Release Notes

Universal Controller release 7.1.2.0 contains the following high-level features. For a complete list of all the included features and fixes, please refer to the Universal Controller 7.2.x Maintenance list.

Architecture

Backlog

Title

Description

B-15981

Make the timeout for email notification output configurable.

New uc.properties configuration property to allow the subscription to task output retrieval from a notification email to be configured.

uc.action.email_notification.attach_output.subscription.timeout_in_seconds.

Default value is 180.

B-15965

SAP Task: Modify -event_select_state configuration option to use short form "N", "C", and "A".

A change in UA (Universal Agent) version 7.1 introduced more stringent syntax checks resulting in SAP Tasks failing with an error message indicating that the parameter value exceeds a size limit.

B-14859

Replace Log4j 1 library with Reload4j library

Replace Log4j 1 library with Reload4j library.

Security

Backlog	Title	Description
B-15969	Upgrade SmartGWT library dependencies (2022-06-16).	Information leakage vulnerability in SmartClient and SmartGWT server products with certain configurations. The vulnerability is present if you have the FileDownload servlet mapped in the web.xml file. We regard this vulnerability as potentially high severity because, although the exploit is non-obvious and requires knowledge of SmartClient/SmartGWT server internals, it gives read-only access to all files deployed as part of your web application. This vulnerability does not inherently allow an attacker to take over your SmartClient-based application, stop it from functioning, or give access to the server on which it is running.
B-15792	Update spring library dependencies.	To address CVE-2022-22965 and CVE-2022-22950, we have updated Universal Controller's Spring library dependencies to the following: Spring Framework 5.3.20 Spring Security 5.7.1 Spring Security SAML 1.0.10.RELEASE Universal Controller uses the Spring libraries for its SSO implementation.
B-15783	Remove the axis2-spring-1.7.4.jar dependency.	The jar file axis2-spring-1.7.4.jar is an Axis2 dependency that is not specifically used by UC. UC’s dependency on Axis2 relates to SOAP capabilities the Web Service Task.
B-15641	Remove the spring-webmvc dependency	This item addresses CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+. Universal Controller is not a "A Spring MVC or Spring WebFlux application"; however, a dependency to spring-webmvc-3.1.2.RELEASE.jar existed, because it came in with our dependency on Spring Security SAML. We have removed the dependency.
D-10807	Business Service Visibility Restricted property not honored by 'businessservice/list' Web Service.
D-10760	Information leakage through the 'audit/list' Web Service.
D-10678	User without appropriate role can read a group through Web Service.

Browser not supported