Blueriq 15.1 Bug Fixes

BQ-16097

Runtime

CVE-2022-22976 and CVE-2022-2298 have been detected on the Runtime. While we don't use RegexRequestMatcher, we are not vulnerable to CVE-2022-22978. We are however vulnerable to CVE-2022-22976 but only if BCrypt password encryption is used with 31 rounds.

We've updated the Spring libraries for Blueriq version 15, 14 and 13. If your project uses BCrypt encryption with 31 rounds (blueriq.security.bcrypt-strength) please follow the instructions on this page. We have also removed the option to use 31 rounds to mitigate the CVE for Blueriq version 12.

BQ-16096

Runtime

CVE-2022-22970 and CVE-2022-22971 have been detected on the Runtime. While we don't use STOMP over Web Socket, we are not vulnerable to CVE-2022-22971. We are however vulnerable to CVE-2022-22970 due to the usage of MultipartFile in the file upload component endpoint.

We have updated the spring-boot version to 2.6.8 (spring-framework 5.3.20) for version 15 and 14. For version 13 we have updated the spring-framework version to 5.2.22.

BQ-16092

Runtime

CVE-2022-24823 was reported for netty-transport-http.

Netty has been upgraded to version 4.1.77.Final, which doesn't have the vulnerability.

CSD-4123

Runtime

Function calls from a flow would not preserve the test path.
Function calls via Rest would not take test paths into account at all.

The test path is preserved in function calls from a flow.
You can now specify test paths in function shortcuts and the function call via Rest will take the specified test path to select the project version.

BQ-15966

Studio

The Keycloak account console could fail to initialize

The Keycloak configuration has been adjusted to resolve the failure.

CSD-3947

Runtime

A test path passed to an external flow would not be propagated to services that would be called before the first page in a flow.

This has been fixed.

CSD-4101

Runtime

In a BAAS, the test path would not be stored to propagate it to other services.

This has been fixed.