Note

Rhino Element Manager 3.0 adds support for Java 11 and Rhino 3.0.0.

Version 3.0.0.4
13 September 2022

Log4j 2 CVE-2021-44228

Updated Log4j 2 dependency to v2.17.0 in response to recent CVEs.

For background, please refer to: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Rhino and Rhino Element Manager (REM) versions 2.6.0.x, 2.6.1.x, 2.6.2.x, 2.7.0.x, and 3.0.0.x all depend on Log4j 2.

These releases all ship with default log patterns that include %m{nolookups}. Although it was originally included in the defaults for performance reasons, %m{nolookups} is also described as a "temporary mitigation" in some relevant security commentary, for example https://www.lunasec.io/docs/blog/log4j-zero-day/

As far as Rhino is concerned, internal testing has determined that even when the default logging configuration is modified to remove the %m{nolookups} pattern, no external lookups are possible via JNDI remote classloading.

Rhino uses JNDI to implement JSLEE specification requirements, and as such provides its own custom implementation of InitialContextFactory by specifying the java.naming.factory.initial setting in an embedded jndi.properties file. The JNDI contexts provided by this factory do not provide an LDAP lookup facility.

As a consequence of the custom JNDI contexts provided, Rhino is not thought to be vulnerable to any exploits of this nature.

Unlike Rhino, REM does not use a custom InitialContextFactory and will therefore be vulnerable if {nolookups} is removed from the default logging pattern.
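To check whether a deployed REM logging configuration still carries the mitigation described above, here is an added Python example (not part of REM or of these release notes) that scans a Log4j 2 XML configuration for message conversion specifiers (%m, %msg, %message) lacking the nolookups option. The sample configuration is constructed for illustration; the check is only meaningful on Log4j 2 versions that still honour message lookups, and the actual fix is the upgrade to v2.17.0.

```python
"""Audit a Log4j 2 XML configuration for PatternLayouts that still permit message lookups."""

import re
import xml.etree.ElementTree as ET

# Message specifier (%m, %msg, %message) with an optional format modifier such as %-5m and
# optional {options}; the lookahead excludes %marker/%maxLen and the lookbehind skips a literal %%.
MSG_SPEC = re.compile(r"(?<!%)%[-0-9.]*(?:message|msg|m)(?![A-Za-z])(\{[^}]*\})?")

def message_specs_without_nolookups(pattern):
    """Return the message specifiers in a pattern that do not carry the nolookups option."""
    unsafe = []
    for match in MSG_SPEC.finditer(pattern):
        options = (match.group(1) or "").lower()
        if "nolookups" not in options:
            unsafe.append(match.group(0))
    return unsafe

def audit_log4j2_xml(xml_text):
    """Return (appender name, pattern) for every PatternLayout whose pattern allows lookups."""
    root = ET.fromstring(xml_text)
    findings = []
    for parent in root.iter():
        for layout in parent.findall("PatternLayout"):
            pattern = layout.get("pattern")
            if pattern is None:  # the pattern may be given as a <Pattern> child element instead
                child = layout.find("Pattern")
                pattern = (child.text or "") if child is not None else ""
            if message_specs_without_nolookups(pattern):
                findings.append((parent.get("name", parent.tag), pattern))
    return findings

# Constructed sample: the Console appender keeps the mitigation, the RollingFile appender does not.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %-5p [%t] %c - %m{nolookups}%n"/>
    </Console>
    <RollingFile name="Audit" fileName="audit.log" filePattern="audit-%i.log">
      <PatternLayout><Pattern>%d %marker %msg%n</Pattern></PatternLayout>
    </RollingFile>
  </Appenders>
</Configuration>"""

if __name__ == "__main__":
    for name, pattern in audit_log4j2_xml(SAMPLE_CONFIG):
        print("appender %r allows message lookups: %s" % (name, pattern))
```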

Note that in addition to CVE-2021-44228, there are other CVEs fixed by updating to Log4j v2.17.0.

Accordingly, all releases of Rhino and REM that include Log4j 2 are being released with this updated Log4j dependency.

All releases prior to 2.6.0.x do not use Log4j 2, and therefore do not contain this vulnerability.

Version 3.0.0.3
17 December 2021

Fixes

  • Fixed state checks to only query symmetric activation state mode when managing Rhino versions that support the symmetric activation state toggle. Rhino 3.0.0 uses a new state management model that combines the features of symmetric and per-node activation state. (EMS-1218)

  • Fixed JMX connection (and JMX client heartbeat thread) leak. This would occur when there was an active stats monitoring session and the underlying Rhino connection was reconnected by REM due to a temporary connection problem. (EMS-1221)

Version 3.0.0.1
05 October 2020

Improvements

  • Updates to support running under Java 11. Previous Java versions are no longer supported.

  • Include a template ldapauth.properties file to allow configuring LDAP. (EMS-1206)

  • Added support for displaying, creating, and updating stats-based limiters. (EMS-1198)

  • Updated bundled Jetty server to version 9.4.28. (VOLTE-9131)

  • Refactored developer mode for the REM SDK to work for Java 11 and the updated version of Jetty. The embedded Jetty in GWT developer mode has been replaced by a separate Jetty server instance. (EMS-1201)

Fixes

  • Removed an outdated link for sending feedback from the Tools menu and documentation. If you have any feedback about REM, please contact your Metaswitch Customer Care Representative. (EMS-1202)

  • Fixed exception handling in profile service that could sometimes leave ProfileMBeans open in the connected Rhino instance, blocking further updates to the profile by management clients. (EMS-1199)

  • Validate the authentication token in user/role management server calls. These functions are not visible to regular users in the UI, and this prevents a user from creating a specially crafted request to invoke them directly. (EMS-1204)

Version 2.7.0.2
08 June 2019

New features

  • Added REST API support for adding single servers, and creating the instance if it does not yet exist. (EMS-1195)

Bug fixes

  • Fixed exception handling in profile service that could sometimes leave ProfileMBeans open in the connected Rhino instance, blocking further updates to the profile by management clients. (EMS-1199)
Version 2.6.2.1
03 September 2019

Bug fixes

  • Fixed scrolling on scattercast management page. (EMS-1190)

Version 2.6.2.0
22 February 2019

Bug fixes

  • Fixed issue with monitoring instances where, if any node was unreachable, no instances would be shown. (EMS-1185)

New features

  • Added support for dynamic field values in the REM SDK form framework. (EMS-1186)

Improvements

  • Added hint to fields that offer suggested values. (VOLTE-7206)

Other changes

  • Removed ability to inspect non-resident activities and SBBs. (EMS-1187)

Version 2.6.1.2
07 December 2018

Bug fixes

  • Fixed an issue where trying to set invalid RA config resulted in a 500 error rather than reporting an invalid argument. (VOLTE-6598)

Deployment and dependency changes

  • Upgraded Guava to 16.0.1.

  • Upgraded slf4j to 1.7.7.

Version 2.6.1.1
23 June 2018

New features

  • Added support for new replication features in Rhino 2.6.1: (EMS-1155)

    • per-namespace session ownership and replication resource

    • replication selectors for services

    • inspecting non-resident activities and SBBs

    • persistence instances using Apache Cassandra

Version 2.6.0.1
26 April 2018

New features

  • Added a new SAS management page for managing SAS configuration and mappings. (EMS-1105)

  • Replaced the logging configuration page with a new page to support Rhino’s new logging framework. (EMS-1118)

Version 1.5.0.3
21 December 2016

This version does not contain any functional changes. It has minor changes required by other products.

Version 1.5.0.2
14 December 2016

Bug fixes

  • Fixed REM plugin RMI class loader issues when running REM on Apache Tomcat version 8 or newer. (EMS-1052)

  • Fixed IllegalArgumentException when subscribed to a stats distribution with no samples. (EMS-1042)

  • Fixed a server-side memory leak of EventBus registrations in the service handling requests from the embedded rhino-console in REM. (EMS-1050)

  • Fixed resizing of embedded rhino-console that was being slightly miscalculated on some browsers. (EMS-1040)

  • Fixed the scattercast management screen to allow endpoints to be added after editing another endpoint. (EMS-1064)

  • Fixed rule details being reset to wrong values after updating threshold rule configuration. (EMS-1037)

  • Fixed an issue where adding more than one user would incorrectly disable the user text fields. (EMS-914)

Improvements

  • Added support for plugins to depend on other plugins. (EMS-1072)

  • Improved thread safety of shared Rhino connections. (EMS-1031)

  • Uploading certificates now uses the same authentication mechanism as other REM requests. (EMS-946)

  • Changed keyboard shortcut for showing REM client-side debug log from Ctrl+` to Ctrl+Alt+` to avoid clash with existing Firefox shortcut. (EMS-862)

  • Added restart function to SLEE State screen. (EMS-974)

  • Added tool to update REM database schema. (EMS-1039)

  • Allow scattercast endpoints to have ports assigned automatically. (EMS-1045)

  • Allow multiple scattercast endpoints to be updated at once. (EMS-1046)

Version 1.5.0.0
31 October 2016

Deployment and dependency changes

  • The bundled Jetty server has been updated to version 9.3.12.v20160915. This version of Jetty requires Java 1.8 to run. (EMS-934)

New features

  • Added a new plugin framework allowing REM plugins to be loaded from outside the web application and run in isolation from other plugins. (EMS-964)

  • Added screens to manage persistence configuration for Rhino 2.5. (EMS-942)

  • Added support for scattercast management operations. (EMS-941)

  • Added support for symmetric component activation state management in Rhino 2.5. (EMS-960)

Improvements

  • Components that are linked or shadowed are now indicated as such on all REM screens. (EMS-931)

Bug fixes

  • Rhino instance ID is now required to be unique. (EMS-947)

  • The SNMP configuration page no longer tries to load and display all the OID mappings at once, so it is now usable when there is a large number of them. (EMS-949)

  • Fixed REMLink SDK UI component not working as intended since switch to SuperDevMode. (EMS-968)