib/java/all/funnelback-daemon.jar -
lib/java/all/funnelback-data-api-connector-padre.jar -
lib/java/all/funnelback-data-api-connector-padre-query-parser.jar -
lib/java/all/funnelback-dbgather.jar -
lib/java/all/funnelback-directory-gather.jar -
lib/java/all/funnelback-filecopier.jar -
lib/java/all/funnelback-local-directory-synchronizer.jar -
lib/java/all/funnelback-mediator-core.jar -
lib/java/all/funnelback-mediator-endpoint-cli.jar -
lib/java/all/funnelback-push-api-client.jar -
lib/java/all/funnelback-push-core.jar -
lib/java/all/funnelback-reporting-api-client.jar -
lib/java/all/funnelback-reporting.jar -
lib/java/all/funnelback-shared.jar -
lib/java/all/funnelback-shared-test.jar -
lib/java/all/funnelback-slack-datasource-export-processor.jar -
lib/java/all/funnelback-social-media.jar -
lib/java/all/funnelback-springmvc-common.jar -
lib/java/all/funnelback-store.jar -
lib/java/all/funnelback-upgrade-super-util.jar -
lib/java/all/funnelback-warc-library.jar -
lib/java/all/funnelback-wca-api-client.jar -
lib/java/all/funnelback-wca-checker.jar -
lib/java/all/log4j-1.2-api-2.15.0.jar: This is now a empty jar for easy patch application. -
lib/java/all/log4j-1.2-api-2.17.0.jar -
lib/java/all/log4j-api-2.15.0.jar: This is now a empty jar for easy patch application. -
lib/java/all/log4j-api-2.17.0.jar -
lib/java/all/log4j-core-2.15.0.jar: This is now a empty jar for easy patch application. -
lib/java/all/log4j-core-2.17.0.jar -
lib/java/all/log4j-iostreams-2.15.0.jar: This is now a empty jar for easy patch application. -
lib/java/all/log4j-iostreams-2.17.0.jar -
lib/java/all/log4j-jcl-2.15.0.jar: This is now a empty jar for easy patch application. -
lib/java/all/log4j-jcl-2.17.0.jar -
lib/java/all/log4j-jul-2.15.0.jar: This is now a empty jar for easy patch application. -
lib/java/all/log4j-jul-2.17.0.jar -
lib/java/all/log4j-slf4j-impl-2.15.0.jar: This is now a empty jar for easy patch application. -
lib/java/all/log4j-slf4j-impl-2.17.0.jar -
lib/java/all/log4j-web-2.15.0.jar: This is now a empty jar for easy patch application. -
lib/java/all/log4j-web-2.17.0.jar -
lib/java/all/publicui-core.jar -
share/funnelback-push-api-client-shaded.jar -
tools/manifoldcf-funnelback-connector.zip -
web/server/funnelback-jetty-launcher.jar -
web/webapps/cortex-rest-api.war -
web/webapps/funnelback-admin-api.war -
web/webapps/funnelback-classic-admin.war -
web/webapps/funnelback-mediator-endpoint-http.war -
web/webapps/funnelback-publicui.war -
web/webapps/funnelback-push-api.war -
web/webapps/funnelback-redirector.war
Deployment
-
Stop the Jetty web server.
-
Stop the Daemon service.
-
Deploy the provided files on top of an existing install, backing up all replaced files.
-
(16.2.0.1) It is recommended that the following (empty) file is deleted:
lib/java/all/commons-codec-1.9.jar. -
(16.2.0.2) Update the first line of the
bin/reports-send-email.plscript to refer to the correct perl interpreter for your Funnelback installation. The perl interpreter can be found in$SEARCH_HOME/conf/executables.cfg. -
(16.2.0.9) Update the first line of the
bin/create-collection.plscript to refer to the correct perl interpreter for your Funnelback installation. The perl interpreter can be found in$SEARCH_HOME/conf/executables.cfg. -
(16.2.0.14) It is recommended that the following (empty) files are deleted:
lib/java/all/log4j-1.2-api-2.13.3.jar,lib/java/all/log4j-api-2.13.3.jar,lib/java/all/log4j-core-2.13.3.jar,lib/java/all/log4j-iostreams-2.13.3.jar,lib/java/all/log4j-jcl-2.13.3.jar,lib/java/all/log4j-jul-2.13.3.jar,lib/java/all/log4j-slf4j-impl-2.13.3.jar,lib/java/all/log4j-web-2.13.3.jar. -
(16.2.0.15) It is recommended that the following (empty) files are deleted:
lib/java/all/log4j-1.2-api-2.15.0.jar,lib/java/all/log4j-api-2.15.0.jar,lib/java/all/log4j-core-2.15.0.jar,lib/java/all/log4j-iostreams-2.15.0.jar,lib/java/all/log4j-jcl-2.15.0.jar,lib/java/all/log4j-jul-2.15.0.jar,lib/java/all/log4j-slf4j-impl-2.15.0.jar,lib/java/all/log4j-web-2.15.0.jar. -
Start the Jetty web server.
-
Start the Daemon service.