Rhino Element Manager 2.6.2 adds support for Rhino 2.6.2, and is also compatible with Rhino 2.3, 2.4, 2.5, 2.6.0, and 2.6.1 instances. (The Rhino Element Manager version number now reflects the Rhino version it supports.) |
Version 2.6.2.4
22 December 2021
Log4j 2 CVE-2021-44228
Updated Log4j 2 dependency to v2.17.0 in response to recent CVEs.
For background, please refer to: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Rhino and Rhino Element Manager (REM) versions 2.6.0.x, 2.6.1.x, 2.6.2.x, 2.7.0.x, and 3.0.0.x all depend on Log4j 2.
These releases all ship with default log patterns which include the use of %m{nolookups}
. While originally included in the defaults for performance reasons, the inclusion of %m{nolookups}
is also described as a "temporary mitigation" in some relevant security commentary, for example https://www.lunasec.io/docs/blog/log4j-zero-day/
As far as Rhino is concerned, internal testing has determined that even when the default logging configuration is modified to remove the %m{nolookups}
pattern, no external lookups are possible via JNDI remote classloading.
Rhino uses JNDI to implement JSLEE specification requirements, and as such provides its own custom implementation of InitialContextFactory
by specifying the java.naming.factory.initial
setting in an embedded jndi.properties
file. The JNDI contexts provided by this factory do not provide an LDAP lookup facility.
As a consequence of the custom JNDI contexts provided, Rhino is not thought to be vulnerable to any exploits of this nature.
Unlike Rhino, REM does not use a custom InitialContextFactory
and will therefore be vulnerable if {nolookups}
is removed from the default logging pattern.
Note that in addition to CVE-2021-44228, there are other CVEs fixed by updating to Log4j v2.17.0.
Accordingly, all releases of Rhino and REM that include Log4j 2 are being released with this updated Log4j dependency.
All releases prior to 2.6.0.x do not use Log4j 2, and therefore do not contain this vulnerability.
Bug fix
-
Validate the authentication token in user/role management server calls. These functions are not visible to regular users in the UI, and this prevents a user from creating a specially crafted request to invoke them directly. (EMS-1204)
Version 2.6.2.2
20 February 2020
Bug fix
-
Fixed exception handling in profile service that could sometimes leave ProfileMBeans open in the connected Rhino instance, blocking further updates to the profile by management clients (EMS-1199)
Version 2.6.2.1
29 July 2019
Bug fix
-
Fixed scrolling on scattercast management page. (EMS-1190)
Version 2.6.2.0
22 February 2019
Bug fixes
-
Fixed issue with monitoring instances where, if any node was unreachable, no instances would be shown. (EMS-1185)
New features
-
Added support for dynamic field values in the REM SDK form framework. (EMS-1186)
Improvements
-
Added hint to fields that offer suggested values. (VOLTE-7206)
Other changes
-
Removed ability to inspect non-resident activities and SBBs. (EMS-1187)
Version 2.6.1.2
07 December 2018
Bug fixes
-
Fixed an issue where trying to set invalid RA config resulted in a 500 error rather than reporting invalid argument. (VOLTE-6598)
Deployment and dependency changes
-
Upgraded Guava to 16.0.1.
-
Upgraded slf4j to 1.7.7.
Version 2.6.1.1
23 June 2018
New features
-
Added support for new replication features in Rhino 2.6.1: (EMS-1155)
-
per-namespace session ownership and replication resource
-
replication selectors for services
-
inspecting non-resident activities and SBBs
-
persistence instances using Apache Cassandra
-
Version 2.6.0.1
26 April 2018
New features
-
Added a new SAS management page for managing SAS configuration and mappings. (EMS-1105)
-
Replaced the logging configuration page with a new page to support Rhino’s new logging framework. (EMS-1118)
Version 1.5.0.3
21 December 2016
This version does not contain any functional changes. It has minor changes required by other products.
Version 1.5.0.2
14 December 2016
Bug fixes
-
Fixed REM plugin RMI class loader issues when running REM on Apache Tomcat version 8 or newer. (EMS-1052)
-
Fixed IllegalArgumentException when subscribed to a stats distribution with no samples. (EMS-1042)
-
Fixed a server-side memory leak of EventBus registrations in the service handling requests from the embedded rhino-console in REM. (EMS-1050)
-
Fixed resizing of embedded rhino-console that was being slightly miscalculated on some browsers. (EMS-1040)
-
Fixed the scattercast management screen to allow endpoints to be added after editing another endpoint. (EMS-1064)
-
Fixed rule details being reset to wrong values after updating threshold rule configuration. (EMS-1037)
-
Fixed an issue where adding more than one user would incorrectly disable the user text fields. (EMS-914)
Improvements
-
Added support for plugins to depend on other plugins. (EMS-1072)
-
Improved thread safety of shared Rhino connections. (EMS-1031)
-
Uploading certificates now uses the same authentication mechanism as other REM requests. (EMS-946)
-
Changed keyboard shortcut for showing REM client-side debug log from Ctrl+` to Ctrl+Alt+` to avoid clash with existing Firefox shortcut. (EMS-862)
-
Added restart function to SLEE State screen. (EMS-974)
-
Added tool to update REM database schema. (EMS-1039)
-
Allow scattercast endpoints to have ports assigned automatically. (EMS-1045)
-
Allow multiple scattercast endpoints to be updated at once. (EMS-1046)
Version 1.5.0.0
31 October 2016
Deployment and dependency changes
-
The bundled Jetty server has been updated to version 9.3.12.v20160915.
This version of Jetty requires Java 1.8 to run. (EMS-934)
New features
-
Added a new plugin framework allowing REM plugins to be loaded from outside the web application and run in isolation from other plugins. (EMS-964)
-
Added screens to manage persistence configuration for Rhino 2.5. (EMS-942)
-
Added support for scattercast management operations. (EMS-941)
-
Added support for symmetric component activation state management in Rhino 2.5. (EMS-960)
Improvements
-
Components that are linked or shadowed are now indicated as such on all REM screens. (EMS-931)
Bug fixes
-
Rhino instance ID is now required to be unique. (EMS-947)
-
The SNMP configuration page no longer tries to load and display all the OID mappings at once, so it is now usable when there is a large number of them. (EMS-949)
-
Fixed REMLink SDK UI component not working as intended since switch to SuperDevMode. (EMS-968)