Funnelback patch 16.2.0.17

Fixed the security vulnerabilities where jackson-databind might allow remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks.

Fixed the security vulnerabilities where com.google.oauth-client hasn’t implemented PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps.

lib/java/all/cortex-common.jar

lib/java/all/cortex-data-importer.jar

lib/java/all/funnelback-api-client-core.jar

lib/java/all/funnelback-common.jar

lib/java/all/funnelback-social-media.jar

lib/java/all/funnelback-springmvc-common.jar

lib/java/all/google-api-client-1.16.0-rc.jar: (replaced with empty jar file)

lib/java/all/google-api-client-1.34.0.jar

lib/java/all/google-api-services-plus-v1-rev86-1.16.0-rc.jar: (replaced with empty jar file)

lib/java/all/google-api-services-youtube-v3-rev120-1.19.0.jar: (replaced with empty jar file)

lib/java/all/google-api-services-youtube-v3-rev20220418-1.32.1.jar

lib/java/all/google-http-client-1.16.0-rc.jar: (replaced with empty jar file)

lib/java/all/google-http-client-1.41.8.jar

lib/java/all/google-http-client-apache-v2-1.41.7.jar

lib/java/all/google-http-client-gson-1.41.7.jar

lib/java/all/google-http-client-jackson-1.16.0-rc.jar: (replaced with empty jar file)

lib/java/all/google-http-client-jackson2-1.41.8.jar

lib/java/all/google-oauth-client-1.16.0-rc.jar: (replaced with empty jar file)

lib/java/all/google-oauth-client-1.33.2.jar

lib/java/all/grpc-context-1.27.2.jar

lib/java/all/j2objc-annotations-1.3.jar

lib/java/all/jackson-annotations-2.10.3.jar: (replaced with empty jar file)

lib/java/all/jackson-annotations-2.13.2.jar

lib/java/all/jackson-core-2.10.3.jar: (replaced with empty jar file)

lib/java/all/jackson-core-2.13.2.jar

lib/java/all/jackson-databind-2.10.3.jar: (replaced with empty jar file)

lib/java/all/jackson-databind-2.13.2.2.jar

lib/java/all/jackson-datatype-guava-2.10.3.jar: (replaced with empty jar file)

lib/java/all/jackson-datatype-guava-2.13.2.jar

lib/java/all/jackson-datatype-jdk8-2.10.3.jar: (replaced with empty jar file)

lib/java/all/jackson-datatype-jdk8-2.13.2.jar

lib/java/all/jackson-datatype-jsr310-2.10.3.jar: (replaced with empty jar file)

lib/java/all/jackson-datatype-jsr310-2.13.2.jar

lib/java/all/opencensus-api-0.31.0.jar

lib/java/all/opencensus-contrib-http-util-0.31.0.jar

lib/java/all/xpp3-1.1.4c.jar: (replaced with empty jar file)

share/funnelback-push-api-client-shaded.jar

web/webapps/cortex-rest-api.war

web/webapps/funnelback-admin-api.war

web/webapps/funnelback-classic-admin.war

web/webapps/funnelback-mediator-endpoint-http.war

web/webapps/funnelback-publicui.war

web/webapps/funnelback-push-api.war

Stop the Jetty web server.

Stop the Daemon service.

Deploy the provided files on top of an existing install, backing up all replaced files.

(16.2.0.1) It is recommended that the following (empty) file is deleted: lib/java/all/commons-codec-1.9.jar.

(16.2.0.2) Update the first line of the bin/reports-send-email.pl script to refer to the correct perl interpreter for your Funnelback installation. The perl interpreter can be found in $SEARCH_HOME/conf/executables.cfg.

(16.2.0.9) Update the first line of the bin/create-collection.pl script to refer to the correct perl interpreter for your Funnelback installation. The perl interpreter can be found in $SEARCH_HOME/conf/executables.cfg.

(16.2.0.14) It is recommended that the following (empty) files are deleted: lib/java/all/log4j-1.2-api-2.13.3.jar, lib/java/all/log4j-api-2.13.3.jar, lib/java/all/log4j-core-2.13.3.jar, lib/java/all/log4j-iostreams-2.13.3.jar, lib/java/all/log4j-jcl-2.13.3.jar, lib/java/all/log4j-jul-2.13.3.jar, lib/java/all/log4j-slf4j-impl-2.13.3.jar, lib/java/all/log4j-web-2.13.3.jar.

(16.2.0.15) It is recommended that the following (empty) files are deleted: lib/java/all/log4j-1.2-api-2.15.0.jar, lib/java/all/log4j-api-2.15.0.jar, lib/java/all/log4j-core-2.15.0.jar, lib/java/all/log4j-iostreams-2.15.0.jar, lib/java/all/log4j-jcl-2.15.0.jar, lib/java/all/log4j-jul-2.15.0.jar, lib/java/all/log4j-slf4j-impl-2.15.0.jar, lib/java/all/log4j-web-2.15.0.jar.

(16.2.0.17) It is recommended that the following (empty) files are deleted: lib/java/all/google-api-client-1.16.0-rc.jar, lib/java/all/google-api-services-plus-v1-rev86-1.16.0-rc.jar, lib/java/all/google-api-services-youtube-v3-rev120-1.19.0.jar, lib/java/all/google-http-client-1.16.0-rc.jar, lib/java/all/google-http-client-jackson-1.16.0-rc.jar, lib/java/all/google-oauth-client-1.16.0-rc.jar, lib/java/all/jackson-core-2.10.3.jar, lib/java/all/jackson-databind-2.10.3.jar, lib/java/all/jackson-datatype-guava-2.10.3.jar, lib/java/all/jackson-datatype-jdk8-2.10.3.jar, lib/java/all/jackson-datatype-jsr310-2.10.3.jar, lib/java/all/xpp3-1.1.4c.jar.

Start the Jetty web server.

Start the Daemon service.