Funnelback patch

  • Released: 2022-04-08

  • Applies to: v16.4.0

  • Internal reference: RNDSUPPORT-3491


  • Fixed a security vulnerability where Spring Framework RCE may be vulnerable to remote code execution (RCE) via data binding [CVE-2022-22965]

Affected files

  • lib/java/all/funnelback-springmvc-common.jar

  • web/webapps/cortex-rest-api.war

  • web/webapps/funnelback-admin-api.war

  • web/webapps/funnelback-classic-admin.war

  • web/webapps/funnelback-mediator-endpoint-http.war

  • web/webapps/funnelback-publicui.war

  • web/webapps/funnelback-push-api.war

  • web/webapps/funnelback-redirector.war


  • Stop the Jetty web server.

  • Stop the Daemon service.

  • Deploy the provided files on top of an existing install, backing up all replaced files.

  • ( Update the first line of the bin/ script to refer to the correct perl interpreter for your Funnelback installation. The perl interpreter can be found in $SEARCH_HOME/conf/executables.cfg.

  • ( It is recommended that the following (empty) files are deleted: lib/java/all/log4j-1.2-api-2.13.3.jar, lib/java/all/log4j-api-2.13.3.jar, lib/java/all/log4j-core-2.13.3.jar, lib/java/all/log4j-iostreams-2.13.3.jar, lib/java/all/log4j-jcl-2.13.3.jar, lib/java/all/log4j-jul-2.13.3.jar, lib/java/all/log4j-slf4j-impl-2.13.3.jar, lib/java/all/log4j-web-2.13.3.jar.

  • ( It is recommended that the following (empty) files are deleted: lib/java/all/log4j-1.2-api-2.15.0.jar, lib/java/all/log4j-api-2.15.0.jar, lib/java/all/log4j-core-2.15.0.jar, lib/java/all/log4j-iostreams-2.15.0.jar, lib/java/all/log4j-jcl-2.15.0.jar, lib/java/all/log4j-jul-2.15.0.jar, lib/java/all/log4j-slf4j-impl-2.15.0.jar, lib/java/all/log4j-web-2.15.0.jar.

  • Start the Jetty web server.

  • Start the Daemon service.