Software Update for V.2022.02
As necessary, Archibus makes software updates available to released Archibus products. Updates have been fully tested by Archibus Development.
You can download this update from the "Software Downloads" section of:
- Archibus Support Site: https://archibus.zendesk.com/hc/en-us
- Allbound: https://eptura.allbound.com/learn/archibus-v-2022-02-downloads/
Archibus V2022.02.01.106 Update
The webcentral-2022.02.01.106.war (Archibus V2022.02.01.106) addresses several security issues:
- BIRT Support Removed. BIRT 4.8.0 has high-severity security vulnerabilities. The update removes BIRT. Custom flexible reporting options are being evaluated for a future release. (AD-9575) (CVE-2020-10683, CVE-2018-1000632, CVE-2014-3574, CVE-2014-3529, CVE-2019-12415, CVE-2018-1320)
- SQL Commands. Resolved issues with DWR requests containing SQL commands. If modified, these commands could allow attackers to interact directly with the database. (AD-7844)
- Spring Framework. Binding rules bypass issue with spring-context-5.3.18.jar. Upgraded to spring-context-5.3.19.jar to resolve. (AD-9671) (CVE-2022-22968)
- Moment. /schema/ab-products/essential/dev/workplace/node_modules/moment was vulnerable to path traversal. Upgraded to moment 2.29.3 to resolve. (AD-9644) (CVE-2022-24785)
- Minimist. /schema/ab-products/essential/dev/workplace/node_modules/minimist was vulnerable to prototype pollution. Upgraded to minimist 1.2.6 to resolve. (AD-9470) (CVE-2021-44906)
- Stored Cross-Site Scripting. Resolved issues to prevent cross-site scripting. (AD-8486)
- Signature Verification Bypass. Signature verification issues were found with nimbus-jose-jwt-9.8.1.jar. Upgraded to 9.22 to resolve. (AD-9797) (CVE-2022-21449)
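To confirm that a deployed WAR actually carries the component versions listed above, the following added example (not Archibus code) audits a WAR file for the older libraries. It assumes jars sit under the standard WEB-INF/lib directory and that any leftover BIRT library has "birt" in its file name; the sample WAR, its BIRT jar name, and the older moment and minimist versions are constructed for illustration.

```python
import io, json, re, zipfile

# Fixed versions named in the update notes above.
FIXED_JARS = {"spring-context": (5, 3, 19), "nimbus-jose-jwt": (9, 22)}
FIXED_NPM = {"moment": (2, 29, 3), "minimist": (1, 2, 6)}
JAR_RE = re.compile(r"(.+?)-(\d+(?:\.\d+)*)\.jar")
NPM_RE = re.compile(r"node_modules/(moment|minimist)/package\.json$")

def ver(text):
    """Turn '5.3.19' into (5, 3, 19) so versions compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def audit_war(war):
    """Return findings for a WAR given as a path or a binary file object."""
    findings = []
    with zipfile.ZipFile(war) as z:
        for name in z.namelist():
            base = name.rsplit("/", 1)[-1].lower()
            # Assumption: leftover BIRT libraries carry "birt" in the jar name.
            if base.endswith(".jar") and "birt" in base:
                findings.append(f"BIRT still present: {name}")
            jar = JAR_RE.fullmatch(base)
            if jar and jar.group(1) in FIXED_JARS and ver(jar.group(2)) < FIXED_JARS[jar.group(1)]:
                findings.append(f"{jar.group(1)} {jar.group(2)} is older than the fixed version")
            npm = NPM_RE.search(name)
            if npm:
                found = json.loads(z.read(name)).get("version", "0")
                if ver(found) < FIXED_NPM[npm.group(1)]:
                    findings.append(f"{npm.group(1)} {found} is older than the fixed version")
    return findings

def build_sample(jars, modules):
    """Build a constructed in-memory WAR: jar names plus {module: version}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for jar in jars:
            z.writestr(f"WEB-INF/lib/{jar}", b"")
        for mod, version in modules.items():
            path = f"schema/ab-products/essential/dev/workplace/node_modules/{mod}/package.json"
            z.writestr(path, json.dumps({"name": mod, "version": version}))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    old = build_sample(["spring-context-5.3.18.jar", "nimbus-jose-jwt-9.8.1.jar",
                        "org.eclipse.birt.runtime-4.8.0.jar"],  # constructed names
                       {"moment": "2.29.1", "minimist": "1.2.5"})
    for line in audit_war(old):
        print(line)
```

Pass the path of the deployed webcentral WAR to `audit_war` in place of the constructed sample; an empty list means none of the older components were found.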