Release 1.11.1

Release Date: 03/11/2023

Features

  • External document validation now detects lock actions, namely lock signatures.

  • Developers can now add custom Hibernate parameters to eSign datasource configurations.

  • Added friendly names to each datasource connection pool, allowing better troubleshooting when using monitoring tools or JMX directly.

  • New Analytics API method to retrieve metadata about analytics configurations.

Fixes

  • Added the ability to recover from temporary unavailability of Multicert services when they are used for signing with qualified certificates.

  • Fixed an issue introduced in 1.11.0 that prevented non-signature form fields from being rendered in eSign Viewer.

  • Fixed an issue where setting "server.viewer.ie11.force" to true caused a redirect to HTTP instead of HTTPS.

  • Fixed security vulnerabilities (see Security Vulnerabilities below).

Security Vulnerabilities

Fixed vulnerabilities

  Dependency    Severity    Vulnerability
  xmlsec.jar    MEDIUM      CVE-2023-44483

Known vulnerabilities

  Dependency    Severity    Vulnerability    Description

Whitelisted vulnerabilities

  Dependency: bcprov-jdk15on
  Vulnerability: CVE-2023-33201
  Description: This vulnerability only affects integrations with an LDAP CertStore, which is out of the scope of eSign.

  Dependency: h2
  Vulnerabilities: CVE-2022-45868, CVE-2018-14335
  Description: These vulnerabilities only affect H2 databases, which are intended for demo purposes only and must not be used in production environments.

  Dependency: itext-core
  Vulnerability: CVE-2022-24198
  Description: iText dismissed this CVE:
    "Vendor does not view this as a vulnerability and has not found it to be exploitable."
    https://nvd.nist.gov/vuln/detail/CVE-2022-24198

  Dependency: jackson-databind
  Vulnerability: CVE-2023-35116
  Description: The vendor dismissed this CVE:
    "The vendor’s perspective is that the product is not intended for use with untrusted input."
    https://nvd.nist.gov/vuln/detail/CVE-2023-35116

  Dependency: jose4j
  Vulnerability: CVE-2023-31582
  Description: This vulnerability does not affect eSign, because eSign does not allow the number of hashing iterations to be configured; it is fixed at a safe level.

  Dependency: quartz
  Vulnerability: CVE-2023-39017
  Description: Quartz functionality is not exposed to the outside, and eSign provides no way of passing unchecked arguments to Quartz.

  Dependency: spring-web
  Vulnerability: CVE-2016-1000027
  Description: Spring dismissed this CVE:
    "The vendor’s position is that untrusted data is not an intended use case. The product’s behavior will not be changed because some users rely on deserialization of trusted data."
    https://nvd.nist.gov/vuln/detail/CVE-2016-1000027
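The whitelist above is only as good as the conditions attached to it: the H2 entries, for instance, hold only while H2 stays out of production, and a whitelisted CVE reported against a different artifact than the one listed should not inherit the acceptance. The following added example (not part of eSign or of these release notes) is a small Python triage script that checks a dependency-scan report against the two tables for this release. The tab-separated report format, the deployment flag `h2_used_in_production`, the dependency names `example-lib` and `example-shaded-lib`, and the CVE placeholder `CVE-0000-0000` are all constructed for the example and are not real findings or eSign settings.

```python
"""Added example: triage a dependency-scan report against the 1.11.1 tables.
Not part of eSign; the report format and deployment flag are constructed."""
from dataclasses import dataclass

# Transcribed from the release notes: CVE -> (dependency it was accepted for, rationale).
WHITELIST = {
    "CVE-2023-33201": ("bcprov-jdk15on", "LDAP CertStore integration only; out of eSign scope"),
    "CVE-2022-45868": ("h2", "H2 is for demo use only; must not be used in production"),
    "CVE-2018-14335": ("h2", "H2 is for demo use only; must not be used in production"),
    "CVE-2022-24198": ("itext-core", "vendor does not consider it exploitable"),
    "CVE-2023-35116": ("jackson-databind", "product not intended for untrusted input"),
    "CVE-2023-31582": ("jose4j", "iteration count not configurable; fixed at a safe level"),
    "CVE-2023-39017": ("quartz", "Quartz not exposed externally; no unchecked arguments"),
    "CVE-2016-1000027": ("spring-web", "untrusted data is not an intended use case"),
}
# CVEs this release claims to have fixed; seeing one again means the upgrade did not take.
FIXED = {"CVE-2023-44483": "xmlsec.jar"}

# Whitelist rationales that hold only under a deployment condition. The key name is an
# assumption for this example, not an eSign configuration property.
CONDITIONAL = {
    "CVE-2022-45868": "h2_used_in_production",
    "CVE-2018-14335": "h2_used_in_production",
}


@dataclass(frozen=True)
class Finding:
    dependency: str
    cve: str
    severity: str


def parse_report(text: str) -> list[Finding]:
    """Parse the constructed report format: dependency<TAB>CVE<TAB>severity per line."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 3 or not parts[1].startswith("CVE-"):
            raise ValueError(f"malformed report line: {raw!r}")
        findings.append(Finding(parts[0], parts[1], parts[2].upper()))
    return findings


def triage(findings: list[Finding], deployment: dict) -> dict[str, list[Finding]]:
    """Bucket findings:
    regression   - a CVE this release claims fixed is still reported
    accepted     - whitelisted for the listed dependency and the rationale still holds
    reopened     - whitelisted, but the deployment violates the rationale's condition
    needs_review - unknown CVE, or a whitelisted CVE reported on a different dependency
    """
    result = {"regression": [], "accepted": [], "reopened": [], "needs_review": []}
    for f in findings:
        if f.cve in FIXED:
            result["regression"].append(f)
            continue
        entry = WHITELIST.get(f.cve)
        # The acceptance is dependency-specific: the same CVE in another artifact is not covered.
        if entry is None or entry[0] != f.dependency:
            result["needs_review"].append(f)
            continue
        condition = CONDITIONAL.get(f.cve)
        if condition and deployment.get(condition, False):
            result["reopened"].append(f)
        else:
            result["accepted"].append(f)
    return result


# Constructed sample report. The last two lines are placeholders, not real findings.
SAMPLE_REPORT = """\
# dependency\tcve\tseverity
h2\tCVE-2022-45868\tHIGH
bcprov-jdk15on\tCVE-2023-33201\tMEDIUM
xmlsec.jar\tCVE-2023-44483\tMEDIUM
example-shaded-lib\tCVE-2023-35116\tHIGH
example-lib\tCVE-0000-0000\tHIGH
"""


def triage_sample(h2_in_production: bool) -> dict[str, list[str]]:
    """Run the sample report through triage and return sorted CVE ids per bucket."""
    buckets = triage(parse_report(SAMPLE_REPORT), {"h2_used_in_production": h2_in_production})
    return {name: sorted(f.cve for f in fs) for name, fs in buckets.items()}


if __name__ == "__main__":
    for bucket, cves in triage_sample(h2_in_production=True).items():
        print(f"{bucket:13s} {', '.join(cves) or '-'}")
```

Run with `h2_used_in_production` set to true, the two H2 CVEs move from `accepted` to `reopened`, the xmlsec CVE is flagged as a regression because this release lists it as fixed, and the jackson-databind CVE reported against a different artifact lands in `needs_review` rather than being silently accepted.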

Upgrade Notes

If upgrading from 1.10.x, check the migration steps to understand how to upgrade.

Breaking Changes

No breaking changes from previous hotfix.