You are viewing the documentation for Blueriq 13. Documentation for other versions is available in our documentation directory.

1. Upgrade Instructions

There are no specific upgrade instructions for this release.

As a best practice

  • backup your repository
  • backup your database before running scripts
  • backup your spring.config.additional-location directory ([Blueriq installation directory]\Runtime)
  • backup any config files you have altered under [Blueriq installation directory]\Services

before you start the upgrade.

2. Artifacts

The Blueriq artifacts are available under name: 13.13.18.4826

This release includes these versions of Blueriq components with a separate life cycle:

Component

Version

Customer Data Service 3.4.11
DCM Lists Service 1.4.10
Material Theme 1.0.42
Development tools frontend 1.1.2

3. Aquima Libraries

There are no specific Library updates for this release.

4. Libraries

In this release, the set of third party libraries that is used by Blueriq was updated. When your installation of Blueriq includes custom components (artifacts that do not ship with Blueriq, such as proprietary plugins), those components should be tested for compatibility with these changes.


ArtifactId

GroupId

License

Version in 13.13.17

Version in 13.13.18

jackson-annotations

com.fasterxml.jackson.core

Apache License 2.0

2.13.1

2.13.2

jackson-core

com.fasterxml.jackson.core

Apache License 2.0

2.13.1

2.13.2

jackson-databind

com.fasterxml.jackson.core

Apache License 2.0

2.13.1

2.13.2.1

jackson-dataformat-xml

com.fasterxml.jackson.dataformat

Apache License 2.0

2.13.1

2.13.2

jackson-dataformat-yaml

com.fasterxml.jackson.dataformat

Apache License 2.0

2.13.1

2.13.2

jackson-datatype-jsr310

com.fasterxml.jackson.datatype

Apache License 2.0

2.13.1

2.13.2

snakeyaml

org.yaml

Apache License 2.0

1.28

1.30

spring-aop

org.springframework

Apache License 2.0

5.2.19.RELEASE

5.2.20.RELEASE

spring-beans

org.springframework

Apache License 2.0

5.2.19.RELEASE

5.2.20.RELEASE

spring-context

org.springframework

Apache License 2.0

5.2.19.RELEASE

5.2.20.RELEASE

spring-context-support

org.springframework

Apache License 2.0

5.2.19.RELEASE

5.2.20.RELEASE

spring-core

org.springframework

Apache License 2.0

5.2.19.RELEASE

5.2.20.RELEASE

spring-expression

org.springframework

Apache License 2.0

5.2.19.RELEASE

5.2.20.RELEASE

spring-jcl

org.springframework

Apache License 2.0

5.2.19.RELEASE

5.2.20.RELEASE

spring-jdbc

org.springframework

Apache License 2.0

5.2.19.RELEASE

5.2.20.RELEASE

spring-messaging

org.springframework

Apache License 2.0

5.2.19.RELEASE

5.2.20.RELEASE

spring-orm

org.springframework

Apache License 2.0

5.2.19.RELEASE

5.2.20.RELEASE

spring-oxm

org.springframework

Apache License 2.0

5.2.19.RELEASE

5.2.20.RELEASE

spring-tx

org.springframework

Apache License 2.0

5.2.19.RELEASE

5.2.20.RELEASE

spring-web

org.springframework

Apache License 2.0

5.2.19.RELEASE

5.2.20.RELEASE

spring-webflux

org.springframework

Apache License 2.0

5.2.19.RELEASE

5.2.20.RELEASE

spring-webmvc

org.springframework

Apache License 2.0

5.2.19.RELEASE

5.2.20.RELEASE

ArtifactId

GroupId

License

Version in 3.4.10

Version in 3.4.11

javax.annotation-api

javax.annotation

CDDL/GPLv2+CE

1.3.2

(error)

jackson-databind

com.fasterxml.jackson.core

Apache License 2.0

2.13.2

2.13.2.1

jaxb-runtime

org.glassfish.jaxb

Eclipse Public License - v 1.0

2.3.5

2.3.6

jboss-logging

org.jboss.logging

Apache License 2.0

3.4.2.Final

3.4.3.Final

jul-to-slf4j

org.slf4j

MIT License

1.7.32

1.7.36

log4j-api

org.apache.logging.log4j

Apache License 2.0

2.17.1

2.17.2

log4j-to-slf4j

org.apache.logging.log4j

Apache License 2.0

2.17.1

2.17.2

logback-classic

ch.qos.logback

Eclipse Public License - v 1.0

1.2.9

1.2.11

logback-core

ch.qos.logback

Eclipse Public License - v 1.0

1.2.9

1.2.11

slf4j-api

org.slf4j

MIT License

1.7.32

1.7.36

spring-amqp

org.springframework.amqp

Apache License 2.0

2.3.13

2.3.15

spring-aop

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-beans

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-boot

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-autoconfigure

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-starter

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-starter-aop

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-starter-json

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-starter-logging

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-starter-security

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-starter-web

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-context

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-core

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-data-commons

org.springframework.data

Apache License 2.0

2.5.7

2.5.10

spring-expression

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-jcl

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-jdbc

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-messaging

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-orm

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-rabbit

org.springframework.amqp

Apache License 2.0

2.3.13

2.3.15

spring-retry

org.springframework.retry

Apache License 2.0

1.3.1

1.3.2

spring-security-config

org.springframework.security

Apache License 2.0

5.5.4

5.5.5

spring-security-core

org.springframework.security

Apache License 2.0

5.5.4

5.5.5

spring-security-crypto

org.springframework.security

Apache License 2.0

5.5.4

5.5.5

spring-security-web

org.springframework.security

Apache License 2.0

5.5.4

5.5.5

spring-tx

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-web

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-webmvc

org.springframework

Apache License 2.0

5.3.14

5.3.18

txw2

org.glassfish.jaxb

Eclipse Public License - v 1.0

2.3.5

2.3.6

ArtifactId

GroupId

License

Version in 1.4.9

Version in 1.4.10

javax.annotation-api

javax.annotation

CDDL/GPLv2+CE

1.3.2

(error)

jackson-databind

com.fasterxml.jackson.core

Apache License 2.0

2.13.2

2.13.2.1

jul-to-slf4j

org.slf4j

MIT License

1.7.32

1.7.36

log4j-api

org.apache.logging.log4j

Apache License 2.0

2.17.1

2.17.2

log4j-to-slf4j

org.apache.logging.log4j

Apache License 2.0

2.17.1

2.17.2

logback-classic

ch.qos.logback

Eclipse Public License - v 1.0

1.2.9

1.2.11

logback-core

ch.qos.logback

Eclipse Public License - v 1.0

1.2.9

1.2.11

slf4j-api

org.slf4j

MIT License

1.7.32

1.7.36

spring-amqp

org.springframework.amqp

Apache License 2.0

2.3.13

2.3.15

spring-aop

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-beans

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-boot

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-autoconfigure

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-starter

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-starter-aop

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-starter-logging

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-starter-security

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-context

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-core

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-data-commons

org.springframework.data

Apache License 2.0

2.5.7

2.5.10

spring-data-mongodb

org.springframework.data

Apache License 2.0

3.2.7

3.2.10

spring-expression

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-jcl

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-messaging

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-rabbit

org.springframework.amqp

Apache License 2.0

2.3.13

2.3.15

spring-retry

org.springframework.retry

Apache License 2.0

1.3.1

1.3.2

spring-security-config

org.springframework.security

Apache License 2.0

5.5.4

5.5.5

spring-security-core

org.springframework.security

Apache License 2.0

5.5.4

5.5.5

spring-security-crypto

org.springframework.security

Apache License 2.0

5.5.4

5.5.5

spring-security-web

org.springframework.security

Apache License 2.0

5.5.4

5.5.5

spring-tx

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-web

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-webmvc

org.springframework

Apache License 2.0

5.3.14

5.3.18


5. Retirement announcement

There are no specific retirement announcements.

For a full list of deprecated features, go to Deprecated features.

6. Bug fixes

Identifier

Component

Issue

Solution

BQ-15678

Customer Data Service, DCM Lists Service, JAVA Runtime

With this issue it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
In Blueriq, user input is sanitized and such input is never used by the out-of-the-box functionality to create SpEL expressions. Meaning Blueriq is not affected by this CVE.

The fix provided in the Spring Framework is applied to Blueriq 14 and 13 by upgrading Spring Framework to a newer patch version. For other Blueriq versions no patch is provided by the Spring Framework.

BQ-15579

Customer Data Service, DCM Lists Service, JAVA Runtime

CVE-2022-22965 was found. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment.

Fixed by upgrading spring framework to newer patch versions

BQ-15505

Customer Data Service, DCM Lists Service, JAVA Runtime

CVE-2020-36518 was detected on jackson-databind before 2.13.2

Fixed by upgrading to the latest version of jackson-databind which does not contain the vulnerability.

CSD-3889

JAVA Runtime

Blueriq didn't offer a security property to enable session fixation protection

Blueriq now offers a property to enable session fixation protection: blueriq.security.session-fixation-protection.enabled = true

7. Known issues

For an overview of known issue please refer to: Known issues

  • No labels