Universal Controller 7.1.2.0 Release Notes
Release Notes
Universal Controller release 7.1.2.0 contains the following high-level features. For a complete list of all the included features and fixes, please refer to the Universal Controller 7.2.x Maintenance list.
Architecture
Backlog | Title | Description |
---|---|---|
B-15981 | Make the timeout for email notification output configurable. | New uc.properties configuration property, uc.action.email_notification.attach_output.subscription.timeout_in_seconds, allows the timeout of the subscription to task output retrieval from a notification email to be configured. Default value is 180. |
B-15965 | SAP Task: Modify -event_select_state configuration option to use short form "N", "C", and "A". | A change in UA (Universal Agent) version 7.1 introduced more stringent syntax checks resulting in SAP Tasks failing with an error message indicating that the parameter value exceeds a size limit. |
B-14859 | Replace Log4j 1 library with Reload4j library | Replace Log4j 1 library with Reload4j library. |
Security
Backlog | Title | Description |
---|---|---|
B-15969 | Upgrade SmartGWT library dependencies (2022-06-16). | Information leakage vulnerability in SmartClient and SmartGWT server products with certain configurations. The vulnerability is present if you have the FileDownload servlet mapped in the web.xml file. We regard this vulnerability as potentially high severity because, although the exploit is non-obvious and requires knowledge of SmartClient/SmartGWT server internals, it gives read-only access to all files deployed as part of your web application. This vulnerability does not inherently allow an attacker to take over your SmartClient-based application, stop it from functioning, or give access to the server on which it is running. |
B-15792 | Update spring library dependencies. | To address CVE-2022-22965 and CVE-2022-22950, we have updated Universal Controller's Spring library dependencies to the following:
Universal Controller uses the Spring libraries for its SSO implementation. |
B-15783 | Remove the axis2-spring-1.7.4.jar dependency. | The jar file axis2-spring-1.7.4.jar is an Axis2 dependency that is not specifically used by UC. UC's dependency on Axis2 relates to the SOAP capabilities of the Web Service Task. |
B-15641 | Remove the spring-webmvc dependency | This item addresses CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+. Universal Controller is not a "Spring MVC or Spring WebFlux application"; however, a dependency on spring-webmvc-3.1.2.RELEASE.jar existed because it came in with our dependency on Spring Security SAML. We have removed the dependency. |
D-10807 | Business Service Visibility Restricted property not honored by 'businessservice/list' Web Service. | |
D-10760 | Information leakage through the 'audit/list' Web Service. | |
D-10678 | User without appropriate role can read a group through Web Service. | |