You are viewing the documentation for Blueriq 14. Documentation for other versions is available in our documentation directory.

1. Upgrade Instructions

There are no specific upgrade instructions for this release.

As a best practice

  • backup your repository
  • backup your database before running scripts
  • backup your spring.config.additional-location directory ([Blueriq installation directory]\Runtime)
  • backup any config files you have altered under [Blueriq installation directory]\Services

before you start the upgrade.

2. Artifacts

 The Blueriq artifacts are available under name: 14.10.2.4828

This release includes these versions of Blueriq components with a separate life cycle:

Component

Version

Customer Data Service 3.4.11
DCM Lists Service 1.4.10
Material Theme 1.0.42

3. Aquima Libraries

There are no specific Library updates for this release.

4. Libraries

In this release, the set of third party libraries that is used by Blueriq was updated. When your installation of Blueriq includes custom components (artifacts that do not ship with Blueriq, such as proprietary plugins), those components should be tested for compatibility with these changes.

ArtifactId

GroupId

License

Version in 14.10.1

Version in 14.10.2

jackson-module-jaxb-annotations

com.fasterxml.jackson.module

Apache License 2.0

2.12.6

(error)

netty-tcnative-classes

io.netty

Apache License 2.0

2.0.46.Final

(error)

accessors-smart

net.minidev

Apache License 2.0

2.4.7

2.4.8

groovy

org.codehaus.groovy

Apache License 2.0

3.0.9

3.0.10

hibernate-validator

org.hibernate.validator

Apache License 2.0

6.2.0.Final

6.2.3.Final

jackson-annotations

com.fasterxml.jackson.core

Apache License 2.0

2.12.6

2.13.2

jackson-core

com.fasterxml.jackson.core

Apache License 2.0

2.12.6

2.13.2

jackson-databind

com.fasterxml.jackson.core

Apache License 2.0

2.12.6

2.13.2.1

jackson-dataformat-xml

com.fasterxml.jackson.dataformat

Apache License 2.0

2.12.6

2.13.2

jackson-dataformat-yaml

com.fasterxml.jackson.dataformat

Apache License 2.0

2.12.6

2.13.2

jackson-datatype-jsr310

com.fasterxml.jackson.datatype

Apache License 2.0

2.12.6

2.13.2

jaxb-runtime

org.glassfish.jaxb

Eclipse Public License - v 1.0

2.3.5

2.3.6

jboss-logging

org.jboss.logging

Apache License 2.0

3.4.2.Final

3.4.3.Final

json-smart

net.minidev

Apache License 2.0

2.4.7

2.4.8

jul-to-slf4j

org.slf4j

MIT License

1.7.32

1.7.36

log4j-api

org.apache.logging.log4j

Apache License 2.0

2.17.1

2.17.2

log4j-to-slf4j

org.apache.logging.log4j

Apache License 2.0

2.17.1

2.17.2

logback-classic

ch.qos.logback

Eclipse Public License - v 1.0

1.2.9

1.2.11

logback-core

ch.qos.logback

Eclipse Public License - v 1.0

1.2.9

1.2.11

metrics-core

io.dropwizard.metrics

Apache License 2.0

4.1.29

4.1.31

micrometer-core

io.micrometer

Apache License 2.0

1.7.7

1.7.10

netty-buffer

io.netty

Apache License 2.0

4.1.72.Final

4.1.75.Final

netty-codec

io.netty

Apache License 2.0

4.1.72.Final

4.1.75.Final

netty-codec-dns

io.netty

Apache License 2.0

4.1.72.Final

4.1.75.Final

netty-codec-http

io.netty

Apache License 2.0

4.1.72.Final

4.1.75.Final

netty-codec-http2

io.netty

Apache License 2.0

4.1.72.Final

4.1.75.Final

netty-codec-socks

io.netty

Apache License 2.0

4.1.72.Final

4.1.75.Final

netty-common

io.netty

Apache License 2.0

4.1.72.Final

4.1.75.Final

netty-handler

io.netty

Apache License 2.0

4.1.72.Final

4.1.75.Final

netty-handler-proxy

io.netty

Apache License 2.0

4.1.72.Final

4.1.75.Final

netty-incubator-codec-classes-quic

io.netty.incubator

Apache License 2.0

0.0.24.Final

0.0.26.Final

netty-incubator-codec-native-quic

io.netty.incubator

Apache License 2.0

0.0.24.Final

0.0.26.Final

netty-resolver

io.netty

Apache License 2.0

4.1.72.Final

4.1.75.Final

netty-resolver-dns

io.netty

Apache License 2.0

4.1.72.Final

4.1.75.Final

netty-resolver-dns-classes-macos

io.netty

Apache License 2.0

4.1.72.Final

4.1.75.Final

netty-resolver-dns-native-macos

io.netty

Apache License 2.0

4.1.72.Final

4.1.75.Final

netty-transport

io.netty

Apache License 2.0

4.1.72.Final

4.1.75.Final

netty-transport-classes-epoll

io.netty

Apache License 2.0

4.1.72.Final

4.1.75.Final

netty-transport-native-epoll

io.netty

Apache License 2.0

4.1.72.Final

4.1.75.Final

netty-transport-native-unix-common

io.netty

Apache License 2.0

4.1.72.Final

4.1.75.Final

reactor-core

io.projectreactor

Apache License 2.0

3.4.13

3.4.16

reactor-netty

io.projectreactor.netty

Apache License 2.0

1.0.14

1.0.17

reactor-netty-core

io.projectreactor.netty

Apache License 2.0

1.0.14

1.0.17

reactor-netty-http

io.projectreactor.netty

Apache License 2.0

1.0.14

1.0.17

reactor-netty-http-brave

io.projectreactor.netty

Apache License 2.0

1.0.14

1.0.17

reactor-netty-incubator-quic

io.projectreactor.netty.incubator

Apache License 2.0

0.0.3

0.0.6

slf4j-api

org.slf4j

MIT License

1.7.32

1.7.36

snakeyaml

org.yaml

Apache License 2.0

1.28

1.30

spring-amqp

org.springframework.amqp

Apache License 2.0

2.3.13

2.3.15

spring-aop

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-beans

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-boot

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-actuator

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-actuator-autoconfigure

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-autoconfigure

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-configuration-processor

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-starter

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-starter-aop

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-starter-data-mongodb

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-starter-logging

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-starter-validation

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-cloud-commons

org.springframework.cloud

Apache License 2.0

3.0.4

3.0.5

spring-cloud-config-client

org.springframework.cloud

Apache License 2.0

3.0.4

3.0.6

spring-cloud-config-server

org.springframework.cloud

Apache License 2.0

3.0.4

3.0.6

spring-cloud-context

org.springframework.cloud

Apache License 2.0

3.0.4

3.0.5

spring-cloud-sleuth-api

org.springframework.cloud

Apache License 2.0

3.0.4

3.0.5

spring-cloud-sleuth-autoconfigure

org.springframework.cloud

Apache License 2.0

3.0.4

3.0.5

spring-cloud-sleuth-brave

org.springframework.cloud

Apache License 2.0

3.0.4

3.0.5

spring-cloud-sleuth-instrumentation

org.springframework.cloud

Apache License 2.0

3.0.4

3.0.5

spring-cloud-starter

org.springframework.cloud

Apache License 2.0

3.0.4

3.0.5

spring-cloud-starter-bootstrap

org.springframework.cloud

Apache License 2.0

3.0.4

3.0.5

spring-cloud-starter-config

org.springframework.cloud

Apache License 2.0

3.0.4

3.0.6

spring-cloud-starter-sleuth

org.springframework.cloud

Apache License 2.0

3.0.4

3.0.5

spring-context

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-context-support

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-core

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-data-commons

org.springframework.data

Apache License 2.0

2.5.7

2.5.10

spring-data-keyvalue

org.springframework.data

Apache License 2.0

2.5.7

2.5.10

spring-data-mongodb

org.springframework.data

Apache License 2.0

3.2.7

3.2.10

spring-data-redis

org.springframework.data

Apache License 2.0

2.5.7

2.5.10

spring-expression

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-hateoas

org.springframework.hateoas

Apache License 2.0

1.3.6

1.3.7

spring-jcl

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-jdbc

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-ldap-core

org.springframework.ldap

Apache License 2.0

2.3.5.RELEASE

2.3.6.RELEASE

spring-messaging

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-orm

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-oxm

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-rabbit

org.springframework.amqp

Apache License 2.0

2.3.13

2.3.15

spring-retry

org.springframework.retry

Apache License 2.0

1.3.1

1.3.2

spring-security-config

org.springframework.security

Apache License 2.0

5.5.4

5.5.5

spring-security-core

org.springframework.security

Apache License 2.0

5.5.4

5.5.5

spring-security-crypto

org.springframework.security

Apache License 2.0

5.5.4

5.5.5

spring-security-ldap

org.springframework.security

Apache License 2.0

5.5.4

5.5.5

spring-security-oauth2-client

org.springframework.security

Apache License 2.0

5.5.4

5.5.5

spring-security-oauth2-core

org.springframework.security

Apache License 2.0

5.5.4

5.5.5

spring-security-web

org.springframework.security

Apache License 2.0

5.5.4

5.5.5

spring-session-core

org.springframework.session

Apache License 2.0

2.5.4

2.5.5

spring-session-data-redis

org.springframework.session

Apache License 2.0

2.5.4

2.5.5

spring-tx

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-web

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-webflux

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-webmvc

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-ws-core

org.springframework.ws

Apache License 2.0

3.1.2

3.1.3

spring-ws-security

org.springframework.ws

Apache License 2.0

3.1.2

3.1.3

spring-xml

org.springframework.ws

Apache License 2.0

3.1.2

3.1.3

txw2

org.glassfish.jaxb

Eclipse Public License - v 1.0

2.3.5

2.3.6

woodstox-core

com.fasterxml.woodstox

Apache License 2.0

6.2.6

6.2.7

ArtifactId

GroupId

License

Version in 3.4.10

Version in 3.4.11

javax.annotation-api

javax.annotation

CDDL/GPLv2+CE

1.3.2

(error)

jackson-databind

com.fasterxml.jackson.core

Apache License 2.0

2.13.2

2.13.2.1

jaxb-runtime

org.glassfish.jaxb

Eclipse Public License - v 1.0

2.3.5

2.3.6

jboss-logging

org.jboss.logging

Apache License 2.0

3.4.2.Final

3.4.3.Final

jul-to-slf4j

org.slf4j

MIT License

1.7.32

1.7.36

log4j-api

org.apache.logging.log4j

Apache License 2.0

2.17.1

2.17.2

log4j-to-slf4j

org.apache.logging.log4j

Apache License 2.0

2.17.1

2.17.2

logback-classic

ch.qos.logback

Eclipse Public License - v 1.0

1.2.9

1.2.11

logback-core

ch.qos.logback

Eclipse Public License - v 1.0

1.2.9

1.2.11

slf4j-api

org.slf4j

MIT License

1.7.32

1.7.36

spring-amqp

org.springframework.amqp

Apache License 2.0

2.3.13

2.3.15

spring-aop

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-beans

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-boot

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-autoconfigure

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-starter

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-starter-aop

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-starter-json

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-starter-logging

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-starter-security

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-starter-web

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-context

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-core

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-data-commons

org.springframework.data

Apache License 2.0

2.5.7

2.5.10

spring-expression

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-jcl

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-jdbc

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-messaging

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-orm

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-rabbit

org.springframework.amqp

Apache License 2.0

2.3.13

2.3.15

spring-retry

org.springframework.retry

Apache License 2.0

1.3.1

1.3.2

spring-security-config

org.springframework.security

Apache License 2.0

5.5.4

5.5.5

spring-security-core

org.springframework.security

Apache License 2.0

5.5.4

5.5.5

spring-security-crypto

org.springframework.security

Apache License 2.0

5.5.4

5.5.5

spring-security-web

org.springframework.security

Apache License 2.0

5.5.4

5.5.5

spring-tx

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-web

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-webmvc

org.springframework

Apache License 2.0

5.3.14

5.3.18

txw2

org.glassfish.jaxb

Eclipse Public License - v 1.0

2.3.5

2.3.6

ArtifactId

GroupId

License

Version in 1.4.9

Version in 1.4.10

javax.annotation-api

javax.annotation

CDDL/GPLv2+CE

1.3.2

(error)

jackson-databind

com.fasterxml.jackson.core

Apache License 2.0

2.13.2

2.13.2.1

jul-to-slf4j

org.slf4j

MIT License

1.7.32

1.7.36

log4j-api

org.apache.logging.log4j

Apache License 2.0

2.17.1

2.17.2

log4j-to-slf4j

org.apache.logging.log4j

Apache License 2.0

2.17.1

2.17.2

logback-classic

ch.qos.logback

Eclipse Public License - v 1.0

1.2.9

1.2.11

logback-core

ch.qos.logback

Eclipse Public License - v 1.0

1.2.9

1.2.11

slf4j-api

org.slf4j

MIT License

1.7.32

1.7.36

spring-amqp

org.springframework.amqp

Apache License 2.0

2.3.13

2.3.15

spring-aop

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-beans

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-boot

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-autoconfigure

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-starter

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-starter-aop

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-starter-logging

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-boot-starter-security

org.springframework.boot

Apache License 2.0

2.5.8

2.5.12

spring-context

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-core

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-data-commons

org.springframework.data

Apache License 2.0

2.5.7

2.5.10

spring-data-mongodb

org.springframework.data

Apache License 2.0

3.2.7

3.2.10

spring-expression

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-jcl

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-messaging

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-rabbit

org.springframework.amqp

Apache License 2.0

2.3.13

2.3.15

spring-retry

org.springframework.retry

Apache License 2.0

1.3.1

1.3.2

spring-security-config

org.springframework.security

Apache License 2.0

5.5.4

5.5.5

spring-security-core

org.springframework.security

Apache License 2.0

5.5.4

5.5.5

spring-security-crypto

org.springframework.security

Apache License 2.0

5.5.4

5.5.5

spring-security-web

org.springframework.security

Apache License 2.0

5.5.4

5.5.5

spring-tx

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-web

org.springframework

Apache License 2.0

5.3.14

5.3.18

spring-webmvc

org.springframework

Apache License 2.0

5.3.14

5.3.18

5. Retirement announcement

There are no specific retirement announcements.

For a full list of deprecated features, go to Deprecated features.

6. Bug fixes

Identifier

Component

Issue

Solution

BQ-15678

Customer Data Service, DCM Lists Service, JAVA Runtime

With this issue it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
In Blueriq, user input is sanitized and such input is never used by the out-of-the-box functionality to create SpEL expressions. Meaning Blueriq is not affected by this CVE.

The fix provided in the Spring Framework is applied to Blueriq 14 and 13 by upgrading Spring Framework to a newer patch version. For other Blueriq versions no patch is provided by the Spring Framework.

BQ-15586

Customer Data Service, DCM Lists Service, JAVA Runtime

CVE-2022-22965 was found. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment.

Fixed by upgrading spring framework to newer patch versions

BQ-15505

Customer Data Service, DCM Lists Service, JAVA Runtime

CVE-2020-36518 was detected on jackson-databind before 2.13.2.1

Fixed by upgrading to the latest version of jackson-databind which does not contain the vulnerability.

7. Known issues

For an overview of known issue please refer to: Known issues