A new update has been released for multiple applications in the WebUI.
Inline Reporting enhancements
There is a new feature to manage commonly accessed inline reports. This includes being able to:
- Save reports to be easily accessed later
- Share reports with other users
Patch Policies
- Now supports Red Hat Enterprise Linux 8
MDM application enhancements
- Added WebUI MDM Healthcheck to get basic health information on a given MCM deployment
- Added auditing for MDM actions, policy creation / editing, and deploying BigFix agents
- Added the ability for users to create Kernel extension whitelisting policies with bundleIDs that had “-” and “_” characters
- Added protections for wipe to only deploy to one device at a time
- Improved error handling on policy creation / editing pages with more than one panel
- Added additional validation for siteIDs in policy creation / editing
Security vulnerabilities addressed
- CVE-2018-20834: A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2.
- CVE-2020-4104: The HCL BigFix Web UI is vulnerable to Stored Cross-site Scripting (XSS) within the Apps->Software module. An attacker can use XSS to send a malicious script to an unsuspecting user.
- CVE-2020-7598: minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a “constructor” or “__proto__” payload.
- CVE-2020-7608: yargs-parser could be tricked into adding or modifying properties of Object.prototype using a “__proto__” payload.
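The prototype pollution described for CVE-2020-7598 and CVE-2020-7608, shown as an added example that is not code from minimist, yargs-parser or BigFix: a minimal dotted-key option setter in its unguarded form beside a hardened one. All function names and the sample arguments are constructed for illustration.

```javascript
// Added example; not minimist, yargs-parser or BigFix source code.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Unguarded: follows whatever path segments the argument supplies.
function setKeyUnsafe(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key]; // "__proto__" resolves to Object.prototype here
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened: drops options with blocked segments, descends own properties only.
function setKeySafe(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => BLOCKED.has(k))) return target;
  let node = target;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Parses "--a.b=value" tokens with the given setter (hypothetical helper).
function parseArgs(argv, setKey) {
  const out = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (m) setKey(out, m[1], m[2]);
  }
  return out;
}

// Runs one setter over constructed input and reports whether an unrelated
// object picked up the injected property; restores Object.prototype afterwards.
function demo(setKey) {
  const argv = ['--server.port=8080', '--__proto__.isAdmin=true']; // constructed
  const parsed = parseArgs(argv, setKey);
  const polluted = ({}).isAdmin !== undefined;
  delete Object.prototype.isAdmin;
  return { parsed, polluted };
}

console.log(demo(setKeyUnsafe).polluted, demo(setKeySafe).polluted);
```

Upgrading the affected parser remains the fix; a guard like `setKeySafe` is the kind of check to look for when reviewing in-house code that merges untrusted keys into objects.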
Defect articles
- KB0078535: BigFix WebUI Query generates multiple files to download
- KB0078553: BigFix WebUI Query Time stamp formatting error
- KB0078554: BigFix WebUI Query generates repeated results
- KB0078555: BigFix WebUI Query generates CSV without separators
- KB0078847: WebUI long login time with deleted Ubuntu 1604 Patch site
- KB0079254: Update documentation for BigFix integration with SAML login
- KB0079402: Race condition issue during WebUI login
- KB0079898: Patch Policies include patches from sites which were removed from Console
- KB0080002: Missing Content-Type in HTTP responses
- KB0080447: Azure Cloud malfunctioning when there is a failed credential
How to update
WebUI will be updated automatically by default, unless configured otherwise.
Published Versions
WebUI Site Versions:
5 - WebUI API
16 - Application Administration
16 - Patch Policies
56 - Common
6 - WebUI Content App
27 - Custom
10 - WebUI Data Sync
12 - WebUI Framework
2 - Insights
2 - MDM
27 - Patch
6 - WebUI Permissions and Preferences
11 - Profile Management
18 - Query
1 - Reports
28 - Software Distribution
11 - WebUI Take Action
WebUI Documentation link
https://help.hcltechsw.com/bigfix/10.0/webui/index.html
The BigFix WebUI team