CM1 5.3 - June 2017 Patch

Patch ID - 5315_20170606

This is a cumulative patch for CM1 5.3 SR1 that includes a blend of customer driven enhancements and defect corrections. This patch includes an Uninstall option to support rollback in the event the Patch introduces a problem or issue. The patch may be downloaded from the Support portal.  For instructions on Installing or Uninstalling the Patch, please review the Patch Readme file.  An updated list of Known Issues can be found and the bottom of this page. 

New Features in this Patch

This patch includes several new capabilities:

Siteimprove Integration

A new Dashboard Gadget has been added that allows Percussion to be configured to notify Siteimprove when pages are published to Staging or Production sites so that they can be re-crawled in real time. 

Widget Improvements

Rich Text Editors

The Rich Text Editor has been updated with several defect corrections.  The Inline Image feature has been updated to make the Alt and Title field required and now includes a Visual indicator that the Image Asset's Alt and Title tag have been overridden in the editor. 

File & HTML Widget

The File & HTML Widget has been enhanced to support an Analytics tag on system generated URLs for customers with advanced analytics requirements for click tracking of File assets. 

Page Autolist Widget

Pagination has been improved in the Page autolist. 

Calendar 2.0 Widget

The Calendar 2.0 Widget has been updated to support a list view. 

Security Updates

Complete List of Issues included in the Patch:

Delivery Tier Services - Tomcat Security Updates

The following security vulnerabilities in the DTS Tomcat are resolved by this patch. 

Important: Information Disclosure CVE-2016-8745

A bug in the error handling of the send file code for the NIO HTTP connector resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, but not limited to, session ID and the response body.

This was fixed in revision 1777471.

Important: Remote Code Execution CVE-2016-8735

The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations using this listener remained vulnerable to a similar remote code execution vulnerability. This issue has been rated as important rather than critical due to the small number of installations using this listener and that it would be highly unusual for the JMX ports to be accessible to an attacker even when the listener is used.

This was fixed in revision 1767676.

Important: Information Disclosure CVE-2016-6816

The code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.

This was fixed in revision 1767675.

Low: Unrestricted Access to Global Resources CVE-2016-6797

The ResourceLinkFactory did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.

This was fixed in revision 1757275.

Low: Security Manager Bypass CVE-2016-6796

A malicious web application was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.

This was fixed in revisions 1758495 and 1763236.

Low: System Property Disclosure CVE-2016-6794

When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.

This was fixed in revision 1754728.

Low: Security Manager Bypass CVE-2016-5018

A malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.

This was fixed in revisions 1754902 and 1760309.

Low: Timing Attack CVE-2016-0762

The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.

This was fixed in revision 1758502.

Moderate: Denial of Service CVE-2016-3092

Apache Tomcat uses a package renamed copy of Apache Commons FileUpload to implement the file upload requirements of the Servlet specification. A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file. This caused the file upload process to take several orders of magnitude longer than if the boundary was the typical tens of bytes long.

This was fixed in revision 1743742.

Low: Directory disclosure CVE-2015-5345

When accessing a directory protected by a security constraint with a URL that did not end in a slash, Tomcat would redirect to the URL with the trailing slash thereby confirming the presence of the directory before processing the security constraint. It was therefore possible for a user to determine if a directory existed or not, even if the user was not permitted to view the directory. The issue also occurred at the root of a web application in which case the presence of the web application was confirmed, even if a user did not have access.

The solution was to implement the redirect in the DefaultServlet so that any security constraints and/or security enforcing Filters were processed before the redirect. The Tomcat team recognised that moving the redirect could cause regressions so two new Context configuration options (mapperContextRootRedirectEnabled andmapperDirectoryRedirectEnabled) were introduced. The initial default was false for both since this was more secure. However, due to regressions such as Bug 58765 the default for mapperContextRootRedirectEnabled was later changed to true since it was viewed that the regression was more serious than the security risk associated with being able to determine if a web application was deployed at a given path.

This was fixed in revisions 1715213, 1716860 and 1717212.

Moderate: CSRF token leak CVE-2015-5351

The index page of the Manager and Host Manager applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request to the root of the web application. If an attacker had access to the Manager or Host Manager applications (typically these applications are only accessible to internal users, not exposed to the Internet), this token could then be used by the attacker to construct a CSRF attack.

This was fixed in revisions 1720661 and 1720663.

Low: Security Manager bypass CVE-2016-0706

This issue only affects users running untrusted web applications under a security manager.

The internal StatusManagerServlet could be loaded by a malicious web application when a security manager was configured. This servlet could then provide the malicious web application with a list of all deployed applications and a list of the HTTP request lines for all requests currently being processed. This could have exposed sensitive information from other web applications, such as session IDs, to the web application.

This was fixed in revision 1722801.

Moderate: Security Manager bypass CVE-2016-0714

This issue only affects users running untrusted web applications under a security manager.

Tomcat provides several session persistence mechanisms. The StandardManager persists session over a restart. The PersistentManager is able to persist sessions to files, a database or a custom Store. The cluster implementation persists sessions to one or more additional nodes in the cluster. All of these mechanisms could be exploited to bypass a security manager. Session persistence is performed by Tomcat code with the permissions assigned to Tomcat internal code. By placing a carefully crafted object into a session, a malicious web application could trigger the execution of arbitrary code.

This was fixed in revisions 1726923 and 1727034.

Moderate: Security Manager bypass CVE-2016-0763

This issue only affects users running untrusted web applications under a security manager.

ResourceLinkFactory.setGlobalContext() is a public method and was accessible to web applications even when running under a security manager. This allowed a malicious web application to inject a malicious global context that could in turn be used to disrupt other web applications and/or read and write data owned by other web applications.

This was fixed in revision 1725931

Low: Session Fixation CVE-2015-5346

When recycling the Request object to use for a new request, the requestedSessionSSL field was not recycled. This meant that a session ID provided in the next request to be processed using the recycled Request object could be used when it should not have been. This gave the client the ability to control the session ID. In theory, this could have been used as part of a session fixation attack but it would have been hard to achieve as the attacker would not have been able to force the victim to use the 'correct' Request object. It was also necessary for at least one web application to be configured to use the SSL session ID as the HTTP session ID. This is not a common configuration.

This was fixed in revision 1713187.

Low: Limited directory traversal CVE-2015-5174

This issue only affects users running untrusted web applications under a security manager.

When accessing resources via the ServletContext methods getResource() getResourceAsStream() and getResourcePaths() the paths should be limited to the current web application. The validation was not correct and paths of the form "/.." were not rejected. Note that paths starting with "/../" were correctly rejected. This bug allowed malicious web applications running under a security manager to obtain a directory listing for the directory in which the web application had been deployed. This should not be possible when running under a security manager. Typically, the directory listing that would be exposed would be for $CATALINA_BASE/webapps.

This was fixed in revisions 1696284 and 1700898.

Complete List of Issues Addressed in the Patch

• CMS-79 - IE 11 cannot properly drag widgets to regions
• CMS-2974 - Fixed Viewing Metadata in CM1 on certain pages in non-edit mode freezes dialogue and categories and tags not being populated.
• CMS-2946 - Enhanced File Widget to add optional "Analytics Id" field for user entry
• CMS-3017 - Enhanced Rich Text Widget to handle File Asset analytics tracker tag
• CMS-3018 - Enhanced HTML widget to handle File Asset analytics tracker tag
• CMS-2778 - Added Site Improve Gadget
• CMS-2779 - Added Site Improve Post Edition Task
• CMS-3082 - CM1 5.3 SR1 DTS Tomcat needs updated to 7 update 75
• CMS-2818 - Added pagination capabilities to Page Auto List Widget
• CMS-2946 - Enhance File Widget to add optional "Analytics Id" field for user entry
• CMS-2974 - Viewing Metadata in CM1 on certain pages in non-edit mode freezes dialogue and Categories and Tags do not get populated.
• CMS-2979 - Added "List View" to Calendar 2.0 Widget.
• CMS-2989 - Fixed the Feeds RDBMS DAO service to properly load and save objects via hibernate.
• CMS-3082 - CM1 5.3 SR1 DTS Tomcat needs updated to 7 update 75
• CMS-3111 - Calendar Two Widget - JS console errors
• CMS-3135 - Autolist pagination breaks RSS feed
• CMS-3171 - Perc Common UI JavaScript syntax error in Chrome
• CMS-3208 - TinyMCE - Inline images in Rich Text cannot be selected (or have a hyperlink added to them)
• CMS-3212 - Managed Links Are not Turned on By Default for Assets
• CMS-3221 - Valid Managed Links are incorrectly removed from content on edit
• CMS-3224 - CM1 - Update TinyMCE to Version 4.5.7
• CMS-2816 - Permission error when uploading image (using Image Field or RichText Widget) into an Asset folder controlled by a custom workflow
• CMS-3227 - PercFinderTree.js sends folder ids of non folder items when using upload button
• CMS-3228 - Prevent sys_folderid passed to new content item creating invalid relationship if id is not of a folder
• CMS-3229 - Created RxFix for invalid folder relationships where parent id is not a folder
• CMS-3230 - Tinymce Perc custom plugin PercAdvimage strips alignment upon edit (not adding new image)
• CMS-3232 - Insert Images in Rich Text Editor should not allow override of Asset alt and title

Known Issues List - Updated 7/6/17

• All customer should apply the updated perc-common-ui javascript file after applying the patch to mitigate a late breaking issue in recent browser updates.  This file can be downloaded from http://cdn.percussion.com/downloads/cm1/Patches/hotfixes/5.3.15/perc_common_ui.js and should be placed in the  <InstallDir>/web_resources/cm/common/js/ directory. Publishing a single page (like the error.html page, will cause the update script to get deployed after the patch has been applied)
• Customer using the secure sections feature will have problems starting the DTS after applying the patch.  They should contact technical support for a work around prior to attempting to patch their instance. 
• Customers with certain hotfixed widgets (Calendar, Forms) may run into a startup problem after installing the patch.  To work around this issue customers can either contact Technical Support for assistance, or edit the <InstallDir>/rxconfig/Installer/InstallPackages.xml file and change the FAILED text for the affected widget to "INSTALLED", save the file and restart Percussion. The service will start cleanly.
• Customers using the MySQL database server as the backing database for the DTS, will lose the MySQL Connector jar if it was previously placed into the <InstallDir>/Deployment/Server/perc-lib directory.  To correct this problem the MySQL Connector for Java may be installed or symlinked into the <InstallDir>/Deployment/Server/lib directory.  Percussion does not include this connector as part of our installation due to license incompatibility issues.
• Customers Patching the DTS on Windows Servers will need to replace their <InstallDir>\Deployment\Server\bin\service.bat script with the following file.  After updating the service.bat script, the DTS service must be removed and installed again using the "<InstallDir>\Deployment\Server\bin\service.bat remove" and  "<InstallDir>\Deployment\Server\bin\service.bat install" commands.  Once the service has been successfully re-installed, the Percussion DTS Windows Service will correctly start. 
• Customer's running the DTS on a server that also has native APR libraries installed, may run into problems starting the DTS HTTPS connector.   The HTTPS connector may fail to start with an invalid Keystore configuration.  To resolve this issue, remove or comment out the following line in the <InstallDir>/Deployment/Server/conf/server.xml file:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>

e.g. 

<!-- <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/> -->.  Restarting the DTS after this change will resolve the APR related errors.