3.1.9 - 2024-10-17
Improvements
- Update UI to assist accessibility. (#896033)
  - add description tags to UI components
  - add horizontal scrollbar to multiple panels
  - update colours to improve contrast
  - adjust fonts, log panel, main menu layout based on width of screen
- Additional validation of paths within archives when installing plugins to ensure extracted files remain within the intended plugin directory. (#1535945)
- Add validation of redirect URLs in SSO authenticator. (#1535945)
- Add validation of request parameters in SSO authenticator. (#1535945)
Fixes
- Fixed a NullPointerException that could occur when cleaning up log sessions for a previous login session if logs were not actually obtainable, e.g. the polled memory appender was not configured in Rhino. (#1594349)
- Fixed a NullPointerException that occurred when trying to monitor tracers when they weren’t obtainable, e.g. the polled memory appender was not configured in Rhino. Changed the error reporting behaviour of the Tracing monitoring panel to be the same as the Logging monitoring panel, and also changed both panels to redisplay any error on each start/stop monitoring cycle, rather than only on a change in an error condition. (#1594407)
- Added the missing system type and system version configuration properties to the SAS configuration panel, which must be set to a valid value before SAS tracing can be enabled. (#1598178)
- Added additional JVM args to the REM start scripts needed for correct functionality when using Java 17. (#1548220)
Dependencies
- All open source libraries used by this application have been updated to the latest available version.
3.1.8 - 2023-07-17
Improvements
- Renamed the "Pools" configuration screen to "Object Pools" for clarity. (#378598)
Fixes
- Fixed a NotSerializableException logged to the console after navigating to the statistics monitoring screen. (#378598)
3.1.7 - 2023-01-25
Fixes
- Added support for displaying OID Suffix Mapping Descriptor components in the deployment list, and fixed UI hang when components of an unknown type in general are encountered. (#339908)
3.1.5 - 2022-08-08
Improvements
- Added stricter Content-Security-Policy rules and other security-related headers. (#233417)
Fixes
- Fixed findlongrunningtransactions console command in the embedded Rhino console to work correctly when connecting to Rhino 3.0.0. (#183359)
- Fixed encrypted properties password generation to work on a wider range of shells and sed implementations. (#259506)
- Fixed race condition in the transactions inspection panel during initialisation. (Task #223762)
3.1.4 - 2022-06-20
Release versions now have three components, not four. This release adds support for Rhino 3.1.
New features
- The HTTP resource adaptor now uses static OIDs for SNMP. For more information see Static OID introduction in the Rhino documentation.
- Added configuration parameters for setting the path and password for the truststore containing Rhino server certificates. These are configured in a properties file with the password entry encrypted. The location of the properties file and the encryption password are configurable. (EMS-1205)
Improvements
- Added an example ldapauth.properties file to demonstrate LDAP based authentication configuration. (EMS-1206)
- User password hash is no longer sent as part of user details during GWT RPC serialization. (EMS-1210)
- Improved resilience against Clickjacking attacks by denying display of the REM homepage in frames. (EMS-1212)
Dependencies
- All open source libraries used by this resource adaptor have been updated to the latest available version.
Other changes
- CustomProxyCreator re-implemented. ClientProxySuperclass and CustomSerializableRoots annotations removed. Custom REM plugins should remove these annotations (and related imports) from *Service classes. (EMS-1217)
3.0.0.4 - 2021-12-20
Log4j 2 CVE-2021-44228
Updated Log4j 2 dependency to v2.17.0 in response to recent CVEs.
For background, please refer to: https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Rhino and Rhino Element Manager (REM) versions 2.6.0.x, 2.6.1.x, 2.6.2.x, 2.7.0.x, and 3.0.0.x all depend on Log4j 2.
These releases all ship with default log patterns which include the use of %m{nolookups}. While originally included in the defaults for performance reasons, the inclusion of %m{nolookups} is also described as a "temporary mitigation" in some relevant security commentary, for example https://www.lunasec.io/docs/blog/log4j-zero-day/
As far as Rhino is concerned, internal testing has determined that even when the default logging configuration is modified to remove the %m{nolookups} pattern, no external lookups are possible via JNDI remote classloading.
Rhino uses JNDI to implement JSLEE specification requirements, and as such provides its own custom implementation of InitialContextFactory by specifying the java.naming.factory.initial setting in an embedded jndi.properties file. The JNDI contexts provided by this factory do not provide an LDAP lookup facility.
As a consequence of the custom JNDI contexts provided, Rhino is not thought to be vulnerable to any exploits of this nature.
Unlike Rhino, REM does not use a custom InitialContextFactory and will therefore be vulnerable if {nolookups} is removed from the default logging pattern.
Note that in addition to CVE-2021-44228, there are other CVEs fixed by updating to Log4j v2.17.0.
Accordingly, all releases of Rhino and REM that include Log4j 2 are being released with this updated Log4j dependency.
All releases prior to 2.6.0.x do not use Log4j 2, and therefore do not contain this vulnerability.
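The REM condition described above (a message converter left without {nolookups}) can be checked mechanically on releases that have not yet been upgraded. The following is an added example, not part of the original release notes or of REM's code: it assumes the logging configuration is a standard Log4j 2 XML file using PatternLayout patterns, and the sample configuration and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# A conversion specifier: "%%" (literal percent) or %[modifiers]name.
# Names are matched whole; "%m" directly followed by literal letters is out of scope.
CONVERSION = re.compile(r"%%|%[-\d.]*([A-Za-z]+)")
OPTION = re.compile(r"\{([^{}]*)\}")
MESSAGE_NAMES = {"m", "msg", "message"}

# Constructed sample configuration (not REM's shipped file).
SAMPLE_CONFIG = """<Configuration><Appenders>
  <Console name="a"><PatternLayout pattern="%d{ISO8601} %-5p [%t] %m{nolookups}%n"/></Console>
  <Console name="b"><PatternLayout pattern="%d %highlight{%-5level %msg}%n"/></Console>
  <Console name="c"><PatternLayout><Pattern>%d %%m then %message{ansi}%n</Pattern></PatternLayout></Console>
</Appenders></Configuration>"""


def unguarded_message_converters(pattern):
    """Return message converters in a layout pattern that lack {nolookups}."""
    findings = []
    for match in CONVERSION.finditer(pattern):
        if match.group(1) not in MESSAGE_NAMES:
            continue  # some other converter, or an escaped "%%"
        options, pos = [], match.end()
        while (opt := OPTION.match(pattern, pos)):
            options.append(opt.group(1))
            pos = opt.end()
        if "nolookups" not in options:
            findings.append(pattern[match.start():pos])
    return findings


def audit_log4j2_xml(xml_text):
    """Map each layout pattern in a Log4j 2 XML config to its unguarded converters."""
    report = {}
    for elem in ET.fromstring(xml_text).iter():
        patterns = [elem.attrib["pattern"]] if "pattern" in elem.attrib else []
        if elem.tag.rsplit("}", 1)[-1].lower() == "pattern" and elem.text:
            patterns.append(elem.text.strip())
        for pattern in patterns:
            hits = unguarded_message_converters(pattern)
            if hits:
                report[pattern] = hits
    return report


if __name__ == "__main__":
    for pattern, hits in audit_log4j2_xml(SAMPLE_CONFIG).items():
        print(f"{hits} lack {{nolookups}} in: {pattern}")
```

An empty report only confirms that the pattern-level mitigation is still in place; the update to Log4j v2.17.0 described above remains the fix.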
3.0.0.3 - 2021-12-17
Fixes
- Fixed state checks to only query symmetric activation state mode when managing Rhino versions that support the symmetric activation state toggle. Rhino 3.0.0 uses a new state management model that combines the features of symmetric and per-node activation state. (EMS-1218)
- Fixed JMX connection (and JMX client heartbeat thread) leak. This would occur when there was an active stats monitoring session and the underlying Rhino connection was reconnected by REM due to a temporary connection problem. (EMS-1221)
3.0.0.1 - 2020-10-05
Rhino Element Manager 3.0 adds support for Java 11 and Rhino 3.0.0.
Improvements
- Updates to support running under Java 11. Previous Java versions are no longer supported.
- Include a template ldapauth.properties file to allow configuring LDAP. (EMS-1206)
- Added support for displaying, creating, and updating stats-based limiters. (EMS-1198)
- Updated bundled Jetty server to version 9.4.28. (VOLTE-9131)
- Refactored developer mode for the REM SDK to work for Java 11 and the updated version of Jetty. The embedded Jetty in GWT developer mode has been replaced by a separate Jetty server instance. (EMS-1201)
Fixes
- Removed an outdated link for sending feedback from the Tools menu and documentation. If you have any feedback about REM, please contact your Metaswitch Customer Care Representative. (EMS-1202)
- Fixed exception handling in profile service that could sometimes leave ProfileMBeans open in the connected Rhino instance, blocking further updates to the profile by management clients. (EMS-1199)
- Validate the authentication token in user/role management server calls. These functions are not visible to regular users in the UI, and this prevents a user from creating a specially crafted request to invoke them directly. (EMS-1204)
2.7.0.2 - 2020-06-08
New features
- Added REST API support for adding single servers, and creating the instance if it does not yet exist. (EMS-1195)
Bug fixes
- Fixed exception handling in profile service that could sometimes leave ProfileMBeans open in the connected Rhino instance, blocking further updates to the profile by management clients. (EMS-1199)
2.6.2.0 - 2019-02-20
Bug fixes
- Fixed issue with monitoring instances where, if any node was unreachable, no instances would be shown. (EMS-1185)
New features
- Added support for dynamic field values in the REM SDK form framework. (EMS-1186)
Improvements
- Added hint to fields that offer suggested values. (VOLTE-7206)
Other changes
- Removed ability to inspect non-resident activities and SBBs. (EMS-1187)
2.6.1.2 - 2018-10-30
Bug fixes
- Fixed an issue where trying to set invalid RA config resulted in a 500 error rather than reporting invalid argument. (VOLTE-6598)
Dependencies
- Upgraded Guava to 16.0.1.
- Upgraded slf4j to 1.7.7.
2.6.1.1 - 2018-06-07
New features
- Added support for new replication features in Rhino 2.6.1: (EMS-1155)
  - per-namespace session ownership and replication resource
  - replication selectors for services
  - inspecting non-resident activities and SBBs
  - persistence instances using Apache Cassandra
2.6.0.1 - 2018-04-26
New features
- Added a new SAS management page for managing SAS configuration and mappings. (EMS-1105)
- Replaced the logging configuration page with a new page to support Rhino’s new logging framework. (EMS-1118)
1.5.0.3 - 2016-12-21
This version does not contain any functional changes. It has minor changes required by other products.
1.5.0.2 - 2016-12-14
Bug fixes
- Fixed REM plugin RMI class loader issues when running REM on Apache Tomcat version 8 or newer. (EMS-1052)
- Fixed IllegalArgumentException when subscribed to a stats distribution with no samples. (EMS-1042)
- Fixed a server-side memory leak of EventBus registrations in the service handling requests from the embedded rhino-console in REM. (EMS-1050)
- Fixed resizing of embedded rhino-console that was being slightly miscalculated on some browsers. (EMS-1040)
- Fixed the scattercast management screen to allow endpoints to be added after editing another endpoint. (EMS-1064)
- Fixed rule details being reset to wrong values after updating threshold rule configuration. (EMS-1037)
- Fixed an issue where adding more than one user would incorrectly disable the user text fields. (EMS-914)
Improvements
- Added support for plugins to depend on other plugins. (EMS-1072)
- Improved thread safety of shared Rhino connections. (EMS-1031)
- Uploading certificates now uses the same authentication mechanism as other REM requests. (EMS-946)
- Changed keyboard shortcut for showing REM client-side debug log from Ctrl+` to Ctrl+Alt+` to avoid clash with existing Firefox shortcut. (EMS-862)
- Added restart function to SLEE State screen. (EMS-974)
- Added tool to update REM database schema. (EMS-1039)
- Allow scattercast endpoints to have ports assigned automatically. (EMS-1045)
- Allow multiple scattercast endpoints to be updated at once. (EMS-1046)
1.5.0.0 - 2016-10-28
Dependencies
- The bundled Jetty server has been updated to version 9.3.12.v20160915. This version of Jetty requires Java 1.8 to run. (EMS-934)
New features
- Added a new plugin framework allowing REM plugins to be loaded from outside the web application and run in isolation from other plugins. (EMS-964)
- Added screens to manage persistence configuration for Rhino 2.5. (EMS-942)
- Added support for scattercast management operations. (EMS-941)
- Added support for symmetric component activation state management in Rhino 2.5. (EMS-960)
Improvements
- Components that are linked or shadowed are now indicated as such on all REM screens. (EMS-931)
Bug fixes
- Rhino instance ID is now required to be unique. (EMS-947)
- The SNMP configuration page no longer tries to load and display all the OID mappings at once, so it is now usable when there is a large number of them. (EMS-949)
- Fixed REMLink SDK UI component not working as intended since switch to SuperDevMode. (EMS-968)