Note

Rhino Element Manager 2.6.1 adds support for Rhino 2.6.1, and is also compatible with Rhino 2.3, 2.4, 2.5, and 2.6.0 instances. (The Rhino Element Manager version number now reflects the Rhino version it supports.)

Version 2.6.1.3
22 December 2021

Log4j 2 CVE-2021-44228

Updated Log4j 2 dependency to v2.17.0 in response to recent CVEs.

For background, please refer to: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Rhino and Rhino Element Manager (REM) versions 2.6.0.x, 2.6.1.x, 2.6.2.x, 2.7.0.x, and 3.0.0.x all depend on Log4j 2.

These releases all ship with default log patterns which include the use of %m{nolookups}. While originally included in the defaults for performance reasons, the inclusion of %m{nolookups} is also described as a "temporary mitigation" in some relevant security commentary, for example https://www.lunasec.io/docs/blog/log4j-zero-day/

As far as Rhino is concerned, internal testing has determined that even when the default logging configuration is modified to remove the %m{nolookups} pattern, no external lookups are possible via JNDI remote classloading.

Rhino uses JNDI to implement JSLEE specification requirements, and as such provides its own custom implementation of InitialContextFactory by specifying the java.naming.factory.initial setting in an embedded jndi.properties file. The JNDI contexts provided by this factory do not provide an LDAP lookup facility.

As a consequence of the custom JNDI contexts provided, Rhino is not thought to be vulnerable to any exploits of this nature.

Unlike Rhino, REM does not use a custom InitialContextFactory and will therefore be vulnerable if {nolookups} is removed from the default logging pattern.

Note that in addition to CVE-2021-44228, there are other CVEs fixed by updating to Log4j v2.17.0.

Accordingly, all releases of Rhino and REM that include Log4j 2 are being released with this updated Log4j dependency.

All releases prior to 2.6.0.x do not use Log4j 2, and therefore do not contain this vulnerability.

Bug fixes

  • Fixed an issue where trying to set invalid RA config resulted in a 500 error rather than reporting invalid argument. (VOLTE-6598)

Deployment and dependency changes

  • Upgraded Guava to 16.0.1.

  • Upgraded slf4j to 1.7.7.

Version 2.6.1.1
23 June 2018

New features

  • Added support for new replication features in Rhino 2.6.1: (EMS-1155)

    • per-namespace session ownership and replication resource

    • replication selectors for services

    • inspecting non-resident activities and SBBs

    • persistence instances using Apache Cassandra

Version 2.6.0.1
26 April 2018

New features

  • Added a new SAS management page for managing SAS configuration and mappings. (EMS-1105)

  • Replaced the logging configuration page with a new page to support Rhino’s new logging framework. (EMS-1118)

Version 1.5.0.3
21 December 2016

This version does not contain any functional changes. It has minor changes required by other products.

Version 1.5.0.2
14 December 2016

Bug fixes

  • Fixed REM plugin RMI class loader issues when running REM on Apache Tomcat version 8 or newer. (EMS-1052)

  • Fixed IllegalArgumentException when subscribed to a stats distribution with no samples. (EMS-1042)

  • Fixed a server-side memory leak of EventBus registrations in the service handling requests from the embedded rhino-console in REM. (EMS-1050)

  • Fixed resizing of embedded rhino-console that was being slightly miscalculated on some browsers. (EMS-1040)

  • Fixed the scattercast management screen to allow endpoints to be added after editing another endpoint. (EMS-1064)

  • Fixed rule details being reset to wrong values after updating threshold rule configuration. (EMS-1037)

  • Fixed an issue where adding more than one user would incorrectly disable the user text fields. (EMS-914)

Improvements

  • Added support for plugins to depend on other plugins. (EMS-1072)

  • Improved thread safety of shared Rhino connections. (EMS-1031)

  • Uploading certificates now uses the same authentication mechanism as other REM requests. (EMS-946)

  • Changed keyboard shortcut for showing REM client-side debug log from Ctrl+` to Ctrl+Alt+` to avoid clash with existing Firefox shortcut. (EMS-862)

  • Added restart function to SLEE State screen. (EMS-974)

  • Added tool to update REM database schema. (EMS-1039)

  • Allow scattercast endpoints to have ports assigned automatically. (EMS-1045)

  • Allow multiple scattercast endpoints to be updated at once. (EMS-1046)

Version 1.5.0.0
31 October 2016

Deployment and dependency changes

  • The bundled Jetty server has been updated to version 9.3.12.v20160915.
    This version of Jetty requires Java 1.8 to run. (EMS-934)

New features

  • Added a new plugin framework allowing REM plugins to be loaded from outside the web application and run in isolation from other plugins. (EMS-964)

  • Added screens to manage persistence configuration for Rhino 2.5. (EMS-942)

  • Added support for scattercast management operations. (EMS-941)

  • Added support for symmetric component activation state management in Rhino 2.5. (EMS-960)

Improvements

  • Components that are linked or shadowed are now indicated as such on all REM screens. (EMS-931)

Bug fixes

  • Rhino instance ID is now required to be unique. (EMS-947)

  • The SNMP configuration page no longer tries to load and display all the OID mappings at once, so it is now usable when there is a large number of them. (EMS-949)

  • Fixed REMLink SDK UI component not working as intended since switch to SuperDevMode. (EMS-968)