BoKS Reporting Services

April 2023

Version 8.1.0.5

April 17, 2023

Enhancements
  • The brs rpm package no longer has a dependency on java-11-openjdk.

  • The following dependencies were upgraded for security:

    Upgraded H2 database to 2.1.214.

    Upgraded Spring Framework to 5.3.27.

    Upgraded Spring Boot to 2.7.10.

Fixes
  • Fixed an issue where import failed with java.util.ConcurrentModificationException in the H2 database.

Version 8.0.0.10

April 17, 2023

Enhancements
  • The following dependencies were upgraded for security:

    Upgraded H2 database to 2.1.214.

    Upgraded Spring Framework to 5.3.27.

    Upgraded Spring Boot to 2.7.10.

Fixes
  • A fix was implemented so that import no longer fails with java.util.ConcurrentModificationException in the H2 database.

January 2023

Version 7.2.0.10

January 30, 2023

Fixes
  • H2 database upgraded to version 2.1.214, which fixes the 'Import fails with java.util.ConcurrentModificationException in H2 Database' issue.

October 2022

Version 8.1.0.4

October 12, 2022

Fixes
  • Implementation details have been hidden from the general error page.

  • A bad request could result in a general error page that revealed application implementation specifics, such as an application stack trace. This information has been removed from the error page.

  • A fix has been applied so that the import status is updated when a permission denied error occurs while reading the dump file.

  • Upgraded Spring, Spring Boot, jackson-databind, moment.js and SnakeYAML dependencies (CVE-2022-42003, CVE-2022-42004, CVE-2020-36518, CVE-2022-22950, CVE-2022-38750, CVE-2022-22970, CVE-2022-38751, CVE-2022-25857, CVE-2022-38752, CVE-2022-24785, CVE-2022-31129).

Version 8.0.0.9

October 12, 2022

Fixes
  • Implementation details have been hidden from the general error page.

  • A bad request could result in a general error page that revealed application implementation specifics, such as an application stack trace. This information has been removed from the error page.

  • Upgraded Spring, Spring Boot, jackson-databind, moment.js and SnakeYAML dependencies (CVE-2022-42003, CVE-2022-42004, CVE-2020-36518, CVE-2022-22950, CVE-2022-38750, CVE-2022-22970, CVE-2022-38751, CVE-2022-25857, CVE-2022-38752, CVE-2022-24785, CVE-2022-31129).

Version 7.2.0.9

October 12, 2022

Fixes
  • Implementation details have been hidden from the general error page.

  • A bad request could result in a general error page that revealed application implementation specifics, such as an application stack trace. This information has been removed from the error page.

  • Upgraded Spring, Spring Boot, jackson-databind, moment.js and SnakeYAML dependencies (CVE-2022-42003, CVE-2022-42004, CVE-2020-36518, CVE-2022-22950, CVE-2022-38750, CVE-2022-22970, CVE-2022-38751, CVE-2022-25857, CVE-2022-38752, CVE-2022-24785, CVE-2022-31129).

April 2022

Version 8.1.0.3

April 13, 2022

  • Security fix for CVE-2022-22965. Updated dependency for Spring Framework.

Version 8.0.0.8

April 13, 2022

  • Security fix for CVE-2022-22965. Updated dependency for Spring Framework.

February 2022

Version 8.1.0.2

February 10, 2022

  • Updated log4j dependency to version 2.17.1.

  • Added collection of stored files in the /var/opt/brs/log/archive directory to the brsinfo program.

Version 8.0.0.7

February 10, 2022

  • Updated log4j dependency to version 2.17.1.

Version 7.2.0.8

February 10, 2022

  • Updated log4j dependency to version 2.17.1.

  • Fixed an issue where database dumps from certain BoKS versions couldn’t be imported.

December 2021

Version 8.1.0.1

December 15, 2021

  • Updated Log4j2 dependency to version 2.16.0 (CVE-2021-44228, CVE-2021-45046).

  • Updated Jetty dependency to version 9.4.44 (CVE-2021-28165).

  • Updated Thymeleaf dependency to 3.0.14 (CVE-2021-43466).

Version 8.0.0.6

December 15, 2021

  • Updated Log4j2 dependency to version 2.16.0 (CVE-2021-44228, CVE-2021-45046).

  • Updated Jetty dependency to version 9.4.44 (CVE-2021-28165).

  • Updated Thymeleaf dependency to 3.0.14 (CVE-2021-43466).

Version 7.2.0.7

December 15, 2021

  • Updated Log4j2 dependency to version 2.16.0 (CVE-2021-44228, CVE-2021-45046).

  • Updated Jetty dependency to version 9.4.44 (CVE-2021-28165).

  • Updated Thymeleaf dependency to 3.0.14 (CVE-2021-43466).

October 2021

Version 8.1

October 4, 2021

New Features
  • New reports are added for sudo, sudoedit and sudolist Access Rules.
  • New report added, Host Groups By Host Listing, that for a given host lists all the Host Groups the host is a member of.
  • New report added, Hostgroup Hosts Listing, that for a given Host Group lists all the hosts matching all the members in the Host Group. For example, if the Host Group has a pattern member "*", all hosts matching that pattern are listed in the report.
Enhancements
  • Exporting a report saves the report with a filename consisting of the report name and a timestamp.
  • A new command named brsinfo has been added to collect useful troubleshooting information. See the documentation set for details.
  • User Detailed Listing report:
    • New optional filter "username" added.
    • Fixed issue with large temp files on the server during report execution.
  • Support is added for TLS 1.3.
  • Default allowed TLS protocols are TLSv1.2 and TLSv1.3.

    Default allowed TLS cipher suites are TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (TLS 1.2) and TLS_AES_256_GCM_SHA384 (TLS 1.3).

  • The BRS application is now managed as a systemd service.
Fixes
  • Fixed an issue where brscmd could not write to all places on disk when SELinux was enabled.

  • Fixed a CSS vulnerability where an attacker performing a man-in-the-middle attack could inject a malicious URL and thereby retrieve information about a user session.
  • Removed all unsafe-inline in Content-Security-Policy header.
  • Fixed an issue where exported reports in PDF format could be cut off at the right hand side.
  • The default minimum password length for BRS users is increased from 6 to 10 characters.
  • Added a fix to set the SELinux security context for installation directories, resolving an issue with the process not starting on Red Hat/CentOS 8 with SELinux enabled.

April 2021

Version 8.0.0.5

April 22, 2021

  • Fixed a problem where the previous user database could not be re-used after an upgrade. This was an issue in the 8.0.0.3 and 8.0.0.4 releases.

  • Updated dependencies for Jetty, Spring and Spring Boot fixing the following reported vulnerabilities: CVE-2021-22112, CVE-2021-28165, CVE-2020-27218, CVE-2020-27223, CVE-2020-27216.

Version 7.2.0.6

April 22, 2021

  • Fixed an issue where users could not be deleted in the GUI. This was an issue in the 7.2.0.4 and 7.2.0.5 releases.

  • Fixed an issue where the user database from the previous version could not be re-used after an upgrade. This was an issue in the 7.2.0.4 and 7.2.0.5 releases.

  • Updated dependencies for Jetty, Spring and Spring Boot fixing the following reported vulnerabilities: CVE-2021-22112, CVE-2021-28165, CVE-2020-27218, CVE-2020-27223, CVE-2020-27216.

March 2021

Version 8.0.0.4

March 25, 2021

  • Fixed locking issues where the internal H2 database of BRS was shut down unnecessarily. The BRS server now keeps the H2 database running even when no active connections are performing database operations; the internal H2 database is shut down only when BRS itself shuts down.

  • Fixed an issue where, when exporting reports to PDF format, the report could have the right hand side cut off causing report data to not be visible.

Version 7.2.0.5

March 25, 2021

  • Fixed locking issues where the internal H2 database of BRS was shut down unnecessarily. The BRS server now keeps the H2 database running even when no active connections are performing database operations; the internal H2 database is shut down only when BRS itself shuts down.

  • Fixed an issue where, when exporting reports to PDF format, the report could have the right hand side cut off causing report data to not be visible.

November 2020

Version 8.0.0.3

November 3, 2020

  • CAS-0010219773 - 'unsafe-inline' excluded from Content-Security-Policy header.

  • The Content-Security-Policy header served by BoKS Reporting Services included the "script-src: 'unsafe-inline'" directive. This directive allows JavaScript included inline in the HTML page, which is otherwise blocked. Using it is not recommended and it is regarded as unsafe.

  • CAS-0010209467 - Issue with large temporary files

  • An improvement has been made to correct an issue with large temporary files on disk during import. Temporary files are still created in the tmp directory, but they are smaller, and the amount of data stored in the database has been reduced. The result is more efficient importing and a smaller database on disk.

  • Update of dependencies.

Version 7.2.0.4

November 3, 2020

  • CAS-0010219773 - 'unsafe-inline' excluded from Content-Security-Policy header.

  • The Content-Security-Policy header served by BoKS Reporting Services included the "script-src: 'unsafe-inline'" directive. This directive allows JavaScript included inline in the HTML page, which is otherwise blocked. Using it is not recommended and it is regarded as unsafe.

  • CAS-0010209467 - Issue with large temporary files

  • An improvement has been made to correct an issue with large temporary files on disk during import. Temporary files are still created in the tmp directory, but they are smaller, and the amount of data stored in the database has been reduced. The result is more efficient importing and a smaller database on disk.

  • Update of dependencies.
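The 'unsafe-inline' removal noted for 8.0.0.3 and 7.2.0.4 above (and again in 8.1) is the kind of change that is easy to verify from the outside by reading the served header. The following is an added example, not code from BoKS Reporting Services: a small Python checker that parses a Content-Security-Policy header, resolves the script-src and style-src directives (falling back to default-src as browsers do), and reports where 'unsafe-inline' is still in effect. The two header strings are constructed for illustration and are not the exact headers any BRS release sends. It also handles the caveat that a nonce or hash source in the same directive causes CSP level 2+ browsers to ignore 'unsafe-inline', so such a header is not flagged.

```python
"""Check a Content-Security-Policy header for an effective 'unsafe-inline'.

Added example; the headers below are constructed samples, not headers
captured from BoKS Reporting Services.
"""
from typing import Dict, List

# Constructed sample headers: the weak form with inline script allowed,
# and a hardened form with 'unsafe-inline' removed from every directive.
WEAK_CSP = ("default-src 'self'; script-src 'self' 'unsafe-inline'; "
            "style-src 'self' 'unsafe-inline'")
HARDENED_CSP = ("default-src 'self'; script-src 'self'; style-src 'self'; "
                "object-src 'none'; frame-ancestors 'none'")

# Source-expression prefixes that make browsers ignore 'unsafe-inline'
# in the same directive (CSP level 2 and later).
_OVERRIDING_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source expressions]}.

    Directives are ';'-separated; the first whitespace-separated token is
    the directive name and the rest are its source expressions. Names are
    case-insensitive, and a repeated directive keeps only its first
    occurrence, matching browser behaviour.
    """
    directives: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        directives.setdefault(name, sources)
    return directives


def effective_sources(directives: Dict[str, List[str]], name: str) -> List[str]:
    """Return the source list governing `name`, falling back to default-src."""
    if name in directives:
        return directives[name]
    return directives.get("default-src", [])


def allows_inline(sources: List[str]) -> bool:
    """True if 'unsafe-inline' is present and not neutralised by a nonce/hash."""
    lowered = [s.lower() for s in sources]
    if "'unsafe-inline'" not in lowered:
        return False
    return not any(s.startswith(_OVERRIDING_PREFIXES) for s in lowered)


def unsafe_inline_findings(header: str) -> List[str]:
    """Names of the directives (script-src, style-src) that still permit inline code."""
    directives = parse_csp(header)
    return [name for name in ("script-src", "style-src")
            if allows_inline(effective_sources(directives, name))]


if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(f"{label}: unsafe-inline effective in {unsafe_inline_findings(csp) or 'none'}")
```

In practice the header to check is whatever a `curl -I` against the BRS login page returns; a header with no script-src at all is judged by its default-src, which is why the checker falls back to it rather than reporting "no script-src" as safe.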

August 2020

Version 8.0.0.2

August 17, 2020

This release includes updated third-party components used in BoKS Reporting Services that had reported vulnerabilities.

The following libraries have been updated:

• jquery (3.5.1) CVE-2020-11022, CVE-2020-11023 (see also Advisory Note AN-1016)

• spring-security-core (5.2.8) CVE-2020-5408

• spring-web (5.2.8) CVE-2016-1000027

• spring-webmvc (5.2.8) CVE-2020-5397

• hibernate (5.4.19) CVE-2019-14900

• snakeyaml (1.26) CVE-2017-18640

• dom4j (2.1.3) CVE-2020-10683

• commons-codec (1.14) WS-2019-0379

• bouncycastle (1.64) CVE-2019-17359

• Bootstrap (4.3.1) CVE-2019-8331

Version 7.2.0.3

August 17, 2020

This release includes updated third-party components used in BoKS Reporting Services that had reported vulnerabilities.

The following libraries have been updated:

• jquery (3.5.1) CVE-2020-11022, CVE-2020-11023 (see also Advisory Note AN-1016)

• spring-security-core (5.2.8) CVE-2020-5408

• spring-web (5.2.8) CVE-2016-1000027

• spring-webmvc (5.2.8) CVE-2020-5397

• hibernate (5.4.19) CVE-2019-14900

• snakeyaml (1.26) CVE-2017-18640

• dom4j (2.1.3) CVE-2020-10683

• commons-codec (1.14) WS-2019-0379

• bouncycastle (1.64) CVE-2019-17359

• Bootstrap (4.3.1) CVE-2019-8331

June 2020

Version 8.0.0.1

June 1, 2020

  • This release includes a fix for a CSS vulnerability where an attacker performing a man-in-the-middle attack could inject a malicious URL and thereby retrieve information about a user session. See also Advisory Note AN-1015.

May 2020

Version 7.2.0.2

May 28, 2020

  • This release includes a fix for a CSS vulnerability where an attacker performing a man-in-the-middle attack could inject a malicious URL and thereby retrieve information about a user session. See also Advisory Note AN-1015.

December 2019

Version 8.0
NOTE: For system requirements including supported platforms, see the BoKS Reporting Services 8.0 Administrator's Guide.
New Features
  • Updated to support BoKS 8.0 features and functions.
Enhancements
  • Added a tar archive installation package, in addition to RPM.
  • The Domain Status page has added information about the database dump timestamp and file name.
  • The Rows per page setting is retained between report runs within a logged in session.
  • Users with the role "user" now have access to the Domain Status page.
  • A number of enhancements have been made to the JSON output for efficiency and readability:
    • New parameter "columnNames" that contains a list of the headers of the columns.
    • New parameter "filterParameters" (previously named "params").
    • Parameters "pageParams", "allParams" and "pageOrientation" have been removed.
    • Parameter "type" (used internally) now contains the short name of the report type.
    • Parameter "content" has a changed structure. The type specification ("[Ljava.lang.Object;") has been removed. It now contains a list of rows where each row is a list of the column values.

    Example output:

    {
      "type" : "UserClassListingReport",
      "dumpDate" : "2019-10-22 08:30:01",
      "title" : "User Class Listing",
      "columnNames" : [
        "User class",
        "Comment"
      ],
      "filterParameters" : {
        "Domain" : "Demo"
      },
      "content" : [
        [
          "CLASS_1",
          "First User Class"
        ],
        [
          "CLASS_2",
          "Second User Class"
        ],
        [
          "CLASS_3",
          "Third User Class"
        ]
      ]
    }

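The 8.0 JSON structure described above ("columnNames" plus a "content" list of row lists, with the old "[Ljava.lang.Object;" wrapper gone) is simple to consume, but a client should validate it rather than index blindly. The following is an added example, not code from BoKS Reporting Services: a Python consumer that loads a report in this structure, checks that every row has exactly as many values as there are column names, turns rows into dictionaries keyed by column name, and renders the report as CSV. The sample document embedded in it is a copy of the example output in these notes (the "Demo" domain and CLASS_n values are the notes' own sample data); the function names are this example's own.

```python
"""Consume a BoKS Reporting Services 8.0-style JSON report.

Added example; the sample document is copied from the release notes'
example output, and the function names here are not part of the BRS API.
"""
import csv
import io
import json
from typing import Any, Dict, List

# Sample report in the 8.0 JSON structure (copied from the release notes example).
SAMPLE_JSON = """
{
  "type" : "UserClassListingReport",
  "dumpDate" : "2019-10-22 08:30:01",
  "title" : "User Class Listing",
  "columnNames" : [ "User class", "Comment" ],
  "filterParameters" : { "Domain" : "Demo" },
  "content" : [
    [ "CLASS_1", "First User Class" ],
    [ "CLASS_2", "Second User Class" ],
    [ "CLASS_3", "Third User Class" ]
  ]
}
"""


def load_report(text: str) -> Dict[str, Any]:
    """Parse a report and validate the fields this consumer relies on.

    Raises ValueError if columnNames/content are missing, or if any row is
    not a list with exactly one value per column (which would also catch a
    pre-8.0 document still carrying the type-specification wrapper).
    """
    report = json.loads(text)
    for key in ("columnNames", "content"):
        if key not in report or not isinstance(report[key], list):
            raise ValueError(f"missing or malformed key: {key}")
    width = len(report["columnNames"])
    for i, row in enumerate(report["content"]):
        if not isinstance(row, list) or len(row) != width:
            raise ValueError(f"row {i} does not have {width} columns: {row!r}")
    return report


def rows_as_dicts(report: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Zip each content row with columnNames so values can be read by column name."""
    names = report["columnNames"]
    return [dict(zip(names, row)) for row in report["content"]]


def filter_rows(report: Dict[str, Any], column: str, value: Any) -> List[Dict[str, Any]]:
    """Rows whose value in `column` equals `value` (client-side post-filtering)."""
    if column not in report["columnNames"]:
        raise KeyError(f"unknown column: {column}")
    return [row for row in rows_as_dicts(report) if row[column] == value]


def to_csv(report: Dict[str, Any]) -> str:
    """Render the report as CSV: a header line of column names, then the rows."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(report["columnNames"])
    writer.writerows(report["content"])
    return buf.getvalue()


if __name__ == "__main__":
    rpt = load_report(SAMPLE_JSON)
    print(f"{rpt['title']} (dump {rpt['dumpDate']}, filters {rpt['filterParameters']})")
    print(to_csv(rpt))
```

Validating row width up front matters because the "content" rows are positional: a row that is one value short would otherwise silently shift every later column under the wrong header.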
Other Updates
  • BRS GUI reports can now display double quotation marks ".
  • User Class Access reports now filter out target users that do not exist in BoKS so that they do not appear in the reports.
  • In the REST API, if a JSON request generates an error, the error is returned in JSON format rather than html.
  • The only HTTP methods now allowed are GET, HEAD and POST, due to security issues with other methods.
  • HTTP requests are now redirected to HTTPS instead of giving an error message.
  • Upgrade of dependency libraries. Resolves the vulnerabilities:
    • CVE-2019-16335
    • CVE-2018-5968
    • CVE-2018-14718
    • CVE-2018-14719
    • CVE-2018-14720
    • CVE-2018-14721
    • CVE-2018-1000873
    • CVE-2019-16943
    • CVE-2019-14379
    • CVE-2019-12086
    • CVE-2019-14540
    • CVE-2019-14439
    • CVE-2018-19360
    • CVE-2018-19361
    • CVE-2018-19362
    • CVE-2019-12814
    • CVE-2019-16942
    • CVE-2019-12384
    • CVE-2018-15756
    • CVE-2019-10241
    • CVE-2019-10247
    • CVE-2018-14040
    • CVE-2018-14041
    • CVE-2018-14042

November 2019

Version 7.2.0.1
  • CAS-0010172880 - Performance improvements when importing the BoKS database.

  • Upgrade of dependencies that resolves the vulnerabilities CVE-2018-1000632, CVE-2018-15756, CVE-2019-3795.

  • The Host Group Members report now shows the actual members for a host group instead of the hosts matching the member expression.

  • If you have not installed BRS before, see the installation instructions in the BoKS Reporting Services 7.2 Administrator’s Guide. If you have already installed BRS 7.2, you can upgrade BRS 7.2 to 7.2.0.1 using the ‘rpm -U brs-7.2.0-1.noarch.rpm’ command. Note that you need to reapply any customizations you have made to the BRS user interface after upgrading.

November 2018

Version 7.2
NOTE: For system requirements including supported platforms, see the BoKS Reporting Services 7.2 Administrator's Guide.

BoKS Reporting Services is a new product that reports on access configuration and objects in the BoKS database, and can support multiple BoKS domains.

New Features
  • A reporting Graphical User Interface (GUI) can be used to run reports from the categories:
    • BoKS Objects
    • User Access
    • User Class Access
  • A high-performance embedded database is used to store BoKS reporting data.
  • Output reports in HTML, CSV and PDF formats from the GUI, plus JSON format via CURL or extension.
  • Includes a fully-documented REST API for flexibility running reports.
  • Support for customizing the logo in the BRS GUI and reports.
  • Helper programs make for smooth installation with flexible deployment scenarios ("pull" and "push").