Universal Controller 7.1.2.0 Release Notes
Release Notes
Universal Controller release 7.1.2.0 contains the following high-level features. For a complete list of all the included features and fixes, please refer to the Universal Controller 7.2.x Maintenance list.
Architecture
Backlog | Title | Description |
---|---|---|
B-15981 | Make the timeout for email notification output configurable. | New uc.properties configuration property, uc.action.email_notification.attach_output.subscription.timeout_in_seconds, makes the timeout for the subscription to task output retrieval from a notification email configurable. Default value is 180. |
B-15965 | SAP Task: Modify -event_select_state configuration option to use short form "N", "C", and "A". | A change in UA (Universal Agent) version 7.1 introduced more stringent syntax checks resulting in SAP Tasks failing with an error message indicating that the parameter value exceeds a size limit. |
B-14859 | Replace Log4j 1 library with Reload4j library | Replace Log4j 1 library with Reload4j library. |
Security
Backlog | Title | Description |
---|---|---|
B-15969 | Upgrade SmartGWT library dependencies (2022-06-16). | Information leakage vulnerability in SmartClient and SmartGWT server products with certain configurations. The vulnerability is present if you have the FileDownload servlet mapped in the web.xml file. We regard this vulnerability as potentially high severity because, although the exploit is non-obvious and requires knowledge of SmartClient/SmartGWT server internals, it gives read-only access to all files deployed as part of your web application. This vulnerability does not inherently allow an attacker to take over your SmartClient-based application, stop it from functioning, or give access to the server on which it is running. |
B-15792 | Update spring library dependencies. | To address CVE-2022-22965 and CVE-2022-22950, we have updated Universal Controller's Spring library dependencies to the following:
Universal Controller uses the Spring libraries for its SSO implementation. |
B-15783 | Remove the axis2-spring-1.7.4.jar dependency. | The jar file axis2-spring-1.7.4.jar is an Axis2 dependency that is not specifically used by UC. UC’s dependency on Axis2 relates to the SOAP capabilities of the Web Service Task. |
B-15641 | Remove the spring-webmvc dependency | This item addresses CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+. Universal Controller is not "a Spring MVC or Spring WebFlux application"; however, a dependency on spring-webmvc-3.1.2.RELEASE.jar existed because it came in with our dependency on Spring Security SAML. We have removed the dependency. |
D-10807 | Business Service Visibility Restricted property not honored by 'businessservice/list' Web Service. | |
D-10760 | Information leakage through the 'audit/list' Web Service. | |
D-10678 | User without appropriate role can read a group through Web Service. | |
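
A check for the condition described in B-15969, added here as an example (it is not the vendor's code): it parses a web.xml and returns the URL patterns mapped to the FileDownload servlet, and flags the two jars that B-15783 and B-15641 say were removed. The servlet class name `com.isomorphic.servlet.FileDownload`, the function names and the sample web.xml are assumptions, not taken from this page.

```python
import xml.etree.ElementTree as ET

# Assumption: SmartClient/SmartGWT servlet class name (not given on this page).
FILEDOWNLOAD_CLASS = "com.isomorphic.servlet.FileDownload"
# Jar files the release notes say were removed (B-15783, B-15641).
REMOVED_JARS = {"axis2-spring-1.7.4.jar", "spring-webmvc-3.1.2.RELEASE.jar"}

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace, if any

def _text(elem, name):
    """Text of the first direct child called `name`, or ''."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def filedownload_mappings(web_xml):
    """Return url-patterns mapped to the FileDownload servlet ([] if unmapped)."""
    root = ET.fromstring(web_xml)
    elems = [(_local(e.tag), e) for e in root.iter()]
    # Servlet names are arbitrary, so resolve them through the servlet class.
    names = {_text(e, "servlet-name") for t, e in elems
             if t == "servlet" and _text(e, "servlet-class") == FILEDOWNLOAD_CLASS}
    return [(c.text or "").strip()
            for t, e in elems
            if t == "servlet-mapping" and _text(e, "servlet-name") in names
            for c in e if _local(c.tag) == "url-pattern"]

def leftover_jars(lib_listing):
    """Return removed jars still present in a WEB-INF/lib file listing."""
    return sorted(REMOVED_JARS.intersection(lib_listing))

# Constructed sample web.xml; com.example.StatusServlet is hypothetical.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet><servlet-name>FileDownload</servlet-name>
    <servlet-class>com.isomorphic.servlet.FileDownload</servlet-class></servlet>
  <servlet><servlet-name>Status</servlet-name>
    <servlet-class>com.example.StatusServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>Status</servlet-name>
    <url-pattern>/status</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>FileDownload</servlet-name>
    <url-pattern>/sc/skins/*</url-pattern></servlet-mapping>
</web-app>"""

if __name__ == "__main__":
    print("FileDownload mapped at:", filedownload_mappings(SAMPLE_WEB_XML))
    print("Leftover jars:", leftover_jars(["spring-core.jar", "axis2-spring-1.7.4.jar"]))
```

An empty list from `filedownload_mappings` means the servlet is not mapped in that web.xml, which is the precondition B-15969 names for the information leak.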