BigFix Inventory 10.0.3 Release Notes Confusion

While documenting the changes in BigFix Inventory 10.0.3, we noticed that the Security Enhancements section is different between the forum.bigfix.com release notes, the help.hcltechsw.com release notes, and the support.bigfix.com release notes. This section is especially important as the criticality of security enhancements dictates much of the pace of our change control process.

We especially would like to clarify whether icu4j was upgraded (per the help.hcltechsw.com notes) or log4j (per the support.bigfix.com notes), or both, or neither.

For reference:

https://forum.bigfix.com/t/bigfix-inventory-application-update-10-0-3-0-published-2020-12-10/36396
Security enhancements
o WebSphere Application Server Liberty is upgraded to version 20.0.0.11
o Several libraries including Rails are upgraded
o Suggested updates to server configuration added in Security chapter in user documentation

https://help.hcltechsw.com/bigfix/10.0/inventory/Inventory/overview/c_what_is_new.html
Security enhancements
To maintain security, the following selected components and libraries were updated:

Rails upgraded to version 5.2.4.4
Upgraded icu4j libraries to supported version
WebSphere Application Server Liberty is upgraded to version 20.0.0.11
Changed Websphere configuration to use TLS 1.2 by default for fresh installation. For existing and upgraded BigFix Inventory installations, manual configuration is required. For more information, refer to Enabling secure communication.
Addressed the security vulnerability of SSO login by implementing secure SSL cookie. For more details, refer to the Knowledge Base article.

https://support.bigfix.com/bfi/BigFix-Inventory-10.0.3.0-ReleaseNotes.pdf
Security enhancements
To maintain security, the following selected components and libraries were updated.
• Rails upgraded to version 5.2.4.4 - CVE-2020-15169
• WebSphere Liberty upgraded to 20.0.0.11 - CVE-2020-10693, CVE-2020-4590
• Changed WebSphere configuration to always use TLS 1.2 and secure ciphers for the fresh BigFix inventory installations. Manual configuration is required for the existing and upgraded BigFix Inventory installations. Details can be found in documentation.
• Log4j upgraded to version 2.13.3 - CVE-2019-17571, CVE-2020-9488

Could we please get some clarification on which of these sets of security enhancements is the accurate one, especially in regards to icu4j vs. log4j? And would it be too much to ask for more consistency across all release announcements in the future?

Thanks!