SECURITY - Fixes as of October 2020

Ryan Carrie shared this announcement 39 days ago

Yellowfin has released a number of security fixes and enhancements. They are included in the following current releases:

8.0.7

9.3

Security Fixes / Enhancements:

Added audit events for when user roles are manipulated within the application
Added a new feature requiring users registered in the application to update their password on a regular basis
Added support for the SameSite attribute on the JSESSIONID cookie, for both fresh installs and upgrades
Fixed an issue that broke View security on a report's sub-query
Improved text widget security against XSS attacks
Patched persistent (stored) XSS vulnerabilities in the dashboard builder
Prevented paths within the Appserver directory structure from being used as Save To Disk targets
Resolved a path traversal issue in Save To Disk broadcasts
Resolved an issue where a dashboard's "Used By" list included Client Org users after the dashboard was distributed within the Primary Org
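Two of the fixes above are easy to verify after upgrading: that the JSESSIONID cookie now carries a SameSite attribute, and that Save To Disk targets cannot escape the configured export directory or land inside the Appserver tree. The following is an added example written for this notice, not Yellowfin code: it parses Set-Cookie headers taken from a login response and canonicalises a requested output path the way a hardened Save To Disk check should. The install paths (/opt/yellowfin/exports, /opt/yellowfin/appserver) and the Set-Cookie headers are constructed for illustration and are not taken from a real Yellowfin deployment.

```python
"""Post-upgrade checks for two fixes in this notice (added example, not Yellowfin code).

Assumptions (hypothetical): Yellowfin is installed under /opt/yellowfin with
its Tomcat in /opt/yellowfin/appserver and Save To Disk exports under
/opt/yellowfin/exports. The Set-Cookie headers below are constructed.
"""
from pathlib import Path

# Hypothetical Appserver directory that must never receive Save To Disk output.
APPSERVER_DIRS = ["/opt/yellowfin/appserver"]


def jsessionid_attributes(set_cookie_headers):
    """Return the attributes of the JSESSIONID cookie (keys lower-cased), or None if absent."""
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name, _, _ = parts[0].partition("=")
        if name.strip() != "JSESSIONID":
            continue
        attrs = {}
        for attr in parts[1:]:
            key, _, value = attr.partition("=")
            # Flag attributes such as HttpOnly/Secure have no value; store True.
            attrs[key.strip().lower()] = value.strip() or True
        return attrs
    return None


def jsessionid_findings(set_cookie_headers):
    """List what is still missing on the session cookie; an empty list means hardened."""
    attrs = jsessionid_attributes(set_cookie_headers)
    if attrs is None:
        return ["no JSESSIONID cookie in the response"]
    findings = []
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        findings.append("JSESSIONID lacks SameSite=Lax/Strict")
    if "httponly" not in attrs:
        findings.append("JSESSIONID lacks HttpOnly")
    if "secure" not in attrs:
        findings.append("JSESSIONID lacks Secure")
    return findings


def resolve_save_target(base_dir, requested, forbidden_dirs=APPSERVER_DIRS):
    """Canonicalise `requested` under `base_dir` and reject traversal or forbidden locations.

    Both '..' segments and absolute paths are neutralised by resolving the joined
    path and then checking containment, instead of string-matching the input.
    """
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    if target != base and base not in target.parents:
        raise ValueError(f"{requested!r} escapes export directory {base}")
    for forbidden in forbidden_dirs:
        fdir = Path(forbidden).resolve()
        if target == fdir or fdir in target.parents:
            raise ValueError(f"{requested!r} lands inside Appserver directory {fdir}")
    return target


def is_safe_save_target(base_dir, requested, forbidden_dirs=APPSERVER_DIRS):
    """Boolean wrapper around resolve_save_target for quick checks."""
    try:
        resolve_save_target(base_dir, requested, forbidden_dirs)
        return True
    except ValueError:
        return False


# Constructed Set-Cookie headers: a pre-fix style cookie and a hardened one.
OLD_HEADERS = ["JSESSIONID=ABC123; Path=/; HttpOnly"]
NEW_HEADERS = ["JSESSIONID=ABC123; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    print("old cookie:", jsessionid_findings(OLD_HEADERS) or "hardened")
    print("new cookie:", jsessionid_findings(NEW_HEADERS) or "hardened")
    for req in ["reports/sales.pdf", "../appserver/webapps/ROOT/x.jsp",
                "/opt/yellowfin/appserver/conf/server.xml"]:
        print(f"{req!r}: {'allowed' if is_safe_save_target('/opt/yellowfin/exports', req) else 'rejected'}")
```

To check a live instance, capture the Set-Cookie headers from the login response (for example with curl -i) and pass them to jsessionid_findings; the path check is the logic an administrator can compare against when reviewing which Save To Disk destinations the broadcast settings still accept after the upgrade.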

Additionally, we have made a number of library upgrades:

Upgraded jQuery library to version 3.5.1
Upgraded Apache POI library to version 4.1.2
Upgraded Apache Tomcat to version 9.0.37 for new installs
Upgraded commons-fileupload to version 1.4
Upgraded Google Guava library to version 29.0
Upgraded JasperReports library to version 6.13.0
Upgraded JAX-WS web services framework to version 2.3.3
Upgraded JGroups communication library to version 4.2.4
Upgraded PostgreSQL JDBC driver to version 42.2.14
Upgraded snakeyaml to version 1.26
Upgraded Spring Framework libraries from 5.1.4 to 5.2.7
Removed Restlet libraries

Please visit the Yellowfin portal to access these releases, and subscribe to announcements via RSS for future Security Notices, as detailed here. Note that the Tomcat upgrade applies to new installs only; existing installations should update their Appserver separately.

Be sure to review our best practices for performing a Yellowfin upgrade prior to making any changes to your environment.