Reflection for the Web - Release Notes

April 2024

1.0 Version 13.1 Hotfix 18

released April 2024

  • Java Security update 1.8.0_412

  • Updated Spring to version 5.3.34 for the Reflection for the Web standalone installation to mitigate vulnerabilities in previous versions

1.0 Version 13.1 Hotfix 17

released January 2024

  • Java Security update 1.8.0_402

  • Updated Tomcat to 9.0.75

  • Updated Spring to 5.3.29

  • Updated third-party libraries to address security issues and bug fixes

2.0 Version 13.1 Hotfix 16

released November 2023

  • Java Security update 1.8.0_392

  • Updated Bouncy Castle cryptography libraries

  • Installer binaries are now signed using SHA-2

3.0 Version 13.1 Hotfix 15

released September 2023

  • Java Security update 1.8.0_382

4.0 Version 13.1 Hotfix 14

released April 2023

  • Java Security update 1.8.0_372

  • Apache commons-fileupload

  • If you are using the RWeb SDK, note that wrqtls12.jar has been renamed to wrqtls12-12.1.1.jar.

    For any application that uses the RWeb SDK, you will need to update any CLASSPATH references accordingly.

5.0 Version 13.1 Hotfix 13

released February 2023

  • Java Security update 1.8.0_362

5.1 Known issues

  • When the Oracle Java Browser plug-in is used to launch Reflection for the Web — and the Java version is newer than October 2022 — some cryptographic operations will fail due to new constraints imposed by Java. Features adversely affected include X.509 authentication and OCSP. For more information, contact Customer Support.

  • If you use a multi-server installation (where MSS is hosted on a different machine than Reflection for the Web), on some networks it may be necessary to add a reference to MSS that refers to the Reflection for the Web server. To add a reference:

    1. Open and edit MSSData\serverconfig.props.

    2. Add a new property named RWebHost with a URL value that refers to the Reflection for the Web hostname and context value of /rweb-client.

      Note: The URL must be formatted as a Java Properties value, in which each colon is escaped with a backslash.

      Example: RWebHost=https\://hostname\:443/rweb-client
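The steps above can be scripted and checked. The following is an added example, not code from the product or its documentation: it writes the RWebHost entry with the colon escaping shown in the example line and then verifies the result. The function names and the sample file content are assumptions made for illustration; the scheme and port follow the page's example line.

```python
import re
from urllib.parse import urlsplit

KEY = "RWebHost"          # property name given in the release note
CONTEXT = "/rweb-client"  # context value given in the release note
SAMPLE = "# constructed sample, not a real serverconfig.props\nsome.existing.key=value\n"
_ENTRY = re.compile(rf"\s*{KEY}\s*[=:]")

def escape_value(value):
    """Escape a value the way java.util.Properties.store() writes it."""
    out = value.replace("\\", "\\\\")
    for ch in ":=#!":
        out = out.replace(ch, "\\" + ch)
    return out

def unescape_value(raw):
    """Undo simple backslash escapes (\\t, \\n and \\uXXXX are not handled here)."""
    return re.sub(r"\\(.)", r"\1", raw.strip())

def upsert_rwebhost(props_text, hostname, port=443):
    """Return props_text with exactly one RWebHost line for the RWeb server."""
    url = f"https://{hostname}:{port}{CONTEXT}"
    kept = [l for l in props_text.splitlines() if not _ENTRY.match(l)]
    return "\n".join(kept + [f"{KEY}={escape_value(url)}"]) + "\n"

def check_rwebhost(props_text):
    """Return a list of problems with the RWebHost entry (empty list means OK)."""
    hits = [l for l in props_text.splitlines() if _ENTRY.match(l)]
    if len(hits) != 1:
        return [f"expected exactly one {KEY} line, found {len(hits)}"]
    raw = re.split(r"[=:]", hits[0], maxsplit=1)[1].strip()
    problems = []
    if re.search(r"(?<!\\):", raw):          # colon without a preceding backslash
        problems.append("unescaped colon in value")
    url = urlsplit(unescape_value(raw))
    if not url.hostname:
        problems.append("no hostname in URL")
    if url.path.rstrip("/") != CONTEXT:
        problems.append(f"context is {url.path!r}, expected {CONTEXT!r}")
    return problems

if __name__ == "__main__":
    updated = upsert_rwebhost(SAMPLE, "hostname")
    print(updated, check_rwebhost(updated))
```

Run the check against a copy of the edited file before restarting MSS; an empty list means the entry has the escaped form and the /rweb-client context the note requires.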

6.0 Version 13.1 Hotfix 12

released November 2022

  • Updated Spring to version 5.3.23 for the Reflection for the Web standalone installation to mitigate vulnerabilities in lower versions

  • Java Security update 1.8.0_352

  • Contact Customer Support for assistance to mitigate the following vulnerabilities in Management and Security Server (MSS):

    • Apache commons-text CVE-2022-42889

    • Apache shiro-core CVE-2022-40664

    • JXPath CVE-2022-41852

7.0 Version 13.1 Hotfix 11

released July 2022

  • Java Security update 1.8.0_342

8.0 Version 13.1 Hotfix 10

released April 2022

  • Java Security update 1.8.0_332

9.0 Version 13.1 Hotfix 9

released February 2022

  • Updated log4j library to version 2.17.1 to mitigate CVE-2021-44832, CVE-2021-45105, CVE-2021-44228, and CVE-2021-45046

  • Java Security update 1.8.0_322

10.0 Version 13.1 Hotfix 8

released October 2021

  • Java Security update 1.8.0_312

11.0 Version 13.1 Hotfix 7

released July 2021

  • Java Security update 1.8.0_302

12.0 Version 13.1 Hotfix 6

released May 2021

  • Java Security update 1.8.0_292

  • Updated Apache Tomcat HTTP components

13.0 Version 13.1 Hotfix 5

released January 2021

  • Java Security update 1.8.0_282

  • Updated Apache Tomcat to v9.0.39 for the remote/stand-alone installation of Reflection for the Web

14.0 Version 13.1 Hotfix 4

released October 2020

  • Java Security update 1.8.0_272

  • Updated Tomcat, Spring, and Jackson libraries to the latest available security release for the remote/stand-alone installation of Reflection for the Web.

  • Added Reflection for the Web Launcher installers to the rweb-client.war file.

15.0 Version 13.1 Hotfix 3

released September 2020

Resolved issue:

  • Resolved an HP emulation issue where a Host-initiated backspace incorrectly deletes screen content when the destructive backspace is enabled on the user's keyboard.

16.0 Version 13.1 Hotfix 2

released July 2020

  • Java Security update 1.8.0_262

17.0 Version 13.1 Hotfix 1

released June 2020

Resolved issue:

  • The keystoreLocation parameter correctly resolves the location of the private key and trust stores when using the Reflection for the Web SDK.

18.0 Version 13.1

released May 2020

18.1 What’s New in 13.1

All releases are cumulative, and contain the features introduced in earlier releases. See what’s new since version 13.0.

New Features

  • The Reflection for the Web Launcher eliminates the requirement for Oracle Java and the Netscape Plugin API (NPAPI) for both administrators and end users.

    • Administrators: Session management in the MSS Administrative Console no longer requires Oracle Java or the NPAPI. Sessions can be created and edited using the Reflection for the Web Launcher.

    • End Users: Since version 13.0, workstations no longer require Oracle Java or the NPAPI to launch sessions.

  • When sessions are launched using the Reflection for the Web Launcher, a warning dialog is presented when the Links List Applet is closing and emulator sessions are still open, providing the user with the opportunity to abort the closure operation.

  • When an individual session is launched directly using the Reflection for the Web Launcher, a second window may appear for authentication purposes. Once authentication succeeds, the second window is automatically hidden.

  • Added a Windows shortcut for the Reflection for the Web Launcher Settings application, which provides configuration of the Reflection for the Web Launcher.

  • Updated Management and Security Server (MSS) to version 12.6 SP1, which is required to manage and secure your Reflection for the Web sessions.

Third-party software changes

  • Updated Apache Tomcat to v9.0.33 for the remote/stand-alone installation mode

  • Updated Java to the latest available security release: OpenJDK 1.8.0_252

  • Removed Apache Struts dependency. Reflection for the Web is now a Struts-free product.

18.2 Resolved issues

since Reflection for the Web 13.0 Hotfix 5

  • Resolved Security Vulnerability: CVE-2020-1938. See 7024547 for details.

  • When using the Reflection for the Web Launcher, you can use:

    – the custom protocol named mfjnlp

    – authentication via smart-card based certificates

    – transparent authentication via Windows Single Sign-On

    – Metering via HTTPS

  • The Links List displays only Reflection for the Web session types.

  • Improved support for web proxies.

  • Restored the ability to generate static HTML for Reflection for the Web sessions in the MSS Administrative Console.

  • Resolved the opening of embedded sessions in multiple tabs of the browser.

18.3 Known issue

  • A 500 error may be reported by the server when the Display Links List button is pressed when a session is launched directly.

    Workaround: Refresh the browser page.

19.0 About Upgrading

The upgrade process varies depending on the version you are upgrading from. For more information, refer to the Reflection for the Web Installation Guide - Upgrading.

The Reflection for the Web automated installer provides the option to install/upgrade both Reflection for the Web and the compatible version of MSS. Versions must be compatible to implement security updates and other functions.

19.1 Compatibility Requirements

Check to be sure these versions are compatible.

  • Reflection for the Web Launcher

    When you upgrade Reflection for the Web, be sure to install the latest Reflection for the Web Launcher to be able to manage (Add or Edit) sessions in the MSS Administrative Console.

    To update the Launcher, click DOWNLOAD when you launch a Reflection for the Web session, and run the installation wizard. See Installing the Reflection for the Web Launcher in the MSS Installation Guide.

  • MSS Add-on Products

    The Security Proxy (or any MSS Add-on product) must be the same <major>.<minor>.<update> version as Management and Security Server (MSS). For example, when you upgrade to Reflection for the Web 13.1, which uses MSS version 12.6 SP1, be sure to upgrade the Security Proxy to version 12.6 SP1.

    See the MSS Installation Guide - Upgrading for assistance.

20.0 If you are Evaluating

When you run an evaluation copy, the product will be fully functional for 120 days. During that time you can install, configure, and test Reflection for the Web version 13.1.

Follow the installation steps in the Reflection for the Web Installation Guide, and then walk through the evaluation scenario presented in Evaluating Reflection for the Web.

Please contact Open Text or your authorized reseller to obtain the full-use version of the software.

21.0 Resources

Security Updates:

Support Resources

Support resources include Knowledge Base articles and Contact Support information.

Reflection for the Web Documentation:

  • Reflection for the Web Installation Guide

  • Reflection for the Web Reference Guide, includes:

    • API and Scripting
    • Using ECL
    • Applet Attributes and Parameters
    • HTML Samples
    • Host-initiated RCL Support

Management and Security Server (MSS) Documentation: