You are viewing the documentation for Blueriq 14. Documentation for other versions is available in our documentation directory.




1. Enhancements

| Enhancement | Details |
| --- | --- |
| Security | Previously, the secure session cookie flag was enabled with the environment variable BLUERIQ_SECURE_SESSION_COOKIE. From this version onwards, the secure session cookie flag is set using a property. See Release 14.7 Upgrade Instructions for how to update the secure session cookie configuration. For more information, visit Security: Blueriq session and cookie. |






2. Log4shell

Several critical CVEs were reported on the log4j-core library. Blueriq is not affected by these CVEs; see https://www.blueriq.com/en/insights/measures-concerning-log4shell for our statement.

We do use log4j dependencies (log4j-api and log4j-to-slf4j) that are not affected, but use the same versioning scheme as the affected log4j-core library. To avoid confusion, we upgraded these libraries to the latest version 2.17.0.
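
Added example (not part of the Blueriq documentation or of Blueriq's own code): a Python check an operator could run against an installation directory to confirm which log4j artifacts it actually contains. It goes beyond file names by opening nested archives (jars inside a WAR) and looking for the JndiLookup class that only log4j-core ships; the function names and the (location, artifact, version) tuple layout are assumptions of this example.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Class that only log4j-core ships; its presence marks a repackaged copy.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_JAR = re.compile(r"(log4j-[a-z0-9-]+?)-(\d+(?:\.\d+)+)\.jar$")
ARCHIVES = (".jar", ".war", ".ear")

def scan_archive(source, label, findings):
    """Record log4j artifacts in one archive, recursing into nested archives."""
    try:
        archive = zipfile.ZipFile(source)
    except (zipfile.BadZipFile, OSError):
        findings.append((label, "unreadable", None))
        return
    with archive:
        names = archive.namelist()
        named = LOG4J_JAR.search(label)
        if named:
            findings.append((label, named.group(1), named.group(2)))
        if JNDI_LOOKUP in names and not (named and named.group(1) == "log4j-core"):
            findings.append((label, "log4j-core (repackaged)", None))
        for name in names:
            if name.lower().endswith(ARCHIVES):
                nested = io.BytesIO(archive.read(name))
                scan_archive(nested, f"{label}!/{name}", findings)

def scan_tree(root):
    """Return (location, artifact, version) for every log4j jar under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            scan_archive(path, str(path), findings)
    return findings

def has_log4j_core(findings):
    """True if any finding is log4j-core, by file name or by class content."""
    return any(artifact.startswith("log4j-core") for _, artifact, _ in findings)

if __name__ == "__main__":
    results = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for location, artifact, version in results:
        print(f"{artifact:24} {version or '-':10} {location}")
    print("log4j-core present:", has_log4j_core(results))
```

Run it with the installation directory as the first argument; custom components that bundle their own logging stack show up in the same listing.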

3. Changes Platform Support

Our Platform support is updated.

Changes are:

  • Dropped support for JBoss EAP 7.2
  • Added support for JBoss EAP 7.4

4. Upgrade Instructions

For upgrade instructions, see Release 14.7 Upgrade Instructions.

As a best practice, do the following before you start the upgrade:

  • Back up your repository
  • Back up your database before running scripts
  • Back up your spring.config.additional-location directory ([Blueriq installation directory]\Runtime)
  • Back up any config files you have altered under [Blueriq installation directory]\Services

5. Artifacts

The Blueriq artifacts are available under the name 14.7.0.4248.

This release includes these versions of Blueriq components with a separate life cycle:

| Component | Version |
| --- | --- |
| Customer Data Service | 3.4.5 |
| DCM Lists Service | 1.4.4 |
| Material Theme | 1.0.40 |

6. Aquima Libraries

There are no specific Library updates for this release.

7. Libraries

In this release, the set of third party libraries that is used by Blueriq was updated. When your installation of Blueriq includes custom components (artifacts that do not ship with Blueriq, such as proprietary plugins), those components should be tested for compatibility with these changes.

| ArtifactId | GroupId | License | 14.6.1 | 14.7 |
| --- | --- | --- | --- | --- |
| netty-resolver-dns-classes-macos | io.netty | Apache License 2.0 | - | 4.1.72.Final |
| netty-tcnative-classes | io.netty | Apache License 2.0 | - | 2.0.46.Final |
| netty-transport-classes-epoll | io.netty | Apache License 2.0 | - | 4.1.72.Final |
| log4j-api | org.apache.logging.log4j | Apache License 2.0 | 2.14.1 | 2.17.0 |
| log4j-to-slf4j | org.apache.logging.log4j | Apache License 2.0 | 2.14.1 | 2.17.0 |
| netty-buffer | io.netty | Apache License 2.0 | 4.1.69.Final | 4.1.72.Final |
| netty-codec | io.netty | Apache License 2.0 | 4.1.69.Final | 4.1.72.Final |
| netty-codec-dns | io.netty | Apache License 2.0 | 4.1.69.Final | 4.1.72.Final |
| netty-codec-http | io.netty | Apache License 2.0 | 4.1.69.Final | 4.1.72.Final |
| netty-codec-http2 | io.netty | Apache License 2.0 | 4.1.69.Final | 4.1.72.Final |
| netty-codec-socks | io.netty | Apache License 2.0 | 4.1.69.Final | 4.1.72.Final |
| netty-common | io.netty | Apache License 2.0 | 4.1.69.Final | 4.1.72.Final |
| netty-handler | io.netty | Apache License 2.0 | 4.1.69.Final | 4.1.72.Final |
| netty-handler-proxy | io.netty | Apache License 2.0 | 4.1.69.Final | 4.1.72.Final |
| netty-resolver | io.netty | Apache License 2.0 | 4.1.69.Final | 4.1.72.Final |
| netty-resolver-dns | io.netty | Apache License 2.0 | 4.1.69.Final | 4.1.72.Final |
| netty-resolver-dns-native-macos | io.netty | Apache License 2.0 | 4.1.69.Final | 4.1.72.Final |
| netty-transport | io.netty | Apache License 2.0 | 4.1.69.Final | 4.1.72.Final |
| netty-transport-native-epoll | io.netty | Apache License 2.0 | 4.1.69.Final | 4.1.72.Final |
| netty-transport-native-unix-common | io.netty | Apache License 2.0 | 4.1.69.Final | 4.1.72.Final |

| ArtifactId | GroupId | License | 3.4.1 (14.6.1) | 3.4.5 (14.7) |
| --- | --- | --- | --- | --- |
| log4j-api | org.apache.logging.log4j | Apache License 2.0 | 2.14.1 | 2.17.0 |
| log4j-to-slf4j | org.apache.logging.log4j | Apache License 2.0 | 2.14.1 | 2.17.0 |

| ArtifactId | GroupId | License | 1.4.1 (14.6.1) | 1.4.4 (14.7) |
| --- | --- | --- | --- | --- |
| log4j-api | org.apache.logging.log4j | Apache License 2.0 | 2.14.1 | 2.17.0 |
| log4j-to-slf4j | org.apache.logging.log4j | Apache License 2.0 | 2.14.1 | 2.17.0 |


8. Retirement announcement

We retired the BLUERIQ_SECURE_SESSION_COOKIE environment variable. See Deprecated features for details.

9. Bug fixes

| Identifier | Component | Issue | Solution |
| --- | --- | --- | --- |
| BQ-14474 | | CVE-2021-43797 & CVE-2021-23463 are reported on the runtime. | CVE-2021-43797 concerns a Netty library, which was updated to the latest version, in which the CVE is resolved. CVE-2021-23463 concerns H2, which we only ship with the development-tools component. This component is meant to be used for development and not for production. H2 can also be used as a database backend, but this is strongly discouraged in production environments. So we have not updated the H2 library, as production is unaffected. |
| CSD-3970 | JAVA Runtime | When importing a profile.xml using the XmlConverter, an exception is thrown when loading an already existing singleton entity instance. | This was a regression which occurred after the resolution of CSD-3923. When importing a profile.xml into a prefilled profile, the existing singletons will be used; otherwise the imported profile instance will be used. |
| CSD-3912 | | The inability to find a qualified name when importing a WSDL would omit the qualified name, making it hard to debug the issue. | The qualified name that could not be found is now included in the log. |
| CSD-3941 | JAVA Runtime | Fields did not properly support domains with invalid domain options. | Corrected the code to handle invalid domain options in the correct way. |
| CSD-3931 | | Importing a branch export from a Studio version older than R13 could fail if it contains external libraries that require a migration. | When an older branch export is imported into a newer Studio version, any external libraries are now correctly migrated as well. |
| CSD-3930 | | When an inline field is present on a page, the generation of a document using the document plugin would fail. | Inline fields no longer cause the document generation plugin to fail. |
| BQ-13951 | | When a timer or due date was set to reevaluate on domain change, and on reevaluation it would yield an unknown date, an exception was thrown and process evaluation halted. | When the timer or due date is evaluated to unknown on domain change, it is ignored. A warning is logged to alert that probably something is wrong in the domain model. |
| CSD-3869 | | Values in a MappedJustificationTree that were already visited during the traversal of the justificationTree were added as a duplicate entry in the MappedJustificationTree, leading to unnecessary memory usage. | Visited nodes are now cached and reused if they are visited more than once. |
| BQ-13195 | | For BAA(R)S endpoints that have a shortcut, the test path would always be read from the HTTP request, even in production mode. Test Paths are a development-only feature. If test path properties were present for the shortcut of the BAA(R)S, an attacker could provide an X-Blueriq-TestPath header and a different branch than the intended branch would be used to execute the BAA(R)S service. | Test path properties will now be ignored when running Blueriq Runtime in Production Mode. |

10. Known issues

For an overview of known issues, please refer to: Known issues