While documenting the changes in BigFix Inventory 10.0.3, we noticed that the Security Enhancements section is different between the forum.bigfix.com release notes, the help.hcltechsw.com release notes, and the support.bigfix.com release notes. This section is especially important as the criticality of security enhancements dictates much of the pace of our change control process.
We especially would like to clarify whether icu4j was upgraded (per the help.hcltechsw.com notes) or log4j (per the support.bigfix.com notes), or both, or neither.
o WebSphere Application Server Liberty is upgraded to version 22.214.171.124
o Several libraries including Rails are upgraded
o Suggested updates to server configuration added in Security chapter in user documentation
To maintain security, the following selected components and libraries were updated:
Rails upgraded to version 126.96.36.199
Upgraded icu4j libraries to supported version
WebSphere Application Server Liberty is upgraded to version 188.8.131.52
Changed WebSphere configuration to use TLS 1.2 by default for fresh installation. For existing and upgraded BigFix Inventory installations, manual configuration is required. For more information, refer to Enabling secure communication.
Addressed the security vulnerability of SSO login by implementing secure SSL cookie. For more details, refer to the Knowledge Base article.
To maintain security, the following selected components and libraries were updated.
• Rails upgraded to version 184.108.40.206 - CVE-2020-15169
• WebSphere Liberty upgraded to 220.127.116.11 - CVE-2020-10693, CVE-2020-4590
• Changed WebSphere configuration to always use TLS 1.2 and secure ciphers for the fresh BigFix Inventory installations. Manual configuration is required for the existing and upgraded BigFix Inventory installations. Details can be found in documentation.
• Log4j upgraded to version 2.13.3 - CVE-2019-17571, CVE-2020-9488
Could we please get some clarification on which of these sets of security enhancements is the accurate one, especially with regard to icu4j vs. log4j? And would it be too much to ask for more consistency across all release announcements in the future?
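Two of the quoted items are only effective on upgraded installations after manual configuration (TLS 1.2 with secure ciphers, and the Secure flag on the SSO session cookie). The probe below is an added example, not part of the post above and not BigFix or HCL tooling, for verifying both on a live server: it pins a client handshake to each TLS version in turn and records which ones the server completes, then fetches one page and checks every Set-Cookie header for the Secure attribute. The host name, the port 9081, the path "/" and the cookie names in the comments are assumptions; adjust them to your installation. Only the policy and cookie-parsing helpers run offline; the probe itself needs network access to the server.

```python
"""Post-upgrade check: does the server refuse TLS < 1.2, and are cookies marked Secure?
Added example, not BigFix's own code. Host/port defaults below are assumptions."""
import socket
import ssl
import sys
from http.client import HTTPSConnection

DEFAULT_HOST = "bfi.example.internal"   # assumption: your BigFix Inventory server
DEFAULT_PORT = 9081                     # assumption: web UI port; adjust to your install

TLS_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
ALLOWED = {"TLSv1.2", "TLSv1.3"}   # policy: anything older must be refused by the server


def handshake_with(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`,
    False if it refuses, None if this client build cannot even offer that version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE     # probing protocol support only, not trust
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:                  # OpenSSL built without this protocol
        return None
    if version < ssl.TLSVersion.TLSv1_2:
        # Modern OpenSSL disables TLS 1.0/1.1 on the client at its default security
        # level; lower it so a refusal is the server's decision, not our own.
        try:
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        except ssl.SSLError:
            pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def probe_tls(host, port):
    """Map each protocol name to the handshake result against host:port."""
    return {name: handshake_with(host, port, ver) for name, ver in TLS_VERSIONS.items()}


def tls_policy_violations(results):
    """Legacy protocol versions the server accepted; an empty list means compliant."""
    return sorted(name for name, ok in results.items() if ok is True and name not in ALLOWED)


def cookies_missing_secure(set_cookie_headers):
    """Names of cookies whose Set-Cookie header lacks the Secure attribute."""
    missing = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            missing.append(name)
    return missing


def fetch_set_cookie(host, port, path="/"):
    """Return every Set-Cookie header from one GET over TLS (cert not verified: probe only)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = HTTPSConnection(host, port, context=ctx, timeout=5.0)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    finally:
        conn.close()


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST
    port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_PORT
    results = probe_tls(host, port)
    for name, ok in results.items():
        print(f"{name:8} {'accepted' if ok else 'refused' if ok is False else 'untestable'}")
    print("TLS policy violations:", tls_policy_violations(results) or "none")
    print("cookies without Secure:", cookies_missing_secure(fetch_set_cookie(host, port)) or "none")
```

Run it before and after applying the manual TLS configuration the release notes refer to; a compliant server shows TLSv1 and TLSv1.1 as refused and lists no cookies without Secure. An "untestable" line means your local OpenSSL cannot offer that legacy version at all, so that row proves nothing about the server.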