I have this loaded in two different test environments and can confirm that at least the character combo crashes, checklist errors and Tomcat versions have been addressed.
Report back with your findings!
Was there a vulnerability in the Tomcat version?
https://nvd.nist.gov/vuln/detail/CVE-2024-52316
https://lists.apache.org/thread/lopzlqh91jj9n334g02om08sbysdb928
From the Release notes:
The severity is a bit misleading, as Apache rates this as low while GitHub and others classify it as critical.
Thanks for the info. It looks like we won't be affected if we don't use Jakarta Authentication then?
I take that back. 'java.com' will still crash the ticket/session, even if you wrap it in a quote or code block.
Are you getting any CSRF errors with 12.8.4? I'm hoping they resolved this issue in this version.
Yes, my lab seems to be clean of those now, but still plenty of "ERROR w.helpdesk.com.macsdesign.whd.daemon - Error while triggering session in com.macsdesign.whd.daemon.ServletPulseDaemon: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested targetjavax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" errors!!
Hmmm... any system crashes or just errors showing in the logs?
No crashes so far. Upgraded about 6 hours ago and have been pumping various test scenarios through. Errors are just being reported in the logs, just as frequently as the CSRF errors used to show.
Sounds promising! With 12.8.3 HF2 (currently), if too many CSRF errors happened our system would just hang. SolarWinds didn't think that was the issue, but that was the only correlation. No CSRF errors, no hang lol. The errors would just happen randomly, and we didn't have this issue with any other version. Welp... Guess I'll give this a shot tonight. Fingers crossed everything stays working!
Ticket 01819046 opened for this continued character issue.
I would assume as such, but because the method exists in general it may be exploitable whether intentionally used or not.
Everything seems good from my update last night. However, I'm getting "session is not valid" within a minute of being logged into the helpdesk. I have to keep logging back in. In the logs it's saying IP mismatch. Anybody else having this issue?
Are you behind a load balancer/proxy that might dynamically allocate IP addresses?
Yea our site points back to a reverse proxy.
As you came from 12.8.3+HF2 you may have missed this in HF3, which would apply to 12.8.4 as well.
Resolved issue with JVM argument to allow users to opt out of IP binding enforcement. Note: This fix is available in HF3 with the default configuration (no entry in the wrapper_template file).

JVM argument to allow users to opt out of IP binding enforcement

If you use an AWS load balancer or a sticky session and face an issue with session logout/termination and an error message "Terminating the Session due to IP mismatch" or "Session is not valid", follow the instructions below and add the required configuration file.

For Windows:
1. Navigate to the <WebHelpDesk>/bin/wrapper/conf directory.
2. Open the wrapper_template.conf file in a text editor and search for # Java Additional Parameters.
3. Add the below configuration at the end of the list and update the configuration number if required.
   wrapper.java.additional.20=-DskipIpBindingWithSession=true
4. Save and close the wrapper_template.conf file.
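One way to apply the step above on a Linux install as an idempotent script (added example, not SolarWinds' code; it assumes the Linux wrapper_template.conf uses the same "wrapper.java.additional.N=" layout as the Windows path quoted, and the sample file it creates is constructed):

```shell
#!/bin/sh
# Added example (not SolarWinds' code): apply the release-note step above to a
# Java Service Wrapper config without duplicating it or reusing an index.
# Assumptions: the Linux install keeps the same wrapper_template.conf layout as
# the Windows path quoted above; only "wrapper.java.additional.N=" lines count.
# Trade-off: the flag turns off the session-to-client-IP check, so it belongs
# only on installs where a proxy or balancer hides the real client address.

add_skip_ip_binding() {
    conf="$1"                      # path to wrapper_template.conf
    # Already present (active or commented out)? Leave the file alone.
    if grep -q 'skipIpBindingWithSession' "$conf"; then
        return 0
    fi
    # Highest wrapper.java.additional.N already in use; use N+1 so the new
    # entry does not silently override an existing parameter.
    max=$(sed -n 's/^wrapper\.java\.additional\.\([0-9][0-9]*\)=.*/\1/p' "$conf" \
          | sort -n | tail -n 1)
    next=$(( ${max:-0} + 1 ))
    cp "$conf" "$conf.bak"         # keep a copy; the service must be restarted afterwards
    printf 'wrapper.java.additional.%s=-DskipIpBindingWithSession=true\n' "$next" >> "$conf"
}

# True when the opt-out is present as an active (uncommented) entry.
skip_ip_binding_enabled() {
    grep -q '^wrapper\.java\.additional\.[0-9][0-9]*=-DskipIpBindingWithSession=true$' "$1"
}

# Constructed sample file (not a real WHD config) so the functions can be tried offline.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Java Additional Parameters
wrapper.java.additional.1=-Dfile.encoding=UTF-8
wrapper.java.additional.2=-Djava.awt.headless=true
EOF
    printf '%s\n' "$f"
}
```

Running `add_skip_ip_binding "$(make_sample_conf)"` appends the entry as index 3; a second run is a no-op.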
Thanks Pabely! Do you know if I need to reboot the helpdesk server after applying these changes?
Definitely yes. Any changes to the wrapper files require a reboot.
That worked! Much appreciated!
Our upgrade to v12.8.4 seems to be fine, but I do notice the license appearing to auto-activate nightly. Also weird that the license number references are nothing like our actual license in Setup > General > License. So I'm guessing it is some sort of distraction and just rubbish data triggering a false notification, perhaps daily for the expiry of the license???
We're getting the same repetitive messages about licensing so I presume it's a bug. Isn't this so much fun! We should get an award for enduring all the fun!
Hi, we use WHD on a Linux server.
I upgraded from 12.8.3+HF3 to 12.8.4 and now I get an error when I click on FAQs: 'Something went wrong'.
I already have created a case (01824266)
I have not experienced this issue, what did the support say?
Last Friday, support said:
I checked your logs, and there are a lot of database-related issues that appear. I think it would be best if we reinstall your WHD and restore from a database. Ref: Back up and restore the PostgreSQL database using the command line in Web Help Desk (WHD)
I have the same problem on our WHD Linux testserver as on our WHD Linux production server.
Now I will create a 3rd Linux server where SolarWinds will install WHD in a remote session.
Just for context, which flavor of Linux are you using?
Does anybody know the CSRF headers that the WebHelpDesk uses? We are behind a reverse proxy and keep getting "csrf token not found to compare" errors. Trying to resolve this issue, which has been a pain. Thanks!
Testing has gone fairly well on our test platform...EXCEPT for OAuth for outgoing M365 email. I was under the impression that this was fixed for x.8.4, but apparently not.
Hi jholzhey_bu, can you please raise a support ticket for the OAuth for outgoing mail, since we have fixed the issue. Thanks
We have implemented this by adding the relevant permissions to the EntraID registered app which is currently used for the inbound mail via OAuth, and it seems to work well.
Submitted a ticket yesterday. Support got back to me asking if we had created a new client secret. We didn't, but didn't know that could be an issue. The incoming mail, which uses the same account, using OAuth, is working fine. Waiting on their follow-up to that information.
I had to create a new secret because I did not have a record of the existing one (going back into EntraID it does not show it anymore).
I validated the Inbound connection with the new secret then used same details for the Outbound, validated and it was all good.
Obviously the new permission was added to Graph for "Mail.Send".
OK, thanks! That gives me hope!
Did you get a solution for this reported issue on your two Servers?
Hi,
Same error here, after update from 12.8.3+HF3 to 12.8.4.
alma linux 5.14.0-503.21.1.el9_5.x86_64
Which is interesting: for the clients, their FAQ page is working, just limited, of course, to their FAQs.
If I switch from my tech user to a client user, it's working for me too on those pages, also just limited.
What we recognized, after looking at the logs, is an issue which may be related:
It appears to be wanting to call a Java component jabsorb.jar but it cannot find this. Due to an error in the WHD 12.8.4 build this was omitted from the folder {webhelpdesk}\bin\webapps\helpdesk\WEB-INF\lib
We put it back from a backup, but it did not help.
Just realized we're seeing the exact same on both Prod and Test. Disabled auto-activate simply to avoid the message altogether, but this does give us one more thing to do manually at re-up time. Anyone submit a ticket for it?
Yes already have a case with Support and it has been acknowledged as a bug to be fixed in the upcoming 12.8.5 release.
SW asked us to reinstall WHD from scratch on our Linux box.
We did it; same error, the FAQ page is still not working.
Version is the latest: 12.8.4 - Build #12.8.4.628
We also have the "new license" messages issue, one message every day.
I also encountered a similar problem, but in the latest version 12.8.5 this jar package was not added back. Instead, there was a bug fix to delete this dependency (01835837).
And is the FAQ problem fixed? (Under Linux?)
Please raise a support ticket.