Versions Compared

Old Version 17

changes.mady.by.user Megan Ellis

Saved on

compared with

New Version Current

changes.mady.by.user Megan Ellis

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents
maxLevel1

...

GA Release Matrix

Include Page
frevvosoftwaredl:GA Release Matrix
frevvosoftwaredl:GA Release Matrix


frevvo™ v10.0

Cloud Upgrade: October 31, 2020

On Premise Release: January 18, 2021

v10frevvo v10.0 is a major new release. Please see the Detailed Release Notes for specific version enhancements and tickets fixed. 


Security Vulnerabilities

The following security vulnerabilities have been addressed as follows:

  • Man in the middle - This has to do with executing the CGI Servlet. This servlet is disabled in the frevvo Apache tomcat distribution. Customers who choose to enable the servlet are responsible for ensuring security viz. adding filter etc.

  • Version Disclosures - Resolved by configuring the ErrorReportValve in \frevvo\tomcat\conf\server.xml file (in the Host section) as described in this Apache tomcat website. The parameter that needs to be modified is:

    Code Block
    <Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false"/>


  • X-Frame-Options Header Not Set - Resolved by modification at the tomcat level. In-house customers can uncomment the HttpHeaderSecurityFilter provided in the tomcat web.xml. The filter is documented here. Specify the appropriate X-Frame-Options value in the antiClickJackingOption parameter - (SAMEORIGIN or ALLOW-FROM).

    Warning
    Setting this parameter to SAMEORIGIN may interfere when embedding frevvo forms/flows in your website. Use ALLOW-FROM instead.

    Click the appropriate link below for filter examples.

    Code Block
    titleExample of filter with SAMEORIGIN
    collapsetrue
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
		<init-param>
			<param-name>antiClickJackingOption</param-name>
			<param-value>SAMEORIGIN</param-value>
		</init-param>
        <async-supported>true</async-supported>
</filter>

<filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
</filter-mapping>


    Code Block
    themeConfluence
    titleExample of filter with ALLOW-FROM for embedded forms
    collapsetrue
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
		<init-param>
			<param-name>antiClickJackingOption</param-name>
			<param-value>ALLOW-FROM</param-value>
		</init-param>
		<init-param> 
            <param-name>antiClickJackingUri</param-name> 
            <param-value> http://example.com:80/*</param-value> 
        </init-param>
        <async-supported>true</async-supported>
</filter>

<filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
</filter-mapping>

  • v10.0.20 Mitigation applied to Address Critical RCE (log4j / solr) Vulnerability Under Exploitation. The SOLR version on will be upgraded in a future release. Security checks may flag this vulnerability based on the version alone; however as long as you are running v10.0.20+ or you have applied the mitigation described in this article, you are not exposed to this vulnerability.