Kantega SSO Enterprise 5.3.x release notes

We are pleased to announce Kantega SSO Enterprise 5.3.

Read the upgrade notes for important information about updating to version 5 (if you are upgrading from 4.x), and see the full changelog below.

Compatible applications

Application | Compatible from version
--- | ---
Bamboo | 7.0.1
Bitbucket | 6.8.0
Confluence | 7.1.0
Jira | 8.6.0

Changelog

After the large fundamental changes in 5.0, we are now stabilizing and improving the product, while still adding new functionality and security fixes.

Changes in 5.3.0

January 11, 2022

Features

  • API tokens: Added REST API endpoints for managing API tokens.
    Documentation for the Kantega SSO REST API is available here:
    https://kantega-sso.atlassian.net/wiki/spaces/KSE/pages/936247327

  • SAML/OIDC managed auto-create users: match group memberships against user profile claims in the response, using the configured list of groups as a condition for user creation. This allows more fine-grained configuration of just-in-time provisioning.

Bug fixes

  • A "config update needed" warning was shown in a fresh installation even when no config update was needed

  • Updating the config from the Config status page in a fresh installation returned a 500 error page with a NullPointerException

Changes in 5.3.1

Version 5.3.1 was withdrawn due to a bug with Bouncy Castle in SAML.

Changes in 5.3.2

January 19, 2022.

This is a significant update of several dependencies.

During our last audit, we went through all of our source code and updated dependencies wherever possible to mitigate several security vulnerabilities. We use the org.owasp.dependency-check-maven plugin to scan our dependencies.
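As an added illustration (not Kantega's own build configuration), this is how an org.owasp.dependency-check-maven scan of the kind described above can be made to fail the build on high-severity findings, with a suppression entry that records a finding the team cannot fix itself, such as the host-provided Log4j issue (CVE-2020-9488) discussed further down. The plugin version, file path, CVSS threshold and expiry date are assumptions.

```xml
<!-- pom.xml, <build><plugins> section (assumed layout) -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>PLUGIN_VERSION</version> <!-- placeholder: pin a current release -->
  <configuration>
    <!-- Fail the build when any dependency has a finding with CVSS >= 7 -->
    <failBuildOnCVSS>7</failBuildOnCVSS>
    <!-- Keep scanning provided-scope artifacts (e.g. host-supplied Log4j):
         hiding them would hide the risk instead of documenting it -->
    <skipProvidedScope>false</skipProvidedScope>
    <suppressionFiles>
      <suppressionFile>dependency-check-suppressions.xml</suppressionFile>
    </suppressionFiles>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal> <!-- runs in the verify phase by default -->
      </goals>
    </execution>
  </executions>
</plugin>

<!-- dependency-check-suppressions.xml (assumed file name) -->
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- Time-boxed suppression: the entry expires and the finding reappears
       in the report after the given date, forcing a re-review -->
  <suppress until="2022-07-01Z">
    <notes><![CDATA[
      CVE-2020-9488: log4j 1.x is supplied by the Atlassian host application
      (provided scope); the plugin only logs through slf4j and cannot update
      the host's Log4j. Tracked as an upstream issue; re-check on expiry.
    ]]></notes>
    <!-- Match only the host-provided log4j artifact, not every dependency -->
    <packageUrl regex="true">^pkg:maven/log4j/log4j@.*$</packageUrl>
    <cve>CVE-2020-9488</cve>
  </suppress>
</suppressions>
```

The two fragments are separate files; the rationale in the notes element is what turns an accepted finding into an auditable decision rather than a silent exclusion.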

Improvements

  • Menu item styling is now applied persistently so that it is not overridden by styling plugins

Bug fixes

  • Update of configuration: when a config update failed, the update was run again unnecessarily from the Username From Header page

Dependency updates

Dependency | Updated from version | Updated to version | Description
--- | --- | --- | ---
com.github.spotbugs:spotbugs-maven-plugin@4.1.3 | 4.1.3 | 4.5.0.0 | Maven plugin wrapper for SpotBugs, used for static security analysis of source code
com.github.spotbugs:spotbugs | 4.1.4 | 4.5.2 | Static analysis tool used for security analysis of source code
com.google.guava:guava | 30.0-jre | 31.0.1-jre | 
org.slf4j:slf4j-log4j12 | 1.7.22 | 1.7.32 | Logging framework
org.slf4j:slf4j-api | 1.7.22 | 1.7.32 | Logging framework
org.eclipse.jetty:jetty-server | 9.4.35.v20201120 | 9.4.44.v20210927 | 
org.eclipse.jetty:jetty-servlet | 9.4.35.v20201120 | 9.4.44.v20210927 | 
com.squareup.okhttp3:okhttp | 4.9.1 | 4.9.3 | Library used to handle HTTP requests in OIDC
org.jetbrains.kotlin:kotlin-stdlib | 1.4.10 | 1.6.10 | Library used to handle HTTP components in okhttp
org.json:json | 20180813 | 20210307 | Library used for managing JSON objects
org.apache.commons:commons-lang | 2.x | org.apache.commons:commons-lang3@3.12.0 | Provided dependency with vulnerabilities, now drawn in explicitly
commons-io | [2.0, 2.4] | 2.11 | Vulnerabilities patched. See more details in the table under Security vulnerabilities fixed in update
commons-codec:commons-codec | 1.10 | 1.15 | Vulnerabilities patched. See more details in the table under Security vulnerabilities fixed in update
org.opensaml:opensaml-saml-impl | 3.4.5 | 3.4.6 | Updated to the latest version compatible with a Java 8 environment

Security vulnerabilities fixed in update

This section contains a table with more details on the updated libraries whose known vulnerabilities were fixed. The table has CVE/CWE references as well as descriptions.

Vulnerability | Vulnerable dependency | Fix update | Patched in 5.3.1 | Description
--- | --- | --- | --- | ---
CVE-2021-29425 | commons-io@[2.0, 2.4] | commons-io@2.11 | Patched | Updated dependency from both transitive libraries and
CWE-200, CVE-2020-13956 | commons-codec:commons-codec@1.10 | commons-codec:commons-codec@1.15 | Patched | Vulnerabilities were fixed in 1.13; we updated to 1.15.
CVE-2020-9488 | log4j 1.2.17 | N/A |  | Log4j is provided by the Atlassian host system as the Atlassian-managed fork of Log4j. We perform all our logging through the Slf4j framework, leaving the Log4j API version to the host system. This will have to be addressed by Atlassian.
CVE-2020-27223, CVE-2021-28163, CVE-2021-28165, CVE-2021-28169, CVE-2021-34428 | jetty-http-9.4.35.v20201120, jetty-server-9.4.35.v20201120 | org.eclipse.jetty:jetty-server@9.4.44.v20210927 | Patched | 
CVE-2021-28165 | jetty-io-9.4.35.v20201120 | org.eclipse.jetty@9.4.44.v20210927 | Patched | 
CVE-2020-15824, CVE-2020-29582 | kotlin-stdlib-common@1.4.0 | org.jetbrains.kotlin:kotlin-stdlib@1.6.10 | Patched | 