You are viewing the documentation for Blueriq 13. Documentation for other versions is available in our documentation directory.

1. Upgrade Instructions

There are no specific upgrade instructions for this release.

As a best practice, before you start the upgrade:

  • back up your repository
  • back up your database before running scripts
  • back up your spring.config.additional-location directory ([Blueriq installation directory]\Runtime)
  • back up any config files you have altered under [Blueriq installation directory]\Services

2. Artifacts

The Blueriq artifacts are available under the name 13.13.18.xxxx.

This release includes these versions of Blueriq components with a separate life cycle:

Component                    Version
Customer Data Service        3.4.9
DCM Lists Service            1.4.7
Material Theme               1.0.42
Development tools frontend   1.1.1

3. Aquima Libraries

There are no specific Library updates for this release.

4. Libraries

No libraries have been updated between version 13.13.17 and version 13.13.18.

5. Retirement announcement

There are no specific retirement announcements.

For a full list of deprecated features, go to Deprecated features.

6. Bug fixes

Identifier: BQ-15678
Component: Customer Data Service, DCM Lists Service, JAVA Runtime
Issue: This issue makes it possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition. In Blueriq, user input is sanitized and such input is never used by the out-of-the-box functionality to create SpEL expressions, so Blueriq is not affected by this CVE.
Solution: The fix provided in the Spring Framework is applied to Blueriq 14 and 13 by upgrading Spring Framework to a newer patch version. For other Blueriq versions no patch is provided by the Spring Framework.

Identifier: BQ-15579
Component: Customer Data Service, DCM Lists Service, JAVA Runtime
Issue: CVE-2022-22965 was found. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment.
Solution: Fixed by upgrading Spring Framework to newer patch versions.

Identifier: BQ-15505
Component: Customer Data Service, DCM Lists Service, JAVA Runtime
Issue: CVE-2020-36518 was detected on jackson-databind before 2.13.2.
Solution: Fixed by upgrading to the latest version of jackson-databind, which does not contain the vulnerability.

Identifier: CSD-3889
Component: JAVA Runtime
Issue: Blueriq didn't offer a security property to enable session fixation protection.
Solution: Blueriq now offers a property to enable session fixation protection: blueriq.security.session-fixation-protection.enabled = true

7. Known issues

For an overview of known issues, please refer to: Known issues
