Portfolio 3.6.3 and 4.0 were found to have a java reflection security issue that affected our Web Client scripting engine: CVE-2022-24252.
We resolved the issue in Portfolio 4.0.1 by disallowing the scripting engine from having read, write, and class loading access to specific locations and libraries.
This has the undesirable side effect of causing some Web Client scripts to fail when they are run.
If you find you have vital scripts that don’t run because of this update, you can enable scripting access to the restricted locations.
While cumbersome, it is possible to disable the security update, run the required scripts, then re-enable the update.
Enable scripting access on Windows Server
Open a Command Prompt or PowerShell window with Admin privileges.
In the Command Prompt window, type
notepad "%ProgramData%\Extensis\Portfolio Server\.preferences"
In the PowerShell window, type
notepad "$Env:ProgramData\Extensis\Portfolio Server\.preferences"
This will open the
.preferencesfile in Notepad.
Scroll to the end of the file and on a new line, type
then press Enter.
Press Ctrl-S to save the file, then exit Notepad.
Close the Command Prompt or PowerShell window.
Restart Portfolio for the change to take effect.
Enable scripting access on Macintosh
Open Terminal and type
pico /Library/Application\ Support/Extensis/Portfolio\ Server/.preferencesthen press Return.
This opens the
.preferencesfile in the pico editor.
Press Ctrl-V until the block cursor is on a new line at the end of the file (press Return if necessary to get an empty line).
server.scripting.allow.java.reflection=trueand press Return.
Press Ctrl-O then press Return to save the file.
Once the file is saved, press Ctrl-X to exit the pico editor.
Quit Terminal, then restart Portfolio for the change to take effect.