Portrait 4.0.2

Released: Dec 15, 2021

CVE-2021-44228 and the subsequent CVE-2021-45046

This is our second release due to the Log4Shell vulnerability. While on Monday, Dec 13, 2021, Log4j 2.15 still seemed to be the solution, a new version was released soon after to avoid RCE in certain non-default configurations.

We therefore implement the latest version to be on the safe side, although our investigation still comes to the conclusion that Portrait was not at risk.

As announced in the Portrait 4.0.1 release notes, Elasticsearch was updated to benefit from their optimizations.

Backend

Updated Spring Boot to 2.5.7 and log4j to 2.16.
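To confirm which log4j-core version a deployed backend actually bundles, the following script inspects a Spring Boot fat jar and compares the nested log4j-core jar against the 2.16 minimum named in these notes. It is an added example, not code shipped with Portrait; it assumes the standard Spring Boot layout (nested jars under BOOT-INF/lib/), and the jar path, the helper names and the constructed sample jar are assumptions for demonstration.

```python
"""Report the log4j-core version bundled in a Spring Boot fat jar.

Added example (not part of Portrait). Assumes the Spring Boot fat-jar layout,
where dependencies sit under BOOT-INF/lib/ as nested jars.
"""
import io
import re
import sys
import zipfile
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Minimum version the release notes settle on for CVE-2021-44228 / CVE-2021-45046.
MIN_SAFE_VERSION: Version = (2, 16, 0)

# Matches "log4j-core-<major>.<minor>.<patch>.jar" at the top level or nested.
LOG4J_CORE_RE = re.compile(r"(?:^|/)log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def find_log4j_core_versions(jar_bytes: bytes) -> List[Version]:
    """Return every log4j-core version found by nested jar name (may be several)."""
    found: List[Version] = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = LOG4J_CORE_RE.search(name)
            if m:
                found.append((int(m.group(1)), int(m.group(2)), int(m.group(3))))
    return found


def assess(jar_bytes: bytes, minimum: Version = MIN_SAFE_VERSION) -> Tuple[str, List[Version]]:
    """Classify a jar as 'absent' (no log4j-core), 'ok' (all >= minimum) or 'vulnerable'."""
    versions = find_log4j_core_versions(jar_bytes)
    if not versions:
        return "absent", versions
    if all(v >= minimum for v in versions):
        return "ok", versions
    return "vulnerable", versions


def build_fake_fat_jar(log4j_version: Optional[str]) -> bytes:
    """Construct a minimal fat-jar-shaped zip for offline demonstration (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BOOT-INF/lib/spring-boot-2.5.7.jar", b"")
        if log4j_version is not None:
            zf.writestr(f"BOOT-INF/lib/log4j-core-{log4j_version}.jar", b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_log4j.py /path/to/portrait-backend.jar  (path is a placeholder)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_fake_fat_jar("2.15.0")  # constructed sample: still below 2.16
    status, versions = assess(data)
    print(status, [".".join(map(str, v)) for v in versions])
```

The check keys on the nested jar's file name, which is how Spring Boot packages dependencies; a copy of log4j-core that was shaded or relocated into another artifact would not be reported, so treat "absent" as "not found by name", not as proof the library is missing.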

Index

Updated and integrated Elasticsearch to 7.16.1.

You need to manually update the image tag from 7.13.0 to 7.16.1 in your docker-compose file. Example:

  image: docker.elastic.co/elasticsearch/elasticsearch:7.16.1

ELO connection configuration

Due to the new release strategy, it is no longer feasible to define the name and the version inside each ELO connection. The settings appVersion, appName and computerName were removed from the ELO connection config.

Old:

  - id: Repository
    type: ELO
    name: Repository
    username: Administrator
    password: 'qwerty'
    computerName: portraitserver
    runAs:
    url: 'http://eloserver:9090'
    path: '/ix-Repository/ix'
    appName: Portrait
    appVersion: 4.0.1

New:

  - id: Repository
    type: ELO
    name: Repository
    username: Administrator
    password: 'qwerty'
    runAs:
    url: 'http://eloserver:9090'
    path: '/ix-Repository/ix'

This is not a breaking change; no manual update of the application.yml file is needed.