Universal Controller 7.1.2.0 Release Notes

Release Notes

Universal Controller release 7.1.2.0 contains the following high-level features. For a complete list of all the included features and fixes, please refer to the Universal Controller 7.2.x Maintenance list.

Architecture

Backlog

Title

Description

B-15981

Make the timeout for email notification output configurable.

New uc.properties configuration property that allows the timeout for the subscription to task output retrieval from a notification email to be configured:

uc.action.email_notification.attach_output.subscription.timeout_in_seconds

Default value is 180.

B-15965

SAP Task: Modify -event_select_state configuration option to use short form "N", "C", and "A".

A change in UA (Universal Agent) version 7.1 introduced more stringent syntax checks, resulting in SAP Tasks failing with an error message indicating that the parameter value exceeds a size limit.

B-14859

Replace Log4j 1 library with Reload4j library

Replace Log4j 1 library with Reload4j library.

Security

Backlog

Title

Description

B-15969

Upgrade SmartGWT library dependencies (2022-06-16).

Information leakage vulnerability in SmartClient and SmartGWT server products with certain configurations. The vulnerability is present if you have the FileDownload servlet mapped in the web.xml file.

We regard this vulnerability as potentially high severity because, although the exploit is non-obvious and requires knowledge of SmartClient/SmartGWT server internals, it gives read-only access to all files deployed as part of your web application.

This vulnerability does not inherently allow an attacker to take over your SmartClient-based application, stop it from functioning, or give access to the server on which it is running.

B-15792

Update Spring library dependencies.

To address CVE-2022-22965 and CVE-2022-22950, we have updated Universal Controller's Spring library dependencies to the following:

  • Spring Framework 5.3.20
  • Spring Security 5.7.1
  • Spring Security SAML 1.0.10.RELEASE

Universal Controller uses the Spring libraries for its SSO implementation.

B-15783

Remove the axis2-spring-1.7.4.jar dependency.

The jar file axis2-spring-1.7.4.jar is an Axis2 dependency that is not specifically used by UC. UC’s dependency on Axis2 relates to the SOAP capabilities of the Web Service Task.

B-15641

Remove the spring-webmvc dependency

This item addresses CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+.

Universal Controller is not a "Spring MVC or Spring WebFlux application"; however, a dependency on spring-webmvc-3.1.2.RELEASE.jar existed because it came in with our dependency on Spring Security SAML. We have removed the dependency.

D-10807

Business Service Visibility Restricted property not honored by 'businessservice/list' Web Service.

D-10760

Information leakage through the 'audit/list' Web Service.

D-10678

User without appropriate role can read a group through Web Service.
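
For B-15969, the stated exposure condition is that the FileDownload servlet is mapped in web.xml. The following added example (not part of the original release notes and not Stonebranch or Isomorphic code) checks a web.xml for that condition and reports the URL patterns involved. The class name com.isomorphic.servlet.FileDownload, the sample URL patterns and the OtherServlet entry are assumptions used for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: the servlet is declared with servlet-name "FileDownload" or a class
# whose simple name is FileDownload; adjust TARGET if your deployment differs.
TARGET = "FileDownload"

# Constructed sample web.xml (not from any product); OtherServlet is hypothetical.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>FileDownload</servlet-name>
    <servlet-class>com.isomorphic.servlet.FileDownload</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>Other</servlet-name>
    <servlet-class>com.example.OtherServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>FileDownload</servlet-name>
    <url-pattern>/app/sc/skins/*</url-pattern>
    <url-pattern>/app/sc/system/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Other</servlet-name>
    <url-pattern>/app/other/*</url-pattern>
  </servlet-mapping>
</web-app>"""

def local(tag):  # drop the XML namespace so javaee, jakartaee and plain files match
    return tag.rsplit("}", 1)[-1]

def child_texts(elem, name):
    return [(c.text or "").strip() for c in elem if local(c.tag) == name]

def file_download_mappings(web_xml_text):
    """Return {servlet-name: [url-pattern, ...]} for each mapped FileDownload servlet."""
    root = ET.fromstring(web_xml_text)
    names, found = set(), {}
    for s in (e for e in root if local(e.tag) == "servlet"):
        name = "".join(child_texts(s, "servlet-name")[:1])
        cls = "".join(child_texts(s, "servlet-class")[:1])
        if name == TARGET or cls.rsplit(".", 1)[-1] == TARGET:
            names.add(name)
    for m in (e for e in root if local(e.tag) == "servlet-mapping"):
        name = "".join(child_texts(m, "servlet-name")[:1])
        if name in names:
            found.setdefault(name, []).extend(child_texts(m, "url-pattern"))
    return found

if __name__ == "__main__":
    print(file_download_mappings(SAMPLE_WEB_XML))
```

An empty result means no FileDownload servlet mapping was found in that file; a servlet that is declared but has no servlet-mapping entry is not reported.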