BigMemory Max 4.4 Release Notes and Notifications
BigMemory Max delivers ultrafast access to hundreds of terabytes of in-memory data. BigMemory snaps into enterprise applications to deliver unmatched performance at any scale.
BigMemory Max supports a distributed in-memory data-storage topology, which enables the sharing of data among multiple caches and in-memory data stores in multiple JVMs. It uses a Terracotta Server Array to manage data that is shared by multiple application nodes in a cluster.
The Ehcache 2.x API can be used with BigMemory Max 4.x as a general-purpose cache/in-memory data store or a second-level cache for Hibernate. You can additionally integrate it with third-party products such as ColdFusion, Google App Engine, and Spring.
Current Release
BigMemory Max 4.4.0 (October 2022) is the latest release. It includes Ehcache 2.11.
Fixes are cumulative from version to version.
Deprecation Notice: As previously announced in February 2020, as of October 2021, the BigMemory WAN Replication module and Web Sessions products have been deprecated and are no longer distributed or updated as part of BigMemory products (any/all versions).
Feature Highlights
BigMemory Max 4.4.0 introduced the following new capabilities:
- Support for Java 11
- Support for RedHat EL9 (server)
- Support for Windows Server 2022
- Provide logs in JSON format for better searchability and performance
- Docker images with Logging as a service (LaaS) support
- Voter process now available with Docker image
- Various bug fixes and security fixes
- Contains all features and functionality included in BigMemory Max 4.3.x
Summary of Changes 4.4
4.4.0.1
- Release Date: 2022/11/04
- Resolved
  - none
- Security Updates to Third Party Libraries
  - [TAB-8200] Reflected Cross-Site Scripting
  - [TAB-8202] Improper Error Handling
  - [TAB-8203] Banner Grabbing
  - [TAB-8204] Server-side request forgery
  - [TAB-8241] Vulnerable 3rd Party Component Shiro used
  - [TAB-8226] Vulnerable 3rd Party Component Jackson Databind used
4.4.0.2
- Release Date: 2022/12/30
- Resolved
  - [TAB-8263] TMC shows blank page after installing Terracotta upgrade
  - [TAB-8261] Ascending function not working in terracotta query while fetching data.
- Security Updates to Third Party Libraries
  - none
4.4.0.3
- Release Date: 2023/02/10
- Resolved
  - none
- Security Updates to Third Party Libraries
  - [TAB-8280] Vulnerable 3rd Party Component shiro-core and jackson-databind updated
4.4.0.4
- Release Date: 2023/07/12
- Resolved
  - Update file containing docker image 3rd party components
- Security Updates to Third Party Libraries
  - [TAB-8393] CVE updates of json-smart
  - [TAB-8384] Vulnerable 3rd party component Guava updated
  - [TAB-8363] Vulnerable 3rd party component Eclipse-Jetty updated
  - Multiple 3rd party library updates
    - jetty 10.0.15
    - jackson-databind 2.15.2
    - jersey 2.39.1
    - guava 32.0.1-jre
    - csrfguard 4.3.0
    - logback 1.2.12
    - hamcrest 2.2
    - commons-io 2.13.0
    - jaxb-runtime 2.3.8
4.4.0.5
- Release Date: 2023/08/11
- Resolved
  - none
- Security Updates to Third Party Libraries
  - [TAB-8435][TAB-8436] Vulnerable 3rd party component Shiro updated
  - Other 3rd party library updates
    - guava
    - commons-codec
    - commons-lang3
    - jersey
4.4.0.6
- Release Date: 2023/10/04
- Resolved
  - [TAB-8276] Fix ConcurrentModificationException at org.terracotta.offheapstore.disk.storage.FileBackedStorageEngine.getOccupiedMemory
- Security Updates to Third Party Libraries
  - [TAB-8485] Vulnerable 3rd party component Eclipse Jetty updated to 10.0.16
4.4.0.7
- Release Date: 2023/10/24
- Resolved
  - none
- Security Updates to Third Party Libraries
  - Third-party library upgrades:
    - jetty to 10.0.17
    - jackson to 2.15.3
    - guava to 32.1.3-jre
    - commons-io to 2.14.0
    - rest-assured to 5.3.2
4.4.0.8
- Release Date: 2023/12/22
- [TAB-8521] Secure Setting on cookies from TMS
- [TAB-8522] Disable additional set of ciphers in TMS that are now considered weak
- [TAB-8523] Enforce more strict password policy for strong passwords
- [TAB-8288] Disallow HTTP v 1.0 protocol to TMS
4.4.0.9
- Release Date: 2024/02/03
- Resolved
  - [TAB-8544] The behavior of server-stat has changed after installing 4.4.0 Fix7
- Security Updates to Third Party Libraries
  - [TAB-8524] Http Security headers missing
  - [TAB-8529] High severity vulnerability in logback found in terracotta-toolkit-runtime-ee-4.4.0.7.7.jar
  - [TAB-8537] Vulnerable 3rd party component logback used
  - [TAB-8550] Vulnerable 3rd party component shiro used
  - [TAB-8556] Vulnerable 3rd party component logback-core used
  - Third-party library upgrades:
    - bytebuddy 1.14.11
    - byteman 4.0.22
    - commons-cli 1.6.0
    - commons-logging 1.3.0
    - guava 33.0.0-jre
    - jackson 2.16.1
    - jaxb-runtime 2.3.9
    - jersey 2.41
    - jetty 10.0.19
    - logback 1.2.13
    - rest-assured 5.4.0
    - shiro 1.13.0
4.4.0.10
- Release Date: 2024/02/23
- Resolved
  - none
- Security Updates to Third Party Libraries
  - [TAB-8673] Vulnerable 3rd party component json-path used
  - Third-party library upgrades:
    - json-path updated to 2.9.0
4.4.0.11
- Release Date: 2024/03/23
- Resolved
  - none
- Security Updates to Third Party Libraries
  - [TAB-8727] Vulnerable 3rd party component eclipse-jetty used
  - Third-party library upgrades:
    - eclipse-jetty updated to 10.0.20
Notes
- Terracotta BigMemory 4.x and Terracotta 10.x clients may be used simultaneously in the same application by ensuring ClassLoader isolation when initializing at least one of the clients.
Important Upgrade Information
The following information is contained in the readme.txt file included with each fix release and should be reviewed prior to applying any fix.
8.0 Installation
8.1 Shut down the server array. A safe shutdown procedure is as follows.
a. Shut down the mirror servers using the stop-tc-server script.
If you are using a wrapper solution to manage the mirror servers, execute
the wrapper shut down command to shut down the mirror servers instead of
using the stop-tc-server script.
b. Shut down the clients. A Terracotta client will shut down when you shut
down your application.
c. Shut down the active servers using the stop-tc-server script.
If you are using a wrapper solution to manage the servers, execute the
wrapper shut down command to shut down the servers instead of using the
stop-tc-server script.
8.2 This fix overwrites server scripts, wrapper configuration files and the
default tc-config.xml. If you have any custom settings defined in those files
(e.g. MaxDirectMemorySize), you need to restore those settings after
applying the fix.
8.3 Install the fix using the Software AG Update Manager.
For instructions, see Using the Software AG Update Manager located either in
the _documentation directory or on the documentation Web site at
http://documentation.softwareag.com.
8.4 The upgrade of the 3rd party library Shiro may create an issue for some users
that will require a manual configuration change to the "shiro.ini" file found in
the ".tc/mgmt" directory of the home folder of the user that the TMS/TMC
process runs as (~/.tc/mgmt/shiro.ini). Edit this file and restart the
TMS/TMC.
a. Blank browser page or a message from the browser indicating too many
redirects, or similar.
In the [urls] section of file ~/.tc/mgmt/shiro.ini, locate the line that
reads "/login.jsp = authc". Immediately above that line add the following
three lines:
    /401.jsp = anon
    /403.jsp = anon
    /404.html = anon
In the [main] section of file ~/.tc/mgmt/shiro.ini, add the following
line:
    [main]
    shiro.filterOncePerRequest=true
b. URLs containing a semicolon are blocked and a 400 client error is returned.
In the [main] section of file ~/.tc/mgmt/shiro.ini, add the following two
lines to the top of the section:
    [main]
    invalidRequest = org.apache.shiro.web.filter.InvalidRequestFilter
    invalidRequest.blockSemicolon = false
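The step 8.4a edit as an idempotent script, for checking or applying the change on several TMS/TMC hosts. This is an added example, not part of the readme or of any vendor tooling; the sample shiro.ini is constructed and the function name patch_shiro_ini is an assumption.

```python
import re

# Lines the readme's step 8.4a asks for.
ANON_RULES = ["/401.jsp = anon", "/403.jsp = anon", "/404.html = anon"]
MAIN_SETTING = "shiro.filterOncePerRequest=true"

# Constructed sample, not a real TMS/TMC shiro.ini.
SAMPLE = """[main]
authc.loginUrl = /login.jsp

[urls]
/login.jsp = authc
/** = authc
"""


def _norm(line):
    """Normalise an ini line so 'a = b' and 'a=b' compare equal."""
    return re.sub(r"\s*=\s*", "=", line.strip(), count=1)


def patch_shiro_ini(text):
    """Return the text with the step 8.4a lines present exactly once."""
    lines = text.splitlines()
    section, urls_seen, main_set = None, set(), False
    login_idx = main_idx = None
    for i, line in enumerate(lines):
        header = re.fullmatch(r"\[(\w+)\]", line.strip())
        if header:
            section = header.group(1)
            main_idx = i if section == "main" else main_idx
        elif section == "urls":
            urls_seen.add(_norm(line))
            if _norm(line) == "/login.jsp=authc":
                login_idx = i
        elif section == "main" and _norm(line) == MAIN_SETTING:
            main_set = True
    if login_idx is None or main_idx is None:
        raise ValueError("need a [main] section and '/login.jsp = authc' in [urls]")
    # Shiro evaluates [urls] top-down and the first match wins, so the anon
    # rules go immediately above /login.jsp, as the readme instructs.
    missing = [r for r in ANON_RULES if _norm(r) not in urls_seen]
    lines[login_idx:login_idx] = missing
    if not main_set:
        # Account for the shift if [main] sits below the inserted rules.
        at = main_idx + 1 + (len(missing) if main_idx > login_idx else 0)
        lines.insert(at, MAIN_SETTING)
    return "\n".join(lines) + "\n"
```

Step 8.4b is left out of the script: invalidRequest.blockSemicolon = false switches off a check that Shiro's InvalidRequestFilter applies by default, so add it by hand only on installations that actually show the 400 error described.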
9.0 Uninstallation
9.1 Shut down the server array. A safe shutdown procedure is as follows.
a. Shut down the mirror servers using the stop-tc-server script.
If you are using a wrapper solution to manage the mirror servers, execute
the wrapper shut down command to shut down the mirror servers instead of
using the stop-tc-server script.
b. Shut down the clients. A Terracotta client will shut down when you shut
down your application.
c. Shut down the active servers using the stop-tc-server script.
If you are using a wrapper solution to manage the servers, execute the
wrapper shut down command to shut down the servers instead of using the
stop-tc-server script.
9.2 Uninstall the fix using the Software AG Update Manager.
For instructions, see Using the Software AG Update Manager.
NOTE: This uninstall procedure can only be used to uninstall the most recently
installed fix. This action will revert your installation to the previously
installed fix. You cannot apply this uninstall procedure to the previously
installed fix.