released April 2022
Java Security update 1.8.0_332
MSS contains the Thymeleaf library but it is not affected by the vulnerability reported in CVE-2021-43466. Nonetheless, in MSS 126.96.36.199, the Thymeleaf library was updated to a version where the reported vulnerability has been mitigated.
released February 2022
Updated log4j library to version 2.17.1 to mitigate CVE-2021-44832
Java Security update 1.8.0_322
Updated Apache Tomcat to v9.0.56
released December 2021
Updated log4j library to version 2.17.0 to mitigate CVE-2021-45105
released December 2021
Updated log4j library to version 2.16.0 to mitigate CVE-2021-44228 and CVE-2021-45046
released September 2021
All releases are cumulative, and contain the features introduced in earlier releases, including the version 13.1 updates.
TLS 1.3 connections
TLS 1.3 is now supported and enabled. Other TLS settings are available and vary with the type of connection being configured.
From the Reflection for the Web client to the host: None, TLS 1.3, TLS 1.2, or a range.
From Reflection for the Web client to MSS 12.8: TLS 1.3.
Refer to your browser’s documentation to ensure that TLS 1.3 is supported.
From the Reflection for the Web client to the MSS Security Proxy Server: TLS 1.3, TLS 1.2, or a range.
NOTE: TLS 1.0 is no longer supported
When upgrading, any Reflection for the Web sessions that previously had TLS 1.0 selected will be automatically updated to the range of TLS 1.3, TLS 1.2. Otherwise previous settings may remain intact.
TLS display in status bar
The Reflection for the Web status bar displays the configured TLS version and its historical identification in parentheses, such as TLSv1.3 (3.4) 128-bit AES SHA2. The historical version, (3.4) in this example, will likely be removed in a future release.
Assigned Sessions List
Beginning with version 13.2 (MSS 12.8), Reflection for the Web sessions are launched using the HTML-based MSS Assigned Sessions List, which requires the Reflection for the Web Launcher.
These technologies replace the Oracle JRE and the JRE’s browser plug-in, thereby enabling you to stay current with security updates while removing the need to pay Oracle for licensing.
Ability to centrally manage networking settings for the Reflection for the Web Launcher
Use the provided Reflection for the Web Installation Guide.along with technology to manage networking settings, such as those for a web proxy. For more information, see the
Note: When upgrading the Reflection for the Web product, you must also update the .
Support for SAML authentication using MSS
Updated JRE (Azul OpenJDK) to 1.8.0_302 in the RWeb Launcher and RWeb standalone. MSS also uses this version.
Updated Apache Tomcat to v9.0.52
Reflection for the Web includes Host Access Management and Security Server (MSS) to create, manage, and secure your host sessions. Versions must be compatible to implement security updates and other integrated functions.
When upgrading, be sure these components are updated to compatible versions:
Management and Security Server (MSS) 12.8: installed with Reflection for the Web 13.2
The Reflection for the Web automated installer provides the option to install both products as a chained installation.
Reflection for the Web Launcher: same version as the Reflection for the Web product (13.2)
See the Reflection for the Web Installation Guide for details about installing and distributing the Reflection for the Web Launcher.
Security Proxy: same <major>.<minor>.<update> version as MSS (12.8.<n>)
For information about using Management and Security Server, see the MSS Administrator Guide.
Some new features require a new way of working with Reflection for the Web. Check the list to see which features have changed in Reflection for the Web version 13.2 (MSS 12.8) and higher.
Ability to launch RWeb sessions using the Instead, use the Reflection for the Web Launcher.has been deprecated.
The Reflection for the Web MSS Assigned Sessions list.has been replaced with the
Ability to define and use(templates) has been removed.
Ability to specify the codebase and pluginspage attributes for the Object tag has been removed.
Ability to specifyfor the Reflection for the Web Launcher has been removed.
All Reflection for the Web sessions are now launched using the MSS Assigned Sessions list or by launching an *.MFJNLP file directly. This change includes the localized strings for the RWeb Launcher landing page.
Ability to configure and use Instead, individual sessions can be launched directly using a session link.has been removed.
Ability to configure and use Instead, all sessions are now framed.is no longer supported.
are no longer supported.
since Reflection for the Web 13.1 Hotfix 7:
Download clutter from the browser's caching of MFJNLP files has been resolved.
General issues surrounding Web Proxy support have been resolved.
For HP emulation, the destructive backspace now works correctly.
When using the Reflection for the Web Launcher, language selection now works correctly.
In the RWeb SDK, the keystoreLocation property now correctly reads the new BCFKS keystores.
If you encounter an issue in Reflection for the Web, contact Customer Support for assistance.
Long delays seen on headless platforms, particularly during installation or at product runtime, when using the RWeb SDK.
In some environments, such as headless server-based installations, cryptographic operations can strain the Java Virtual Machine's entropy source. An insufficient pool of entropy can result in long delays during server startup and at other times while additional entropy is collected.
To remedy the issue: Install either a hardware-based random number generator or a software-based entropy daemon, such as Haveged or Rng-tools. Note: Some platforms already install and enable an entropy service by default.
For more information, see the Knowledge base article, Ensuring Sufficient Entropy.
The upgrade process varies depending on the version you are upgrading from. For more information, refer to the Reflection for the Web Installation Guide.
When you run an evaluation copy, the product will be fully functional for 120 days. During that time you can install, configure, and test Reflection for the Web version 13.2.
Please contact Micro Focus or your authorized reseller to obtain the full-use version of the software.
Support resources include Knowledge Base articles and Contact Support information.
Reflection for the Web Documentation:
Management and Security Server (MSS) Documentation:
© Copyright 2022 Micro Focus or one of its affiliates.
The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.