Funnelback patch 16.2.0.16

Fixed the security vulnerability where Spring Framework RCE may be vulnerable to remote code execution (RCE) via data binding.

lib/java/all/funnelback-springmvc-common.jar

web/webapps/cortex-rest-api.war

web/webapps/funnelback-admin-api.war

web/webapps/funnelback-classic-admin.war

web/webapps/funnelback-mediator-endpoint-http.war

web/webapps/funnelback-publicui.war

web/webapps/funnelback-push-api.war

web/webapps/funnelback-redirector.war

Stop the Jetty web server.

Stop the Daemon service.

Deploy the provided files on top of an existing install, backing up all replaced files.

(16.2.0.1) It is recommended that the following (empty) file is deleted: lib/java/all/commons-codec-1.9.jar.

(16.2.0.2) Update the first line of the bin/reports-send-email.pl script to refer to the correct perl interpreter for your Funnelback installation. The perl interpreter can be found in $SEARCH_HOME/conf/executables.cfg.

(16.2.0.9) Update the first line of the bin/create-collection.pl script to refer to the correct perl interpreter for your Funnelback installation. The perl interpreter can be found in $SEARCH_HOME/conf/executables.cfg.

(16.2.0.14) It is recommended that the following (empty) files are deleted: lib/java/all/log4j-1.2-api-2.13.3.jar, lib/java/all/log4j-api-2.13.3.jar, lib/java/all/log4j-core-2.13.3.jar, lib/java/all/log4j-iostreams-2.13.3.jar, lib/java/all/log4j-jcl-2.13.3.jar, lib/java/all/log4j-jul-2.13.3.jar, lib/java/all/log4j-slf4j-impl-2.13.3.jar, lib/java/all/log4j-web-2.13.3.jar.

(16.2.0.15) It is recommended that the following (empty) files are deleted: lib/java/all/log4j-1.2-api-2.15.0.jar, lib/java/all/log4j-api-2.15.0.jar, lib/java/all/log4j-core-2.15.0.jar, lib/java/all/log4j-iostreams-2.15.0.jar, lib/java/all/log4j-jcl-2.15.0.jar, lib/java/all/log4j-jul-2.15.0.jar, lib/java/all/log4j-slf4j-impl-2.15.0.jar, lib/java/all/log4j-web-2.15.0.jar.

Start the Jetty web server.

Start the Daemon service.