released April 2024
Java Security update 1.8.0_412
Updated Spring to version 5.3.34 for the Reflection for the Web standalone installation to mitigate vulnerabilities in previous versions
released January 2024
Java Security update 1.8.0_402
Updated Tomcat to 9.0.75
Updated Spring to 5.3.29
Updated third-party libraries to address security issues and bug fixes
released November 2023
Java Security update 1.8.0_392
Updated Bouncy Castle cryptography libraries
Installer binaries are now signed using SHA-2
released September 2023
Java Security update 1.8.0_382
released April 2023
Java Security update 1.8.0_372
Apache commons-fileupload
If you are using the RWeb SDK, note that wrqtls12.jar has been renamed to wrqtls12-12.1.1.jar.
For any application that uses the RWeb SDK, you will need to update any CLASSPATH references accordingly.
released February 2023
Java Security update 1.8.0_362
When the Oracle Java Browser plug-in is used to launch Reflection for the Web — and the Java version is newer than October 2022 — some cryptographic operations will fail due to new constraints imposed by Java. Features adversely affected include X.509 authentication and OCSP. For more information, contact Customer Support.
If you use a multi-server installation (where MSS is hosted on a different machine than Reflection for the Web), on some networks it may be necessary to add a reference to MSS that refers to the Reflection for the Web server. To add a reference:
Open and edit MSSData\serverconfig.props.
Add a new property named RWebHost with a URL value that refers to the Reflection for the Web hostname and context value of /rweb-client.
Note: The URL must be formatted as a Java Properties value, which includes colons that are escaped.
Example: RWebHost=https\://hostname\:443/rweb-client
released November 2022
Updated Spring to version 5.3.23 for the Reflection for the Web standalone installation to mitigate vulnerabilities in lower versions
Java Security update 1.8.0_352
Contact Customer Support for assistance to mitigate the following vulnerabilities in Management and Security Server (MSS):
Apache commons-text CVE-2022-42889
Apache shiro-core CVE-2022-40664
JXPath CVE-2022-41852
released July 2022
Java Security update 1.8.0_342
released April 2022
Java Security update 1.8.0_332
released February 2022
Updated log4j library to version 2.17.1 to mitigate CVE-2021-44832, CVE-2021-45105, CVE-2021-44228, and CVE-2021-45046
Java Security update 1.8.0_322
released October 2021
Java Security update 1.8.0_312
released July 2021
Java Security update 1.8.0_302
released May 2021
Java Security update 1.8.0_292
Updated Apache Tomcat HTTP components
released January 2021
Java Security update 1.8.0_282
Updated Apache Tomcat to v9.0.39 for the remote/stand-alone installation of Reflection for the Web
released October 2020
Java Security update 1.8.0_272
Updated Tomcat, Spring, and Jackson libraries to the latest available security release for the remote/stand-alone installation of Reflection for the Web.
Added Reflection for the Web Launcher installers to the rweb-client.war file.
released September 2020
Resolved an HP emulation issue where a Host-initiated backspace incorrectly deletes screen content when the destructive backspace is enabled on the user's keyboard.
released July 2020
Java Security update 1.8.0_262
released June 2020
The keystoreLocation parameter correctly resolves the location of the private key and trust stores, when using the Reflection for the Web SDK.
released May 2020
All releases are cumulative, and contain the features introduced in earlier releases. See what’s new since version 13.0
The Reflection for the Web Launcher eliminates the requirement for Oracle Java and the Netscape Plugin API (NPAPI) for both administrators and end users.
Administrators: Session management in the MSS Administrative Console no longer requires Oracle Java or the NPAPI. Sessions can be created and edited using the Reflection for the Web Launcher.
End Users: Since version 13.0, workstations no longer require Oracle Java or the NPAPI to launch sessions.
When sessions are launched using the Reflection for the Web Launcher, a warning dialog is presented when the Links List Applet is closing and emulator sessions are still open, providing the user with the opportunity to abort the closure operation.
When an individual session is launched directly using the Reflection for the Web Launcher, a second window may appear for authentication purposes. Once authentication succeeds, the second window is automatically hidden.
Added a Windows shortcut for the Reflection for the Web Launcher Settings application, which provides configuration of the Reflection for the Web Launcher.
Updated Management and Security Server (MSS) to version 12.6 SP1, which is required to manage and secure your Reflection for the Web sessions.
Updated Apache Tomcat to v9.0.33 for the remote/stand-alone installation mode
Updated Java to the latest available security release: OpenJDK 1.8.0_252
Removed Apache Struts dependency. Reflection for the Web is now a Struts-free product.
since Reflection for the Web 13.0 Hotfix 5
Resolved Security Vulnerability: CVE-2020-1938. See 7024547 for details.
When using the Reflection for the Web Launcher, you can use:
– the custom protocol named mfjnlp
– authentication via smart-card based certificates
– transparent authentication via Windows Single Sign-On
– Metering via HTTPS
The Links List displays only Reflection for the Web session types.
Improved support for web proxies.
Restored the ability to generate static HTML for Reflection for the Web sessions in the MSS Administrative Console.
Resolved the opening of embedded sessions in multiple tabs of the browser.
A 500 error may be reported by the server when the Display Links List button is pressed when a session is launched directly.
Workaround: Refresh the browser page.
The upgrade process varies depending on the version you are upgrading from. For more information, refer to the Reflection for the Web Installation Guide - Upgrading.
The Reflection for the Web automated installer provides the option to install/upgrade both Reflection for the Web and the compatible version of MSS. Versions must be compatible to implement security updates and other functions.
Check to be sure these versions are compatible.
Reflection for the Web Launcher
When you upgrade Reflection for the Web, be sure to install the latest Reflection for the Web Launcher to be able to manage (Add or Edit) sessions in the MSS Administrative Console.
To update the Launcher, click DOWNLOAD when you launch a Reflection for the Web session, and run the installation wizard. See Installing the Reflection for the Web Launcher in the MSS Installation Guide.
MSS Add-on Products
The Security Proxy (or any MSS Add-on product) must be the same <major>.<minor>.<update> version as Management and Security Server (MSS). For example, when you upgrade to Reflection for the Web 13.1, which uses MSS version 12.6 SP1, be sure to upgrade the Security Proxy to version 12.6 SP1.
See the MSS Installation Guide -Upgrading for assistance.
When you run an evaluation copy, the product will be fully functional for 120 days. During that time you can install, configure, and test Reflection for the Web version 13.1.
Follow the installation steps in the Reflection for the Web Installation Guide, and then walk through the evaluation scenario presented in Evaluating Reflection for the Web.
Please contact Open Text or your authorized reseller to obtain the full-use version of the software.
Security Updates:
Support Resources
Support resources include Knowledge Base articles and Contact Support information.
Reflection for the Web Documentation:
Reflection for the Web Installation Guide
Reflection for the Web Reference Guide, includes:
Management and Security Server (MSS) Documentation:
MSS 12.6 SP1 Installation Guide
MSS 12.6 SP1 Administrator Guide (online Help)
© 2024 OpenText
The only warranties for products and services of Open Text and its affiliates and licensors (“Open Text”) are as may be set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Open Text shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.