BoKS Control Center

May 2023

Version: 8.1.1.2

May 2, 2023

New Features
  • The dependency on java-11-openjdk has been removed.
Fixes
  • A warning was added to sudo control for hosts with a version of BoKS without sudo support.
Enhancements
  • The following dependencies were upgraded to address CVE-2022-1471, CVE-2023-20861, CVE-2023-20863 and CVE-2023-24998:
    • Snakeyaml upgraded to 2.0 (CVE-2022-1471).
    • Spring upgraded to 5.3.27 (CVE-2023-20861, CVE-2023-20863).
    • commons-fileupload upgraded to 1.5 (CVE-2023-24998).
Version: 8.1.0.4

May 2, 2023

New Features
  • The bccps rpm package no longer depends on java-11-openjdk.
Fixes
  • A warning was added to sudo control for hosts with a version of BoKS without sudo support.
Enhancements
  • The following dependencies were upgraded to address CVE-2022-1471, CVE-2023-20861, CVE-2023-20863 and CVE-2023-24998:
    • Snakeyaml upgraded to 2.0 (CVE-2022-1471).
    • Spring upgraded to 5.3.27 (CVE-2023-20861, CVE-2023-20863).
    • commons-fileupload upgraded to 1.5 (CVE-2023-24998).
Version: 8.0.0.7

May 2, 2023

Fixes
  • Login error java.security.NoSuchAlgorithmException with Java 1.8.0_352. The bcc.policy file has been extended with the necessary access.
  • Fixed the XSS vulnerability in userclass dropdown on start page.
Enhancements
  • The following dependencies were upgraded to address CVE-2022-1471, CVE-2023-20861, CVE-2023-20863 and CVE-2023-24998:
    • Snakeyaml upgraded to 2.0 (CVE-2022-1471).
    • Spring upgraded to 5.3.27 (CVE-2023-20861, CVE-2023-20863).
    • commons-fileupload upgraded to 1.5 (CVE-2023-24998).
Version: 7.2.0.6

May 2, 2023

Fixes
  • Login error java.security.NoSuchAlgorithmException with Java 1.8.0_352. The bcc.policy file is now extended with read access to the directory /etc/pki/java/cacerts.
  • The XSS vulnerability in userclass dropdown on the start page has been fixed.
Enhancements
  • The following dependencies were upgraded to address CVE-2022-1471, CVE-2023-20861, CVE-2023-20863 and CVE-2023-24998:
    • Snakeyaml upgraded to 2.0 (CVE-2022-1471).
    • Spring upgraded to 5.3.27 (CVE-2023-20861, CVE-2023-20863).
    • commons-fileupload upgraded to 1.5 (CVE-2023-24998).
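
The May 2023 entries above (and the January 2022 log4j entries further down) only say which library versions a fixed release ships with; an administrator still has to confirm that the jars actually deployed on the presentation server are at or above those versions. The script below is an added example, not part of BoKS Control Center or its release notes: it parses jar file names into artifact and version, compares them component-wise against the minimums stated in these notes, and reports any artifact that is missing or too old. The artifact names spring-core, spring-web and log4j-core, the sample jar list and the lib directory path are assumptions made for the example.

```python
"""Audit a BCC lib directory for the dependency versions these release notes require.

Added example; this script is not part of BoKS Control Center or its release
notes. Minimum versions come from the May 2023 entries (SnakeYAML 2.0, Spring
5.3.27, commons-fileupload 1.5) and the January 2022 entries (log4j 2.17.1).
The artifact names (spring-core, spring-web, log4j-core), the sample jar list
and the lib directory path are assumptions made for the example.
"""
import os
import re

# Minimum fixed versions stated in the release notes, keyed by the artifact name
# prefix that appears in the jar file name (artifact names are assumed).
MINIMUM_VERSIONS = {
    "snakeyaml": "2.0",            # CVE-2022-1471
    "spring-core": "5.3.27",       # CVE-2023-20861, CVE-2023-20863
    "spring-web": "5.3.27",
    "commons-fileupload": "1.5",   # CVE-2023-24998
    "log4j-core": "2.17.1",        # January 2022 log4j update
}

# artifact name, dash, dotted numeric version, optional qualifier (.v20180830, -jre, ...), .jar
JAR_RE = re.compile(r"^(?P<name>[a-z0-9.\-]+?)-(?P<version>\d+(?:\.\d+)*)(?P<rest>[^/]*)\.jar$", re.I)


def parse_jar(filename):
    """Split 'spring-core-5.3.27.jar' into ('spring-core', '5.3.27'); None if the name does not parse."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    return m.group("name"), m.group("version")


def version_key(version):
    """Numeric tuple for comparison: '5.3.27' -> (5, 3, 27)."""
    return tuple(int(p) for p in version.split("."))


def version_at_least(found, minimum):
    """True when found >= minimum, comparing component-wise and padding missing parts with 0."""
    a, b = version_key(found), version_key(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def audit_jars(filenames, minimums=MINIMUM_VERSIONS):
    """Return {artifact: (found_version, ok)} for every artifact with a stated minimum.

    An artifact that is not found at all is reported as (None, False), so a missing
    jar never passes silently.
    """
    found = {}
    for fn in filenames:
        parsed = parse_jar(os.path.basename(fn))
        if parsed and parsed[0] in minimums:
            found[parsed[0]] = parsed[1]
    return {
        name: (found.get(name), found.get(name) is not None and version_at_least(found[name], minimum))
        for name, minimum in minimums.items()
    }


def audit_directory(lib_dir):
    """Run the audit over a real installation (the lib directory path is an assumption)."""
    return audit_jars(os.listdir(lib_dir))


# Constructed sample: a lib directory that still carries pre-fix Spring and SnakeYAML jars.
SAMPLE_LIB = [
    "snakeyaml-1.33.jar",
    "spring-core-5.3.23.jar",
    "spring-web-5.3.23.jar",
    "commons-fileupload-1.5.jar",
    "log4j-core-2.17.1.jar",
    "jetty-server-9.4.12.v20180830.jar",
]

if __name__ == "__main__":
    for name, (version, ok) in audit_jars(SAMPLE_LIB).items():
        print(f"{'OK ' if ok else 'BAD'} {name:<20} found={version} minimum={MINIMUM_VERSIONS[name]}")
```

Run it against the real directory with audit_directory("/path/to/bcc/lib") after an upgrade, and treat a (None, False) entry as a finding in its own right: a renamed or relocated jar is as much a gap in the audit as an old one.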

October 2022

Version 8.1.1.1

October 25, 2022

This release includes the following security fixes:

  • Hide implementation details from general error page.

  • A bad request could result in a general error page that revealed application implementation specifics, such as a stack trace. This information has been removed from the error page.

  • Changing sudo protection for host via list menu resets home directory to /home.

  • Fixed issue with the host menu causing the home directory to be reset to /home when changing the sudo protection setting in the list without first opening the details row.

  • Upgraded dependencies.

  • Upgraded Spring to 5.3.23.

  • Upgraded Snakeyaml to 1.33.

Version 8.1.0.3

October 25, 2022

This release includes the following security fixes:

  • Hide implementation details from general error page.

  • A bad request could result in a general error page that revealed application implementation specifics, such as a stack trace. This information has been removed from the error page.

  • Changing sudo protection for host via list menu resets home directory to /home.

  • Fixed issue with the host menu causing the home directory to be reset to /home when changing the sudo protection setting in the list without first opening the details row.

  • Upgraded dependencies.

  • Upgraded Spring to 5.3.23.

  • Upgraded Snakeyaml to 1.33.

Version 8.0.0.6

October 25, 2022

This release includes the following security fixes:

  • Hide implementation details from general error page.

  • A bad request could result in a general error page that revealed application implementation specifics, such as a stack trace. This information has been removed from the error page.

  • Upgraded dependencies.

  • Upgraded Spring to 5.3.23.

  • Upgraded Snakeyaml to 1.33.

Version 7.2.0.5

October 25, 2022

This release includes the following security fixes:

  • Hide implementation details from general error page.

  • A bad request could result in a general error page that revealed application implementation specifics, such as a stack trace. This information has been removed from the error page.

  • Upgraded dependencies.

  • Upgraded Spring to 5.3.23.

  • Upgraded Snakeyaml to 1.33.

April 2022

Version: 8.1.0.2

April 20, 2022

  • Added CSRF (Cross Site Request Forgery) attack protection.

  • Updated Spring Framework dependency (CVE-2022-22965).

Version: 8.0.0.5

April 20, 2022

  • Added CSRF (Cross Site Request Forgery) attack protection.

  • Updated Spring Framework dependency (CVE-2022-22965).

Version: 7.2.0.4

April 20, 2022

  • Added CSRF (Cross Site Request Forgery) attack protection.

  • Updated Spring Framework dependency (CVE-2022-22965).

March 2022

Version: 8.1.1

March 4, 2022

New Features
  • Certificate authentication is added for login to BCC.
Fixes
  • The web server listens to an extra port for certificate login (default 8444).
  • The "SSH certificate" authenticator is renamed to "Certificate". When configuring Access Rules, "Optional SSH certificate" is renamed to "Optional certificate", and the authentication methods "ssh_cert", "hard_ssh_cert" and "optional_ssh_cert" are renamed to "cert", "hardcert" and "optional_cert".

January 2022

Version: 8.1.0.1

January 31, 2022

  • Updated log4j dependency to version 2.17.1.

  • The log configuration for Log4j2 is not backwards compatible. A new log file log4j2.xml is used instead of AppcontrolLogging.xml. When upgrading, AppcontrolLogging.xml will be renamed to AppcontrolLogging.xml.bak. This means that any modifications that were made in AppcontrolLogging.xml must manually be transferred to the new log4j2.xml file to be effective.

Version: 8.0.0.4

January 28, 2022

  • Updated log4j dependency to version 2.17.1.

  • The log configuration for Log4j2 is not backwards compatible. A new log file log4j2.xml is used instead of AppcontrolLogging.xml. When upgrading, AppcontrolLogging.xml will be renamed to AppcontrolLogging.xml.bak. This means that any modifications that were made in AppcontrolLogging.xml must manually be transferred to the new log4j2.xml file to be effective.

Version: 7.2.0.3

January 28, 2022

  • Updated log4j dependency to version 2.17.1.

  • The log configuration for Log4j2 is not backwards compatible. A new log file log4j2.xml is used instead of AppcontrolLogging.xml. When upgrading, AppcontrolLogging.xml will be renamed to AppcontrolLogging.xml.bak. This means that any modifications that were made in AppcontrolLogging.xml must manually be transferred to the new log4j2.xml file to be effective.

Version: 6.7.0.4

January 28, 2022

  • Updated log4j dependency to version 2.17.1.

  • The log configuration for Log4j2 is not backwards compatible. A new log file log4j2.xml is used instead of AppcontrolLogging.xml. When upgrading, AppcontrolLogging.xml will be renamed to AppcontrolLogging.xml.bak. This means that any modifications that were made in AppcontrolLogging.xml must manually be transferred to the new log4j2.xml file to be effective.

  • In the Installation Guide section "Troubleshooting the Presentation Server", the file AppcontrolLogging.xml should be read as log4j2.xml. The Logger element that controls debug output is

        <Logger name="com.foxt.bcc" level="info" additivity="false">
            <AppenderRef ref="FILE"/>
        </Logger>

    (set level="debug" instead of level="info" to activate debugging), and the parameters for log size and how many log files are retained are

        <SizeBasedTriggeringPolicy size="32MB"/>
        <DefaultRolloverStrategy max="5"/>
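
Because the upgrade renames AppcontrolLogging.xml to AppcontrolLogging.xml.bak and starts from a fresh log4j2.xml, any site-specific logging settings silently revert to the defaults unless they are transferred by hand. The script below is an added example, not part of BoKS Control Center or its documentation: it reads a log4j2.xml with the standard library, reports the values the notes above single out (the com.foxt.bcc logger level and appender, the rollover size and the number of retained files), compares them with the values you had in the old file, and can switch the logger to debug as the Installation Guide step describes. The sample log4j2.xml is constructed from the fragments quoted in the notes; its Appenders and Loggers layout is an assumption about how BCC's file is organised.

```python
"""Verify that logging customizations were carried over into log4j2.xml.

Added example; not part of BoKS Control Center or its documentation. The XML
below is constructed for the example from the fragments quoted in the release
notes; the RollingFile appender layout around them is an assumption.
"""
import xml.etree.ElementTree as ET

SAMPLE_LOG4J2_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <RollingFile name="FILE" fileName="logs/bcc.log" filePattern="logs/bcc-%i.log">
      <PatternLayout pattern="%d %-5p [%t] %c - %m%n"/>
      <Policies>
        <SizeBasedTriggeringPolicy size="32MB"/>
      </Policies>
      <DefaultRolloverStrategy max="5"/>
    </RollingFile>
  </Appenders>
  <Loggers>
    <Logger name="com.foxt.bcc" level="info" additivity="false">
      <AppenderRef ref="FILE"/>
    </Logger>
    <Root level="warn">
      <AppenderRef ref="FILE"/>
    </Root>
  </Loggers>
</Configuration>
"""

BCC_LOGGER = "./Loggers/Logger[@name='com.foxt.bcc']"


def read_logging_settings(xml_text):
    """Return the settings an administrator typically tunes, as a dict (None where absent)."""
    root = ET.fromstring(xml_text)
    logger = root.find(BCC_LOGGER)
    policy = root.find(".//SizeBasedTriggeringPolicy")
    strategy = root.find(".//DefaultRolloverStrategy")
    return {
        "level": logger.get("level") if logger is not None else None,
        "appenders": [ref.get("ref") for ref in logger.findall("AppenderRef")] if logger is not None else [],
        "rollover_size": policy.get("size") if policy is not None else None,
        "max_files": int(strategy.get("max")) if strategy is not None and strategy.get("max") else None,
    }


def set_debug_level(xml_text, level="debug"):
    """Return the XML with the com.foxt.bcc logger switched to `level` (the Installation Guide's
    debug-activation step); everything else is left untouched."""
    root = ET.fromstring(xml_text)
    logger = root.find(BCC_LOGGER)
    if logger is None:
        raise ValueError("no <Logger name='com.foxt.bcc'> element; customizations were not transferred")
    logger.set("level", level)
    return ET.tostring(root, encoding="unicode")


def check_transferred(xml_text, expected):
    """Compare log4j2.xml against the values you had in AppcontrolLogging.xml.
    Returns the keys that differ; an empty list means the transfer is complete."""
    actual = read_logging_settings(xml_text)
    return [k for k, v in expected.items() if actual.get(k) != v]


if __name__ == "__main__":
    # The values on the right are what the old file was assumed to contain.
    wanted = {"level": "info", "rollover_size": "64MB", "max_files": 10}
    print("settings:", read_logging_settings(SAMPLE_LOG4J2_XML))
    print("not transferred:", check_transferred(SAMPLE_LOG4J2_XML, wanted))
```

Point read_logging_settings at the real file with open("log4j2.xml").read() and pass the values from AppcontrolLogging.xml.bak to check_transferred; a non-empty result is the list of customizations that still need to be moved over.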

December 2021

Version 8.0.0.3

December 22, 2021

  • Updated Jetty dependency (CVE-2021-28169, CVE-2021-34429).

  • Updated Apache Wicket dependency (CVE-2021-23937).

Version 7.2.0.2

December 17, 2021

  • Removed unused Log4j2 dependency (CVE-2021-44228, CVE-2021-45046).

  • Updated Jetty dependency (CVE-2021-28169, CVE-2021-34429).

  • Updated Apache Wicket dependency (CVE-2021-23937).

October 2021

Version: 8.1

October 4, 2021

New Features
  • Support is added for the new BoKS sudo, sudoedit and sudolist access methods.
  • A new object, sudoenvlist, can be specified for sudo Access Rules.
  • Added controls making it possible to activate or deactivate BoKS sudo protection for hosts, host pre-registrations and host pre-registration types.
Enhancements
  • Systemd is used for managing the BCC application where available. The systemctl command is used for starting and stopping the service. The /etc/init.d/bccps start script has been removed.
  • /home is now the default location for creating home directories when you create a host, host pre-registration or host pre-registration type, or when you import host definitions.
  • A new command named bccinfo has been added to collect useful troubleshooting information. See the documentation set for details.
  • Fixed an issue where some GUI operations (for example managing "User SSH Public Keys") did not work when running the server with Java 1.8.0 update 282 or later.
  • Support is added for TLS 1.3.
  • Default allowed TLS protocols are TLSv1.2 and TLSv1.3.
  • Default allowed TLS cipher suites are TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (TLS 1.2) and TLS_AES_256_GCM_SHA384 (TLS 1.3).
  • A new section "User certificate mappings" is added to the User details page to map UUID and certificate hashes to users.
  • Added the ability to turn off autocomplete for the Host field in the password checkout interface using the bcc.properties variable PwmHostListingEnabled.
Fixes
  • The dependency in the BCC install program on /bin/ed, which is not supported in some newer OS versions, is removed.
  • Removed cache for downloadable resources (host and ca certificates) to provide enhanced security.
  • Added replacement of session ID every time a user logs in and deletion of old session IDs to provide enhanced security.
  • The default time zone set for the domain is now displayed in the Time zone field when you create a new host, and domain is selected for the setting.
  • Added response header "X-Content-Type-Options: nosniff" for enhanced security.
  • Ensured that a Strict-Transport-Security HTTP header is sent with each HTTPS response.
  • Updated the default session ID name to "id" to provide enhanced security.
  • Added enhanced protections to prevent the ability to download certificates from BCC without an active session.
  • "unsafe-inline" is removed from Content-Security-Policy headers in accordance with OWASP recommendations.
  • The "Import options" section when importing users is removed as the UID range for system users varies per OS. The "UID range" section can be used instead.
  • The section "Secondary unix groups" is renamed to "Unix groups".
  • The label for "Map home directories to host... at location" is changed to "Optionally create home directories on host... at location" to better reflect the functionality.

May 2021

Version 8.0.0.2

May 3, 2021

  • Updated Jetty dependency fixing the following reported vulnerabilities: CVE-2021-28165, CVE-2020-27218, CVE-2020-27223, CVE-2020-27216.

  • Strict-Transport-Security header included in root redirect page (enforce strict transport security).

  • Added enhanced protections to prevent the ability to download certificates from BCC without an active session (enhanced access control).

  • Added replacement of session ID every time a user logs in and deletion of old session IDs to provide enhanced security (session fixation).

  • Added response header "X-Content-Type-Options: nosniff" for enhanced security (content sniffing not disabled).

  • Updated the default session ID name to "id" to provide enhanced security (session ID fingerprinted).

  • Removed cache for downloadable resources (host and ca certificates) to provide enhanced security (cacheable HTTPS response).

Version 7.2.0.1

May 3, 2021

  • Fixed a problem where some GUI operations (for example managing "User SSH Public Keys") did not work when running the server with Java 1.8.0 update 282 or later.

  • Updated Jetty dependency fixing the following reported vulnerabilities: CVE-2021-28165, CVE-2020-27218, CVE-2020-27223, CVE-2020-27216.

  • Strict-Transport-Security header included in root redirect page (enforce strict transport security).

  • Added enhanced protections to prevent the ability to download certificates from BCC without an active session (enhanced access control).

  • Added replacement of session ID every time a user logs in and deletion of old session IDs to provide enhanced security (session fixation).

  • Added response header "X-Content-Type-Options: nosniff" for enhanced security (content sniffing not disabled).

  • Updated the default session ID name to "id" to provide enhanced security (session ID fingerprinted).

  • Removed cache for downloadable resources (host and ca certificates) to provide enhanced security (cacheable HTTPS response).
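
The 8.0.0.2 / 7.2.0.1 entries above, the 8.1 fixes, and the October 2022 error-page fix all describe properties that can be verified from the outside: the X-Content-Type-Options and Strict-Transport-Security headers, a Content-Security-Policy without 'unsafe-inline', a session cookie named "id", uncacheable certificate downloads, and an error page that no longer carries a stack trace. The script below is an added example, not part of BoKS Control Center or its release notes: it parses a raw HTTP response (as captured with curl -i or from a proxy) and returns a list of findings against those expectations. The two sample responses are constructed; the cookie name JSESSIONID and the exception text in the "before" sample are assumptions about what an unpatched server would send, not output observed from BCC.

```python
"""Check captured HTTPS responses for the hardening described in the release notes.

Added example; not part of BoKS Control Center or its release notes. The two
sample responses are constructed for the example (the JSESSIONID cookie and
the exception text in BEFORE_RESPONSE are assumptions, not BCC output).
"""
import re

# Lines that betray an application stack trace in an error body.
STACK_TRACE_RE = re.compile(r"\b\w+Exception\b|^\s*at [\w.$]+\(", re.M)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, {header-name-lower: [values]}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def check_response(raw, path="/"):
    """Return a list of findings (empty list = nothing to report) for one response to `path`."""
    status, headers, body = parse_response(raw)
    findings = []
    if headers.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "strict-transport-security" not in headers:
        findings.append("missing Strict-Transport-Security")
    csp = " ".join(headers.get("content-security-policy", []))
    if not csp:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp:
        findings.append("Content-Security-Policy allows 'unsafe-inline'")
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = cookie.lower()
        if name != "id":
            findings.append(f"session cookie name '{name}' fingerprints the framework; expected 'id'")
        if "secure" not in attrs or "httponly" not in attrs:
            findings.append(f"cookie '{name}' lacks Secure and/or HttpOnly")
    # Host and CA certificate downloads must not be cached by browsers or proxies.
    if path.endswith(".crt") or "/cert" in path:
        cache_control = " ".join(headers.get("cache-control", [])).lower()
        if "no-store" not in cache_control:
            findings.append("downloadable certificate is cacheable (no Cache-Control: no-store)")
    if status >= 400 and STACK_TRACE_RE.search(body):
        findings.append("error page leaks a stack trace / exception class")
    return findings


# Constructed "before" sample: an error page from a server without the fixes.
BEFORE_RESPONSE = "\r\n".join([
    "HTTP/1.1 500 Server Error",
    "Content-Type: text/html;charset=utf-8",
    "Set-Cookie: JSESSIONID=node0a1b2c3.node0; Path=/",
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'",
    "",
    "<html><body><h1>Error</h1><pre>java.lang.NullPointerException\n"
    "\tat com.example.app.StartPage.render(StartPage.java:42)\n</pre></body></html>",
])

# Constructed "after" sample: a certificate download from a server with the fixes applied.
AFTER_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: application/x-x509-ca-cert",
    "Set-Cookie: id=3f9c2a7e1b; Path=/; Secure; HttpOnly; SameSite=Strict",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "X-Content-Type-Options: nosniff",
    "Content-Security-Policy: default-src 'self'",
    "Cache-Control: no-store",
    "",
    "-----BEGIN CERTIFICATE-----\n(certificate bytes omitted in this constructed sample)\n-----END CERTIFICATE-----",
])

if __name__ == "__main__":
    for label, raw, path in (("before", BEFORE_RESPONSE, "/"), ("after", AFTER_RESPONSE, "/download/ca.crt")):
        print(label, check_response(raw, path) or ["no findings"])
```

Feed it responses for the start page, the login form, an invalid request that triggers the error page, and a certificate download; each check maps to one bullet in the release notes, so a finding tells you directly which fix is missing on the server you are looking at.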

January 2020

Version 8.0.0.1
  • Fixed issues when running with Java 11. Expandable rows for user and host listings could not be opened. Also User SSH public keys section for a user object did not function as expected.

December 2019

Version 8.0
NOTE: For system requirements including supported platforms, see the BoKS Control Center 8.0 Installation Guide.
New Features
  • Updated to support BoKS 8.0 features and functions.
Enhancements
  • Support for java version 11 and above.
  • Added support for changing multiple GIDs or multiple group names in one operation.
  • Improved the autocomplete feature for selecting primary group - now the number of groups is displayed at the bottom of the drop-down if there are more than the 15 that are displayed in the drop-down.
  • Added support for setting global time zone to the Domain settings page.
  • Added columns for Target user and From user in the Access Rule listing.
  • Added links to host detail pages from members listing in the Host Group details page, where the member resolves to a specific host (i.e. not for wildcard definitions).
  • Added support for the REALSTARTEDBY parameter to the Keystroke Log Files as read in BCC.
Other Updates
  • The installation directory is now owned by the process user instead of root. This prevents an issue where the presentation server could not be started after installation with a restrictive umask setting.
  • Upgrade of dependency libraries. Resolves the vulnerabilities CVE-2019-10241 and CVE-2019-10247.
  • Some GUI labels that previously said "To user" have been changed to "Target user" for consistency.

December 2018

Version 6.7.0.3
  • Disabled the HTTP TRACE method to remove the cross-site tracing exposure, where a TRACE response echoes request headers such as the session cookie back to a script and can enable session hijacking.

November 2018

Version 7.2
NOTE: For system requirements including supported platforms, see the FoxT Control Center 7.2 Installation Guide. For Known Issues in this release, see the section "Known Issues" in the Administration Guide.
New Features
  • Updated to support BoKS 7.2 features and functions.

  • Additional authentication methods can be used to log in to FCC: Radius password and YubiKey.

Enhancements
  • FCC is delivered as a separate RPM package.
  • The installation has been split into an install program and a setup program.
  • FCC checks that the correct Java version is installed.
  • The list of installed hotfixes is updated every time the user opens or reloads the Start page.
  • Program groups that are members of another program group are displayed as links you can click to go to the Program group details page.
  • Program groups that appear in Access Rules are links to the Program group details page.
  • It is easier to configure a Replica for failover, with support for this in the setup program.


Other Updates
  • Java is now required to be installed on the system before installation / upgrade.

  • CAS-194895-M6Q4W1 - Autocomplete fields now search for matching items from the beginning of the name with the exception of the "user" autocomplete field that searches throughout the name.

  • CAS-0010107691 - Added the option ANY/* to the dropdown for domain access policies.

October 2018

Version 7.1.0.3
  • Updated libraries due to reported vulnerabilities:
    • Jetty library has been updated to version 9.4.12 (CVE-2017-7658, CVE-2017-7656).
    • Spring Framework libraries have been updated to version 4.3.9 (CVE-2018-1272, CVE-2018-11039, CVE-2018-11040).
    • Guava library has been updated to version 26.0 (CVE-2018-10237).
    • Commons-fileupload has been updated to version 1.3.3 (CVE-2016-1000031).

  • Security headers: the following response headers have been added to the HTTP responses for improved HTTP security: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Strict-Transport-Security.

  • Enabled rejection of client-initiated TLS renegotiation.

  • Embedded Java Runtime Environment is updated to version 8u181.

  • The certificate keystore file is now created in PKCS12 format instead of the proprietary JKS format, which previously caused warnings at installation.

  • Updated default enabled TLS protocols and cipher suites. The default enabled protocol is TLSv1.2, and the new default enabled cipher suites are:
    • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • License.txt in installation package is updated.

  • NOTE: FCC 7.1.0.3 does not support Solaris x86 32 bit, which was supported for the 7.1.0.2 release. The reason for this is that Oracle Java does not include support for that platform.
Version 7.0.1.1
  • Updated libraries due to reported vulnerabilities:
    • Jetty library has been updated to version 9.4.12 (CVE-2017-7658, CVE-2017-7656).
    • Spring Framework libraries have been updated to version 4.3.9 (CVE-2015-3192, CVE-2015-5211).
    • Wicket Framework libraries have been updated to version 6.29.0 (CVE-2015-5347).

  • Security headers: the following response headers have been added to the HTTP responses for improved HTTP security: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Strict-Transport-Security.

  • Enabled rejection of client-initiated TLS renegotiation.

  • Embedded Java Runtime Environment is updated to version 8u181.

  • The certificate keystore file is now created in PKCS12 format instead of the proprietary JKS format, which previously caused warnings at installation.

  • Updated default enabled TLS protocols and cipher suites. The default enabled protocol is TLSv1.2, and the new default enabled cipher suites are:
    • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • License.txt in installation package is updated.

  • NOTE: FCC 7.0.0.1 does not support Solaris x86 32 bit, which was supported for the 7.0.0 release. The reason for this is that Oracle Java does not include support for that platform.
Version 6.7.0.2
  • Updated libraries due to reported vulnerabilities:
    • Jetty library has been updated to version 9.4.12 (CVE-2017-7658, CVE-2017-7656, CVE-2017-9735).
    • Spring Framework libraries have been updated to version 3.2.18 (CVE-2014-3578, CVE-2013-7315, CVE-2015-3192, CVE-2014-0225, CVE-2013-6429, CVE-2014-0054, CVE-2015-5211).
    • Wicket Framework libraries have been updated to version 6.29.0 (CVE-2013-2055, CVE-2014-7808, CVE-2015-5347).

  • Security headers: the following response headers have been added to the HTTP responses for improved HTTP security: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Strict-Transport-Security.

  • Enabled rejection of client-initiated TLS renegotiation.

  • Embedded Java Runtime Environment is updated to version 8u181.

  • The certificate keystore file is now created in PKCS12 format instead of the proprietary JKS format, which previously caused warnings at installation.

  • Updated default enabled TLS protocols and cipher suites. The default enabled protocol is TLSv1.2, and the new default enabled cipher suites are:
    • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • License.txt in installation package is updated.

  • NOTE: FCC 6.7.0.2 does not support Solaris x86 32 bit, which was supported for the 6.7.0.1 release. The reason for this is that Oracle Java does not include support for that platform.
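
The 2018 entries above list four default TLS 1.2 cipher suites, two of them CBC-based; the 8.1 entry further up narrows the defaults to TLSv1.2 and TLSv1.3 with a single AEAD suite for each. The script below is an added example, not part of BoKS Control Center or its release notes: it parses IANA cipher-suite names into key exchange and bulk construction, flags suites that lack forward secrecy or AEAD protection (which is what separates the two CBC suites from the rest), maps the TLS 1.2 names to their OpenSSL cipher-string names, and builds a Python ssl client context matching the 8.1 defaults. The name mapping is the standard IANA-to-OpenSSL one; the context is built locally and no connection is made. Note that Python's ssl module cannot restrict the TLS 1.3 suite list, so only the TLS 1.2 half of the 8.1 policy is enforced by the context.

```python
"""Classify the cipher suites from these release notes and build a matching client policy.

Added example; not part of BoKS Control Center or its release notes. Suite
lists are copied from the 6.7.0.2/7.0.1.1/7.1.0.3 and 8.1 entries; the
IANA-to-OpenSSL name mapping is the standard one.
"""
import ssl

# Defaults stated in the 7.1.0.3 / 7.0.1.1 / 6.7.0.2 entries (TLS 1.2 only).
DEFAULTS_2018 = [
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
]
# Defaults stated in the 8.1 entry (TLS 1.2 and TLS 1.3).
DEFAULTS_8_1 = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_AES_256_GCM_SHA384",
]


def classify(iana_name):
    """Describe an IANA cipher-suite name: protocol version, key exchange, forward secrecy, AEAD.

    TLS 1.3 names (TLS_AES_..., TLS_CHACHA20_...) carry no key-exchange field because
    TLS 1.3 always uses (EC)DHE, so forward secrecy is implied.
    """
    parts = iana_name.split("_")
    if "WITH" not in parts:
        return {"name": iana_name, "version": "1.3", "kex": "ECDHE/DHE",
                "forward_secrecy": True, "aead": True}
    w = parts.index("WITH")
    kex = "_".join(parts[1:w])        # e.g. ECDHE_RSA, DHE_RSA, RSA
    bulk = "_".join(parts[w + 1:])    # e.g. AES_256_GCM_SHA384, AES_256_CBC_SHA256
    return {
        "name": iana_name,
        "version": "1.2",
        "kex": kex,
        "forward_secrecy": kex.startswith(("ECDHE", "DHE")),
        "aead": any(tag in bulk for tag in ("GCM", "CCM", "CHACHA20")),
    }


def weak_suites(names):
    """Names that lack forward secrecy or use a non-AEAD (e.g. CBC) construction, in input order."""
    return [c["name"] for c in map(classify, names) if not (c["forward_secrecy"] and c["aead"])]


def iana_to_openssl(iana_name):
    """Map a TLS 1.2 IANA name to its OpenSSL cipher-string name; TLS 1.3 names are unchanged."""
    c = classify(iana_name)
    if c["version"] == "1.3":
        return iana_name
    kex = c["kex"].replace("_", "-")
    bulk = iana_name.split("_WITH_")[1].replace("_CBC_", "_")   # OpenSSL omits "CBC"
    bulk = bulk.replace("AES_128_", "AES128-").replace("AES_256_", "AES256-").replace("_", "-")
    return f"{kex}-{bulk}"


def client_context(iana_names=DEFAULTS_8_1):
    """ssl.SSLContext limited to TLS 1.2/1.3 and the given TLS 1.2 suites (the 8.1 defaults)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    tls12 = [iana_to_openssl(n) for n in iana_names if classify(n)["version"] == "1.2"]
    if tls12:
        ctx.set_ciphers(":".join(tls12))   # TLS 1.3 suites are not controlled by set_ciphers
    return ctx


def enabled_tls12_ciphers(ctx):
    """OpenSSL names of the TLS 1.2 suites the context will offer."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


if __name__ == "__main__":
    print("2018 defaults lacking FS or AEAD:", weak_suites(DEFAULTS_2018))
    print("8.1 defaults lacking FS or AEAD:", weak_suites(DEFAULTS_8_1))
    print("TLS 1.2 suites offered by the 8.1 context:", enabled_tls12_ciphers(client_context()))
```

The classifier generalises beyond the suites on this page (any IANA name, including RSA key exchange and ChaCha20 suites), which makes it usable for reviewing the cipher list of any BCC/FCC release or of the BoKS-side configuration it talks to.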
