Release 1.11.0

Release Date: 22/09/2023

Key features

Self-Registering Addins

Customizing eSign's behavior has been greatly simplified, boosting productivity and reducing errors and configuration effort.

Developers can now develop and deploy custom Addins without having to register them explicitly in the configuration file or the database.

Find out about a faster way to develop here.

Analytics performance enhancements

Major optimizations and performance improvements in the Analytics APIs when handling large volumes of data, introduced with the Analytics V2 API.

Analytics Business Support Information

Improve your business support analytics by leveraging user domains, channels, and document types to gain more granular insight into user behavior and document interactions.

Read how here.

Safer eSign Viewer

Users can no longer download or print contracts from eSign's Document Viewer.

In previous versions the actual signed PDF could never be retrieved through the eSign Viewer, but users were still able to download or print the unsigned replica.
Starting with this version, not even the unsigned replica can be retrieved from the viewer: any form of the PDF can only be obtained through authorized means.

Support for IE11 was discontinued

To keep the product free of known CVEs in its dependencies, we had to upgrade our third-party frontend libraries to their latest versions. Unfortunately, most of those versions have dropped support for Internet Explorer.
(This also means that Edge in IE mode is no longer supported.)

Features

  • Major upgrades of frontend libraries (Bootstrap, PDF.JS, AngularJS, ...)

  • Upgraded the iText library for better PAdES compatibility and alignment with European legislation

  • Upgraded Tomcat version

  • Upgraded Swagger (to OpenAPI)

  • Multiple vulnerability fixes

Fixes

  • Audit reporting API

  • Internal error when logging a request with duplicate headers

  • Swagger vulnerability that allowed external Swagger definition files to be loaded into eSign's Swagger page

Security Vulnerabilities

Fixed vulnerabilities

Dependency                  Severity   Vulnerability

h2-1.4.199.jar              CRITICAL   CVE-2021-42392, CVE-2022-23221, CVE-2021-23463,
                                       CVE-2022-45868, CVE-2018-14335

kernel-7.1.18.jar           MEDIUM     CVE-2022-24196

liquibase-core-3.6.3.jar    CRITICAL   CVE-2022-0839

shiro-core-1.11.0.jar       CRITICAL   CVE-2023-34478
shiro-web-1.11.0.jar

Known vulnerabilities

Dependency   Severity   Vulnerability   Description

(no entries for this release)

Whitelisted vulnerabilities

Dependency          Vulnerability       Description

bcprov-jdk15on      CVE-2023-33201
  LDAP injection in the X.509 LDAP CertStore. This vulnerability only affects integrations with an LDAP CertStore, which is out of scope for eSign.

h2                  CVE-2022-45868
                    CVE-2018-14335
  These vulnerabilities only affect H2 databases, which are intended for demo purposes only and must not be used in production environments.

itext-core          CVE-2022-24198
  iText dismissed this CVE:
  "Vendor does not view this as a vulnerability and has not found it to be exploitable."
  https://nvd.nist.gov/vuln/detail/CVE-2022-24198

jackson-databind    CVE-2023-35116
  Stack exhaustion when parsing deeply nested input.
  "The vendor’s perspective is that the product is not intended for use with untrusted input."
  https://nvd.nist.gov/vuln/detail/CVE-2023-35116

quartz              CVE-2023-39017
  JNDI injection through the JMS job classes, disputed by the vendor. Quartz functionality is not exposed externally, and eSign provides no way to pass unchecked arguments to Quartz.

spring-web          CVE-2016-1000027
  Java deserialization in the HTTP invoker remoting endpoints. Spring dismissed this CVE:
  "The vendor’s position is that untrusted data is not an intended use case. The product’s behavior will not be changed because some users rely on deserialization of trusted data."
  https://nvd.nist.gov/vuln/detail/CVE-2016-1000027
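
The tables above split scanner findings into fixed, known and whitelisted, and the H2 entry shows that a whitelist rationale can depend on how the product is deployed. The script below is an added example, not eSign code, of how a build pipeline can enforce such a whitelist: it parses a constructed, simplified scan report (one entry per jar with CVE names and severities, not any specific scanner's real schema), maps jar file names like h2-1.4.199.jar back to an artifact and version, and fails on any CVE that is not whitelisted for the artifact, or that is whitelisted only for demo deployments when the build targets production. The jar versions in the sample report are placeholders.

```python
"""Gate a dependency-scan report on a documented CVE allowlist.

Added example; not part of eSign. The report format is a constructed,
simplified stand-in for a scanner's JSON output, and the allowlist
mirrors the whitelisted table in these release notes.
"""
import json
import re
from dataclasses import dataclass

# Allowlist keyed by (artifact name, CVE) with the documented rationale.
ALLOWLIST = {
    ("bcprov-jdk15on", "CVE-2023-33201"): "only affects LDAP CertStore integrations, not used by eSign",
    ("h2", "CVE-2022-45868"): "H2 is for demo use only",
    ("h2", "CVE-2018-14335"): "H2 is for demo use only",
    ("itext-core", "CVE-2022-24198"): "vendor does not consider it exploitable",
    ("jackson-databind", "CVE-2023-35116"): "untrusted input is not an intended use case",
    ("quartz", "CVE-2023-39017"): "Quartz is not exposed externally; no unchecked arguments reach it",
    ("spring-web", "CVE-2016-1000027"): "only trusted data is deserialized",
}

# Artifacts whose rationale holds only outside production (the H2 note above).
DEMO_ONLY = {"h2"}

# "name-1.2.3.jar" -> ("name", "1.2.3"); the artifact name may contain hyphens,
# so the version is the first hyphen-delimited component that starts with a digit.
_JAR_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d[^-]*)\.jar$")


def parse_jar_name(file_name: str) -> tuple[str, str]:
    m = _JAR_RE.match(file_name)
    if not m:
        raise ValueError(f"unrecognised jar name: {file_name}")
    return m.group("name"), m.group("version")


@dataclass(frozen=True)
class Finding:
    artifact: str
    version: str
    cve: str
    severity: str


def parse_report(report_json: str) -> list[Finding]:
    """Flatten the (constructed) report into one Finding per (jar, CVE)."""
    findings = []
    for dep in json.loads(report_json)["dependencies"]:
        artifact, version = parse_jar_name(dep["fileName"])
        for vuln in dep.get("vulnerabilities", []):
            findings.append(Finding(artifact, version, vuln["name"], vuln["severity"]))
    return findings


def evaluate(findings, profile, allowlist=ALLOWLIST, demo_only=DEMO_ONLY):
    """Split findings into (blocking, accepted) lists of (finding, reason).

    A finding is accepted only if its (artifact, CVE) pair is allowlisted AND
    the rationale applies to the deployment profile: a demo-only exception
    does not cover a production build.
    """
    blocking, accepted = [], []
    for f in findings:
        reason = allowlist.get((f.artifact, f.cve))
        if reason is None:
            blocking.append((f, "not allowlisted"))
        elif f.artifact in demo_only and profile == "production":
            blocking.append((f, "allowlisted for demo use only, but this is a production build"))
        else:
            accepted.append((f, reason))
    return blocking, accepted


def run_check(report_json: str, profile: str) -> tuple[list, list]:
    return evaluate(parse_report(report_json), profile)


# Constructed sample report; versions are placeholders. kernel-7.1.18.jar is the
# pre-fix iText artifact from the fixed table: if a scan still reports it, the
# upgrade did not land and the build must fail regardless of profile.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "h2-2.1.214.jar",
         "vulnerabilities": [{"name": "CVE-2022-45868", "severity": "HIGH"},
                             {"name": "CVE-2018-14335", "severity": "HIGH"}]},
        {"fileName": "spring-web-5.3.29.jar",
         "vulnerabilities": [{"name": "CVE-2016-1000027", "severity": "CRITICAL"}]},
        {"fileName": "kernel-7.1.18.jar",
         "vulnerabilities": [{"name": "CVE-2022-24196", "severity": "MEDIUM"}]},
        {"fileName": "bcprov-jdk15on-1.70.jar", "vulnerabilities": []},
    ]
})

if __name__ == "__main__":
    for profile in ("demo", "production"):
        blocking, accepted = run_check(SAMPLE_REPORT, profile)
        print(f"[{profile}] accepted={len(accepted)} blocking={len(blocking)}")
        for f, why in blocking:
            print(f"  BLOCK {f.artifact}-{f.version} {f.cve} ({f.severity}): {why}")
```

Run against the sample, the demo profile blocks only the stale iText kernel jar, while the production profile additionally blocks both H2 CVEs, because their whitelist rationale is that H2 is never deployed in production. Keying the allowlist on (artifact, CVE) rather than on CVE alone matters: the same CVE identifier can be reported against several jars, and a rationale written for one of them does not automatically transfer to the others.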

Upgrade Notes

Check the migration steps to understand how to upgrade.

Breaking Changes

See the complete list of breaking changes (from 1.10.x to 1.11.0), here.