Hotfix 1.10.3

Release Date: 31/03/2023

Fixes

  • [Devops-34102] Fixes and improves date format parsing in all APIs (e.g. dates ending in Z are now supported).

  • [Devops-39307] Fixed an error that caused external references not to be preserved during bulk hash signature processes.

  • [Devops-39306] Fixed namespace references in SOAP bulk hash signing.

  • [Devops-38707, 38899] Enhanced support for password-protected documents.

Fixed vulnerabilities

| Vulnerability | Highest Severity | Description (CVE / advisory IDs) |
|---|---|---|
| owasp-java-html-sanitizer | CRITICAL | CVE-2021-42575 |
| jackson-databind | HIGH | CVE-2020-36518, CVE-2021-46877, CVE-2022-42003, CVE-2022-42004 |
| woodstox-core | HIGH | CVE-2022-40151, CVE-2022-40152 |
| imageio-metadata | CRITICAL | CVE-2021-23792 |
| cxf-core | CRITICAL | CVE-2022-46364, CVE-2022-46363 |
| log4j-core | MEDIUM | CVE-2021-44832 |
| xmlsec | HIGH | CVE-2021-40690, CVE-2019-12400 |
| shiro-core | CRITICAL | CVE-2022-32532, CVE-2022-40664, CVE-2023-22602 |
| shiro-web | CRITICAL | CVE-2022-40664, CVE-2022-32532 |
| tomcat-catalina | HIGH | CVE-2022-45143, CVE-2023-28708, CVE-2021-43980 |
| tomcat-coyote | HIGH | CVE-2022-42252, CVE-2021-43980 |
| tomcat-util | LOW | CVE-2021-43980 |
| velocity | HIGH | CVE-2020-13936 |
| bcprov-jdk15on | MEDIUM | CVE-2020-15522 |
| cryptacular | HIGH | CVE-2020-7226 |
| jersey-common | MEDIUM | CVE-2021-28168 |
| jakarta.el | MEDIUM | CVE-2021-28170 |
| hibernate-validator | MEDIUM | CVE-2020-10693 |
| postgresql | CRITICAL | CVE-2022-21724, CVE-2022-26520, CVE-2022-31197, CVE-2022-41946, GHSA-673j-qm5f-xpv8 |
| spring-beans | CRITICAL | CVE-2022-22965, GHSA-36p3-wjmg-h94x |
| spring-core | MEDIUM | CVE-2022-22968, CVE-2022-22970, CVE-2022-22971, CVE-2023-20861, GHSA-36p3-wjmg-h94x |
| spring-expression | MEDIUM | CVE-2022-22950 |
| spring-web | CRITICAL | CVE-2016-1000027 |
| snakeyaml | CRITICAL | CVE-2022-1471, CVE-2017-18640, CVE-2022-25857, CVE-2022-38749, CVE-2022-38750, CVE-2022-38751, CVE-2022-38752, CVE-2022-41854 |

Whitelist vulnerabilities

| Vulnerability | Description |
|---|---|
| CVE-2016-1000027 | This vulnerability was dismissed by Spring, with the vendor stating: "The vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data." https://nvd.nist.gov/vuln/detail/CVE-2016-1000027 |
| CVE-2021-23463, CVE-2021-42392, CVE-2022-23221, CVE-2022-45868, GHSA-h376-j262-vhq6 | These vulnerabilities only affect H2 databases, which are intended for demo purposes only and should not be used in production environments. |
| CVE-2022-0839 | This vulnerability does not affect eSign, as it does not support external inputs to Liquibase libraries. |

Upgrade Notes

If you are upgrading directly from 1.9.x, check the migration steps to understand how to upgrade.