released January 2024
Management and Security Server (MSS) was updated to version 12.8.0.8.
Java Security update 1.8.0_402
Updated Tomcat to 9.0.75
Updated Spring to 5.3.29
Updated third party libraries to address security issues and bug fixes
released November 2023
Java Security update 1.8.0_392
Updated Bouncy Castle cryptography libraries
Installer binaries are now signed using SHA-2
released September 2023
Java Security update 1.8.0_382
released April 2023
Java Security update 1.8.0_372
Apache commons-fileupload
If you are using the RWeb SDK, note that wrqtls12.jar has been renamed to wrqtls12-12.1.1.jar.
For any application that uses the RWeb SDK, you will need to update any CLASSPATH references accordingly.
released February 2023
Java Security update 1.8.0_362
If you use a multi-server installation (where MSS is hosted on a different machine than Reflection for the Web), on some networks it may be necessary to add a reference to MSS that refers to the Reflection for the Web server. To add a reference:
Open and edit MSSData\serverconfig.props.
Add a new property named RWebHost with a URL value that refers to the Reflection for the Web hostname and context value of /rweb-client.
Note: The URL must be formatted as a Java Properties value, which includes colons that are escaped.
Example: RWebHost=https\://hostname\:443/rweb-client
released November 2022
Updated Spring to version 5.3.23 for the Reflection for the Web standalone installation to mitigate vulnerabilities in lower versions
Java Security update 1.8.0_352
Updated MSS to version 12.8.0.6, which includes these updates:
released July 2022
Java Security update 1.8.0_342
released April 2022
Java Security update 1.8.0_332
Thymeleaf CVE-2021-43466
MSS contains the Thymeleaf library but it is not affected by the vulnerability reported in CVE-2021-43466. Nonetheless, in MSS 12.8.0.4, the Thymeleaf library was updated to a version where the reported vulnerability has been mitigated.
released February 2022
Updated log4j library to version 2.17.1 to mitigate CVE-2021-44832
Java Security update 1.8.0_322
Updated Apache Tomcat to v9.0.56
released December 2021
Updated log4j library to version 2.17.0 to mitigate CVE-2021-45105
released December 2021
Updated log4j library to version 2.16.0 to mitigate CVE-2021-44228 and CVE-2021-45046
released September 2021
All releases are cumulative, and contain the features introduced in earlier releases, including the version 13.1 updates.
TLS 1.3 connections
TLS 1.3 is now supported and enabled. Other TLS settings are available and vary with the type of connection being configured.
From the Reflection for the Web client to the host: None, TLS 1.3, TLS 1.2, or a range.
From Reflection for the Web client to MSS 12.8: TLS 1.3.
Refer to your browser’s documentation to ensure that TLS 1.3 is supported.
From the Reflection for the Web client to the MSS Security Proxy Server: TLS 1.3, TLS 1.2, or a range.
NOTE: TLS 1.0 is no longer supported
When upgrading, any Reflection for the Web sessions that previously had TLS 1.0 selected will be automatically updated to the range of TLS 1.3, TLS 1.2. Otherwise previous settings may remain intact.
TLS display in status bar
The Reflection for the Web status bar displays the configured TLS version and its historical identification in parentheses, such as TLSv1.3 (3.4) 128-bit AES SHA2. The historical version, (3.4) in this example, will likely be removed in a future release.
Assigned Sessions List
Beginning with version 13.2 (MSS 12.8), Reflection for the Web sessions are launched using the HTML-based MSS Assigned Sessions List, which requires the Reflection for the Web Launcher.
These technologies replace the Oracle JRE and the JRE’s browser plug-in, thereby enabling you to stay current with security updates while removing the need to pay Oracle for licensing.
Ability to centrally manage networking settings for the Reflection for the Web Launcher
Use the provided Windows PowerShell script along with Microsoft Installer (MSI) technology to manage networking settings, such as those for a web proxy. For more information, see the Reflection for the Web Installation Guide.
Note: When upgrading the Reflection for the Web product, you must also update the Reflection for the Web Launcher.
Support for SAML authentication using MSS
Updated JRE (Azul OpenJDK) to 1.8.0_302 in the RWeb Launcher and RWeb standalone. MSS also uses this version.
Updated Apache Tomcat to v9.0.52
Reflection for the Web includes Host Access Management and Security Server (MSS) to create, manage, and secure your host sessions. Versions must be compatible to implement security updates and other integrated functions.
When upgrading, be sure these components are updated to compatible versions:
Management and Security Server (MSS) 12.8: installed with Reflection for the Web 13.2
The Reflection for the Web automated installer provides the option to install both products as a chained installation.
Reflection for the Web Launcher: same version as the Reflection for the Web product (13.2)
See the Reflection for the Web Installation Guide for details about installing and distributing the Reflection for the Web Launcher.
Security Proxy: same <major>.<minor>.<update> version as MSS (12.8.<n>)
For information about using Management and Security Server, see the MSS Administrator Guide.
Some new features require a new way of working with Reflection for the Web. Check the list to see which features have changed in Reflection for the Web version 13.2 (MSS 12.8) and higher.
Ability to launch RWeb sessions using the Oracle Java browser plugin has been deprecated. Instead, use the Reflection for the Web Launcher.
The Reflection for the Web links list has been replaced with the MSS Assigned Sessions list.
Ability to define and use Custom Login pages (templates) has been removed.
Ability to specify the codebase and pluginspage attributes for the Object tag has been removed.
Ability to specify launching modes for the Reflection for the Web Launcher has been removed.
All Reflection for the Web sessions are now launched using the MSS Assigned Sessions list or by launching an *.MFJNLP file directly. This change includes the localized strings for the RWeb Launcher landing page.
Ability to configure and use auto-launched sessions has been removed. Instead, individual sessions can be launched directly using a session link.
Ability to configure and use embedded sessions is no longer supported. Instead, all sessions are now framed.
The Java LiveConnect feature (Java to JavaScript bridge) is no longer supported.
Static unprotected sessions are no longer supported.
since Reflection for the Web 13.1 Hotfix 7:
Download clutter from the browser's caching of MFJNLP files has been resolved.
General issues surrounding Web Proxy support have been resolved.
For HP emulation, the destructive backspace now works correctly.
When using the Reflection for the Web Launcher, language selection now works correctly.
In the RWeb SDK, the keystoreLocation property now correctly reads the new BCFKS keystores.
If you encounter an issue in Reflection for the Web, contact Customer Support for assistance.
Long delays seen on headless platforms, particularly during installation or at product runtime, when using the RWeb SDK.
In some environments, such as headless server-based installations, cryptographic operations can strain the Java Virtual Machine's entropy source. An insufficient pool of entropy can result in long delays during server startup and at other times while additional entropy is collected.
To remedy the issue: Install either a hardware-based random number generator or a software-based entropy daemon, such as Haveged or Rng-tools. Note: Some platforms already install and enable an entropy service by default.
For more information, see the Knowledge base article, Ensuring Sufficient Entropy.
The upgrade process varies depending on the version you are upgrading from. For more information, refer to the Reflection for the Web Installation Guide.
Security Updates:
Support Resources
Support resources include Knowledge Base articles and Contact Support information.
Reflection for the Web Documentation:
Reference Guide, which includes:
Management and Security Server (MSS) Documentation:
MSS Administrator Guide (online Help)
© 2024 OpenText
The only warranties for products and services of Open Text and its affiliates and licensors (“Open Text”) are as may be set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Open Text shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.