Rhythmyx-7.3.2-Patch-20191021

PATCH ID: 732_20200117

This update includes a mix of security updates, an application server update, and several improvements and bug fixes.  Notably, the Jetty server is updated to version 9.4.26.v20200117, an issue with Folder Copy and Paste has been corrected, and Workbench ACL errors have been fixed.  Velocity has been updated to 2.2, which introduces several backward-compatibility changes (including the handling of "-" in sub-property names) that affected some customers.  The Velocity Version Switching tool has been updated to allow easy switching between Velocity 1.6 and Velocity 2.2.  Note that installing the patch does not enable Velocity 2.2; the Velocity Version Switching tool must be used to enable it after patching.

DOWNLOAD

Downloads are available via the support portal at https://support.percussion.com

PREVIOUS PATCHES

Please note that all patches are cumulative.  The links here provide reference access to the release notes for everything that is included in this patch.  Prior patches do not need to be installed before installing this patch.

This patch includes the following changes:

CHANGE DESCRIPTION

RHYT-2702 - Security Update: Java JMX RMI Accessible with common credentials in default configuration

A security vulnerability was reported in the default 7.3.2 configuration when running the Jetty server profile: the JMX RMI listener accepted connections over a clear-text protocol from processes on the Rhythmyx server via the loopback address 127.0.0.1, so any local process on the host, not only Rhythmyx itself, could reach it.  The default configuration has been updated to remove the JMX module from the server profile.  Customers who need JMX can enable and configure the module in their <jetty>/base configuration folder; if you re-enable it, keep it bound to the loopback address and do not keep the default credentials.

RHYT-2713 - Security Update: ActiveMQ configuration should disable JMX by default

A security vulnerability was reported in the default 7.3.2 configuration when running the Jetty server profile where the default ActiveMQ configuration (used in Publishing and Email notifications) enabled a JMX listener by default.  After applying this patch, JMX will be disabled by default in the ActiveMQ configuration. 
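The following audit script is an added example for RHYT-2702 and RHYT-2713; it is not part of the Rhythmyx patch or Percussion's code.  It checks the two places the notes point at: the Jetty modules enabled in a jetty.base (start.ini and start.d/*.ini) and the ActiveMQ broker configuration in jetty/base/etc/activemq/activemq.xml, and it can probe the loopback address for a live RMI listener.  The jetty.base layout, the module names "jmx" and "jmx-remote", the ActiveMQ attributes useJmx and createConnector, and RMI registry port 1099 are assumptions based on stock Jetty 9.4 and ActiveMQ, not values taken from the Rhythmyx configuration; the sample activemq.xml it writes is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added audit helper for RHYT-2702 / RHYT-2713 (example code, not Percussion's).
# Assumptions: Jetty 9.4 jetty.base layout (start.ini, start.d/*.ini carrying
# --module= lines); ActiveMQ broker XML at <base>/etc/activemq/activemq.xml;
# RMI registry on 127.0.0.1:1099 as the conventional JMX entry point.

# List Jetty modules named jmx* (jmx, jmx-remote) enabled in a jetty.base.
# Prints nothing when no JMX module is enabled.
jetty_jmx_modules() {
  local base="$1"
  cat "$base/start.ini" "$base"/start.d/*.ini 2>/dev/null \
    | sed -n 's/^--module=//p' | tr ',' '\n' | grep '^jmx' | sort -u
  return 0
}

# Print "yes" if the ActiveMQ broker will open a JMX/RMI connector, else "no".
# ActiveMQ registers MBeans unless <broker useJmx="false">, and opens a remote
# connector unless <managementContext createConnector="false"/> is present.
# The file is flattened first so attributes split across lines are still seen.
activemq_jmx_connector() {
  local flat
  flat=$(tr '\n' ' ' < "$1")
  if printf '%s' "$flat" | grep -Eq '<broker[^>]*useJmx="false"'; then
    echo no
  elif printf '%s' "$flat" | grep -Eq '<managementContext[^>]*createConnector="false"'; then
    echo no
  else
    echo yes
  fi
}

# Live check on the Rhythmyx host: can a local process open 127.0.0.1:$port?
# Uses bash's /dev/tcp so no nc/ss is needed. Exit status 0 means a listener.
loopback_listener() {
  local port="$1"
  (exec 3<>"/dev/tcp/127.0.0.1/$port") 2>/dev/null
}

# Constructed sample (not shipped by the patch): a jetty.base with no jmx
# modules and an activemq.xml of the hardened shape, connector switched off.
make_sample_base() {
  local base="$1"
  mkdir -p "$base/start.d" "$base/etc/activemq"
  printf '%s\n' '--module=server,http,deploy' > "$base/start.ini"
  cat > "$base/etc/activemq/activemq.xml" <<'EOF'
<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
    <!-- MBeans stay available in-process; no RMI/JMX connector is opened -->
    <managementContext>
      <managementContext createConnector="false"/>
    </managementContext>
  </broker>
</beans>
EOF
}

# Run all checks against one jetty.base and print a short report.
audit() {
  local base="$1"
  local mods
  mods=$(jetty_jmx_modules "$base")
  echo "Jetty JMX modules enabled: ${mods:-none}"
  echo "ActiveMQ JMX connector: $(activemq_jmx_connector "$base/etc/activemq/activemq.xml")"
  if loopback_listener 1099; then
    echo "WARNING: something is listening on 127.0.0.1:1099 (RMI registry)"
  fi
}

if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_sample_base "$tmp"
  audit "$tmp"
  rm -rf "$tmp"
fi
```

Run it with `bash jmx_audit.sh --demo` to see the report against the constructed sample, or source the file on the Rhythmyx server and call `audit /path/to/jetty/base` before and after applying the patch; a listener on 1099 after patching means some other module or a customization in jetty/base is still opening JMX.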

RHYT-2704 - Performance: Publishing hangs forever after queueing 101 items when ActiveMQ overloaded on fast server

A problem was reported where the ActiveMQ publishing queue could hang after the first 101 items on a fast server.  The memory allocations in the defaults/etc/activemq/activemq.xml file were too low to handle large publishes on fast servers, so the publishing queue could lock and freeze publishing.  This patch increases the memory settings, and a copy of defaults/etc/activemq/activemq.xml is placed in the base folder if one is not already present.  jetty/base/etc/activemq/activemq.xml is not overwritten if it already exists, so if you have already overridden the ActiveMQ configuration there, we recommend that after applying this patch you refresh your configuration from the defaults location and then re-apply your customizations on top of it.

RHYT-2708 - Jetty Server: Intermittent errors in jetty logs: 400: Duplicate valid session cookies

The Jetty update included in patch 732_20191021 (jetty-9.4.22.v20191022) carried a Jetty regression that caused intermittent "400: Duplicate Valid Session cookies" errors when using the Content Explorer.  This issue is resolved by the update to jetty-9.4.26.v20200117.

RHYT-2709 - Content Explorer:  Folder copy and paste fails with error

A problem with Folder copy and paste in Content Explorer, reported after the previous patch was applied, has been corrected by this patch.

RHYT-2679 - Update Velocity to the 2.2 Release Version

The Velocity templating engine has been updated to version 2.2 in this release.  This update mainly includes improvements to the Velocity Engine for backward compatibility.  The Velocity Version Switching tool has been updated to allow easy switching between Velocity 1.6 and Velocity 2.2.  Note that installing the patch does not enable Velocity 2.2; the Velocity Version Switching tool must be used to enable it after patching.

RHYT-2688 - Admin: Scheduled Tasks don't run when the Run Now option is selected.

An issue was reported where scheduled tasks run on demand from the Admin Tasks feature were not running.  This has been corrected; Run Now now executes the selected task immediately.

RHYT-2717 - Move security jars to the webapp only to avoid conflicts with customer-provided JREs

For stronger encryption support, prior patch updates deployed a set of security jars to the JRE/JRE64 folders.  With this patch, those libraries are deployed to the application folder instead, so that they are not lost or mismatched when customers replace the server-side JRE folders with their own versions.  A follow-on to this change, which auto-installs certificates (LDAP, etc.) into the configured JRE, will be included in the next patch update.