IMPORTANT - Security Fixes as of March 2020

Ryan Carrie shared this announcement 16 days ago

Yellowfin has released a number of Security fixes and enhancements, available in current releases.  The list below details these, available in:

7.4.13

8.0.5

Security Fixes / Enhancements:

  • 17867: Fixed an issue with cached access filter values on the dashboard - High
  • 17569: Fixed an XSS problem in story editor - High
  • 17539: Fixed a potential XSS problem in Discussion Polls with Thumbs - High
  • 6259: Updated Axis library with security patch - High
  • 16840: Fixed a potential XSS problem in page header URL - High
  • 16580: Prevent File Inclusions with Custom Header or Footer - High
  • 16522: Upgrade Application Server to Tomcat 9.0.29 for new installs. -  Medium
  • 15996: Update Java Mail library to version 1.6.2 - Medium
  • 14935: Address XSS issues on the View Drag'n'Drop page - Medium
  • 10728: Updated Commons Beanutils library to 1.9.4 - Medium
  • 10727: Updated Apache Batik library to version 1.12 - Medium
  • 6260: Updated Bouncycastle to version 1.64 and added PDFBox for securing the generated PDF - Medium
  • 17500: Upgraded Jackson data processor libraries to 2.10.1 - Medium
  • 17480: Fixed the Yellowfin CSRF filter, which was not working properly post Struts-removal. - Medium

Please visit our download page to access these releases, and subscribe to announcements via RSS for future Security Notices, as detailed here.

Tomcat Ghostcat - For those concerned over this recently published vulnerability, Yellowfin has confirmed that Yellowfin deployments are not affected, provided Administrators haven't made alterations to the default configuration files.  For detailed information you can see our article here.

Regards,

The Yellowfin Team.