Kofax MarkView 10.2.0 Fix Pack 5

Build Date: January 10, 2023

Introduction

You can install Kofax MarkView 10.2.0.5 to resolve the issues listed below.

Note: Install Kofax MarkView 10.2.0.5 only after a full installation of Kofax MarkView 10.2.0 or on top of any previously installed 10.2.0 fix packs.

For a full product installation, see the Kofax MarkView Installation Guide.

List of Issues Resolved in This Fix Pack

1908989: In mv_document table and other related MarkView tables, document_id values were too large for the column

1901513: When using the latest version of Google Chrome and Microsoft Edge, the Viewer did not always show Quick Info

1837361: Parameter checking added to improve security

1837347: Verification of incoming HTTP request and cookies attribute added to improve security

List of Issues Resolved in Previous Fix Packs

Issues Resolved in Fix Pack 4

1837338: Security Issue: Reflected cross-site scripting (High)

1837327: Security Issue: Blind SQL injection (High)

Issues Resolved in Fix Pack 3

1775786: Viewer does not display all layers of certain PDF files ingested through Import Server

1734105: AUSS experiencing major performance issues with synchronization

1734089: After applying Oracle patch for Log4j vulnerability, MarkView is negatively impacting core Oracle functionality

1700396: Errors When Approving An Invoice Via MarkView Mobile Link

1698723: 500 Internal Server error trying to update or create user record (Also typo 'comor' is being added to url in referrer)

1617511: After setting the preference MVERP_DFM_DEFAULT_AMOUNT to FALSE you can no longer add lines in the viewer

1599476: JBoss failing to start deployments after 10.1.0.3 is applied in SAML environment

1564109: Encountering an issue when coding an invoice with NON billable project coding

1515464: Need to convert the "mvap_ipa_pkg.RefreshPOTables" dbms job to Scheduler job

1447254: The wrong time is saved in the Date of Expenditure field

Issues Resolved in Fix Pack 2

1632114: Customer would like to have an option for MarkView Viewer to disable the delete (and edit) for distribution lines

1604453: Security Assessment - Cross-Site Request Forgery (527036)

1604447: Security Assessment - Privilege Escalation (527133, 527134)

1604440: Security Assessment - Privilege Escalation - Prev Entered Working Folder (527132)

1604438: Security Assessment - Cross-Site Scripting (XSS): Persistent (527049)

1589960: Markup Viewer Tool/Action Icons not displayed in the Viewer

1588877: Enhancement Request to add TLS 1.2 Support for Mail Gateway

1587250: MarkView Workflow Exception: The page needs to be refreshed because user updated the page error caused by mv_document.creation_timestamp updated to batch creation local time

1586839: When adding project details for an invoice line in MarkView, the ap_invoice_distributions_all.PA_ADDITION_FLAG flag in Oracle is not set correctly

1585959: End Users Who Click in Exp Type field without first entering a value in Project field cause a blind query

1584334: Import Server fails to import PDFs with embedded images or signed with Docusign

1583436: MarkView 10.2.0.2 Fix Pack Installer includes an option to select "Install Wildfly"

1580973: Auto escalations not working due to error ORA-01722: invalid number

1580935: User who is not owner experiences long delays opening document in viewer when workitem has had many actions / transitions

1580912: Accounting content does not load after deleting the line

1573032: Double copying occurs when multiple lines are selected using only the left mouse button held down

Issues Resolved in Fix Pack 1

1567860: Account coding - could not code using project details in MarkView Viewer

1567232: Added aliases were not displayed in the table in the Configure Accounting Aliases window

1559632: C&O: Support for RDBMS 19c (19.3) and Windows 2019 was to be added

1559297: The dependency on Oracle Java Advanced Imaging (JAI) was eliminated

1556527: Upgrading to MarkView 10.2 in an environment without Document Library resulted in broken packages MV_ADMIN_EXP_SERVER and MV_ADMIN_EXP_QUEUE

1554640: The httpclient library included vulnerabilities

1553594: Opening MV Home in the Chrome browser caused an error due to unacceptable characters in the input

1553592: GL Accounts could not be ordered by frequently or recently used

1547577: R12 Tax Field - MV Tax Regime LOV values were not similar to Oracle LOV values

1545503: When a user had an alternate user and then their work items were reassigned to a third user, that user could not save accounting line data after editing

1540323: MarkView users could not copy information from tables in Viewer

1538782: KTM Validation screen 'Match Receipt Lines' was showing the Fully Invoiced Releases

1538778: KTM Validation screen 'Match Receipt Lines' was showing 'CLOSED' releases

1538736: Invoices with 'Misc Costs' in their amount after the queue 'Waiting for Interface Processing' got stuck in 'Interface Processing Error'

1530143: AUSS was running slowly

1530138: An error handling vulnerability was detected

1530135: The jQuery library included vulnerabilities

1530087: Support for SAML using SHA256 was to be added

1530084: Users with the LOCALE_de group assigned could not assign an alternate user

1530080: When entering an OU into the invoice workbench in R12, after clicking Get Next an error was thrown

1530077: Oracle user names (USER_ID) longer than 30 characters resulted in error when opening the SFXRTINV form in Oracle Apps as that user

1530074: Oracle user names (USER_ID) longer than 30 characters resulted in error when opening the SFXPNDQS form in Oracle Apps as that user

1530071: Oracle user names (USER_ID) longer than 30 characters resulted in error when opening the Workflow Role Select form in Oracle Apps as that user

1530068: Oracle user names (USER_ID) longer than 30 characters resulted in error when opening the SFXWKFDR form in Oracle Apps as that user

1524675: Barcode Server and Mail Gateway did not support ODAC 19

1488665: The bcprov-ext-jdk15on library included vulnerabilities

1488622: The log4net library included vulnerabilities

Applies To

This fix pack is based on Kofax MarkView for Accounts Payable 10.2.0.

Only apply this fix pack to the MarkView 10.2.0 application server; do not run the fix pack installer on a MarkView Oracle Objects installation or on a Kofax Capture Output installation.

Verify that the version of all installed MarkView components (such as Self-Service Invoices, Document Library, Expenses) is 10.2.0.

For information about system requirements, see the Kofax MarkView 10.2.0 Planning Guide and the Technical Specifications document on the Kofax MarkView Product Documentation website.

Applying this fix pack multiple times on the same system causes no harm. Also, fix packs are cumulative for a release, so Kofax expects you to apply the latest fix pack on top of any previously installed 10.2.0 fix packs.

This fix pack includes files that are staged on the application server and that require manual steps, which are included in the sections that follow.

Files Included

This fix pack includes the following files:

File name	Version
KofaxMarkView-10.2.0.5.zip	10.2.0.5
ReadMe-KofaxMarkView-10.2.0.5.htm	10.2.0.5

Install This Fix Pack

Use the following procedures to install the fix pack.

MarkView Application Server Installation (includes Database Components)

Only apply this fix pack to the MarkView 10.2.0 application server.

Before starting the following procedure, read this entire ReadMe file.

Silent Installation Preparation

If you used the silent installation method to install MarkView 10.2.0 and you plan to use the same method to install the fix pack, do the following:

Go to the distribution > conf folder.
Open the preliminary_interview.properties file.
Complete the properties file information, but leave the SelectedProducts.selected_products parameter blank.
Run the generateInterviewTemplate script to create or update the installer_interview.properties file.
Open the installer_interview.properties file.
Complete the properties file information according to the Kofax MarkView 10.2.0 Upgrade Guide.

Apply the Fix

Log in to the application server as the user who installed MarkView 10.2.0.
Ensure that the environment variables required for installing MarkView 10.2.0 are defined.
See the Kofax MarkView 10.2.0 Upgrade Guide for information about setting environment variables and about settings required to run the installer.
Locate the base MarkView directory where MarkView is installed. Use this pathname when prompted for the "Install Directory" during installation.
The base MarkView install directory includes the following files:
- target_registry.properties
- thirdparty.txt
Extract the KofaxMarkView-10.2.0.5.zip file into a new directory on the application server where MarkView 10.2.0 is installed.
Verify that the system is quiet to ensure that the data remains synchronized.
Log in to an SQL*Plus command window as the MarkView schema user.
Stop the currently running database user jobs by executing the breakDBJobs.sql script, which is included in the following MarkView 10.2.0 installation distribution directory:
<MARKVIEW-10.2.0-INSTALLER>/modules/installer-dist-10.2.0/installer-db
where <MARKVIEW-10.2.0-INSTALLER> is the base directory of the MarkView 10.2.0 installation distribution.
To run the installer, invoke the installation script in the bin directory of the fix pack distribution (install.bat|sh or install_silent.bat|sh).
See the Kofax MarkView 10.2 Upgrade Guide for information about running the installer.
The installer shows a list of all 10.2.0 fixes in the fix pack.
Provide answers to any unspecified values in the installer windows.
Use values that match those provided during version 10.2.0 installation.
(If available, use the installation worksheet that was completed for MarkView 10.2.0.)
Note: Install the fix pack in the same target directory specified for the MarkView 10.2.0 installation.
If you run the installer and see pre-populated information for the wrong environment, such as production URLs when running against a non-production environment, update the fields manually in the installation window.
If you install this fix pack on WildFly, do one of the following:
- For standalone mode:
  In the Enter App Server information for MarkView applications, leave the Domain field blank.
- For domain mode:
  In the Enter App Server information for MarkView applications, enter your domain name in the Domain field.
When the installation is completed, follow any on-screen instructions that appear in the installation summary window.
Restart the application server.
To ensure that all database objects are compiled successfully, follow the instructions in "Check for Invalid Packages" in the Kofax MarkView 10.2 Upgrade Guide.
Log in to an SQL*Plus command window as the MarkView schema user.
Start database user jobs by executing the startDBJobs.sql script found in the following MarkView 10.2.0 installation distribution directory:
<MARKVIEW-10.2.0-INSTALLER>/modules/installer-dist-10.2.0/installer-db
where <MARKVIEW-10.2.0-INSTALLER> is the base directory of the MarkView 10.2.0 installation distribution.
In a clustered environment, point to one server, then propagate to other nodes in the cluster using the appropriate process for your application server.
If you plan to install the Import Server or you have Import Server 10.2, verify that you clear the Verify Upload option on the Import tab of the MarkView Import Server Preferences window.

Capture and Output components for MarkView 10.2.0

The following Capture and Output components for MarkView were updated as part of 10.2.0.2 Fix Pack.
Skip configuring these components if you have them set up during MarkView 10.2.0 Fix Pack 2 installation:

MarkView Import Server:
To install or upgrade the MarkView Import Server, run the msi file from:
<MARKVIEW-INSTALL-DIR>/misc/10.2.0/MVImport/MVImport.Installer.msi
Configure MarkView Import Server on a machine with KTM installed.
MarkView Mail Gateway:
To install or upgrade the MarkView Mail Gateway, run the msi file from:
<MARKVIEW-INSTALL-DIR>/misc/10.2.0/MailService/sfMailService.Installer.msi
Configure MarkView Mail Gateway on a machine with KTM installed.

Skip this procedure if you have MarkView 10.2.0 Fix Pack 1 installed.
Perform the following steps to provide the required support only for the scenario where Capture and Output components for Kofax MarkView work with RDBMS 19c and at the same time run on Windows Server 2019:

Install the ODAC1931_x64;
Install the Oracle Database 19c Client (19.3) for Microsoft Windows (32-bit):
1. Run the installer.
2. Select the Custom installation type.
3. On the Available Product Components page, select the following components:
  Oracle ODBC Driver
  Oracle Provider for OLE DB
  Oracle Data Provider for .NET
4. Install the product.
Register the Oracle.DataAccess.dll in the GAC by running the following commands in the CMD (use 32-bit CMD):

cd <Oracle Database 19c Client (32-bit) installation directory>\odp.net\bin\4
OraProvCfg.exe /action:ungac /providerpath:<Oracle Database 19c Client (32-bit) installation directory>\odp.net\bin\4\Oracle.DataAccess.dll
OraProvCfg.exe /action:ungac /providerpath:<Oracle Database 19c Client (32-bit) installation directory>\odp.net\PublisherPolicy\4\Policy.4.112.Oracle.DataAccess.dll
OraProvCfg.exe /action:ungac /providerpath:<Oracle Database 19c Client (32-bit) installation directory>\odp.net\PublisherPolicy\4\Policy.4.121.Oracle.DataAccess.dll

cd <Oracle Database 19c Client (32-bit) installation directory>\odp.net\bin\4
OraProvCfg.exe /action:gac /providerpath:<Oracle Database 19c Client (32-bit) installation directory>\odp.net\bin\4\Oracle.DataAccess.dll
OraProvCfg.exe /action:gac /providerpath:<Oracle Database 19c Client (32-bit) installation directory>\odp.net\PublisherPolicy\4\Policy.4.112.Oracle.DataAccess.dll
OraProvCfg.exe /action:gac /providerpath:<Oracle Database 19c Client (32-bit) installation directory>\odp.net\PublisherPolicy\4\Policy.4.121.Oracle.DataAccess.dll

cd <Oracle Database 19c Client (32-bit) installation directory>\odp.net\bin\2.x
OraProvCfg.exe /action:ungac /providerpath:<Oracle Database 19c Client (32-bit) installation directory>\odp.net\bin\2.x\Oracle.DataAccess.dll
OraProvCfg.exe /action:ungac /providerpath:<Oracle Database 19c Client (32-bit) installation directory>\odp.net\PublisherPolicy\2.x\Policy.2.102.Oracle.DataAccess.dll
OraProvCfg.exe /action:ungac /providerpath:<Oracle Database 19c Client (32-bit) installation directory>\odp.net\PublisherPolicy\2.x\Policy.2.111.Oracle.DataAccess.dll
OraProvCfg.exe /action:ungac /providerpath:<Oracle Database 19c Client (32-bit) installation directory>\odp.net\PublisherPolicy\2.x\Policy.2.112.Oracle.DataAccess.dll
OraProvCfg.exe /action:ungac /providerpath:<Oracle Database 19c Client (32-bit) installation directory>\odp.net\PublisherPolicy\2.x\Policy.2.121.Oracle.DataAccess.dll

cd <Oracle Database 19c Client (32-bit) installation directory>\odp.net\bin\2.x
OraProvCfg.exe /action:gac /providerpath:<Oracle Database 19c Client (32-bit) installation directory>\odp.net\bin\2.x\Oracle.DataAccess.dll
OraProvCfg.exe /action:gac /providerpath:<Oracle Database 19c Client (32-bit) installation directory>\odp.net\PublisherPolicy\2.x\Policy.2.102.Oracle.DataAccess.dll
OraProvCfg.exe /action:gac /providerpath:<Oracle Database 19c Client (32-bit) installation directory>\odp.net\PublisherPolicy\2.x\Policy.2.111.Oracle.DataAccess.dll
OraProvCfg.exe /action:gac /providerpath:<Oracle Database 19c Client (32-bit) installation directory>\odp.net\PublisherPolicy\2.x\Policy.2.112.Oracle.DataAccess.dll
OraProvCfg.exe /action:gac /providerpath:<Oracle Database 19c Client (32-bit) installation directory>\odp.net\PublisherPolicy\2.x\Policy.2.121.Oracle.DataAccess.dll
To install or upgrade MarkView Bar Code Server, run the msi file from:
<MARKVIEW-INSTALL-DIR</misc/10.2.0/FIX14539/MVBarcodeServer.Installer.msi
Configure MarkView BarCode Server on a machine with KTM installed.

MarkView Post-Installation Steps

Oracle Forms Integration

Apply FIX18102

Starting from version 10.2.0.5, the fix pack contains FIX18102 for the folowing bug:
Bug 1908989: In mv_document table and other related MarkView tables, document_id values are too large for the column

If you already applied this fix, skip the steps.

To apply FIX18102:

Log in to the operating system where the Oracle ERP server is installed as the owner of the Oracle ERP system.
Copy the MVOAUTIL.pll file from:
<MARKVIEW-INSTALL-DIR>/misc/10.2.0/FIX18102
To:
$c_MARKVIEW_TOP/MVOA/6.1.0.0/libraries
where <MARKVIEW-INSTALL-DIR> is the base directory where MarkView is installed.
Back up the previous version of $c_MARKVIEW_TOP/MVOA/<version_number>/libraries/MVOAUTIL.plx.
Compile MVOAUTIL.pll into MVOAUTIL.plx using your valid connection string value:

frmcmp userid=apps/apps-pw@connectstring module=$c_MARKVIEW_TOP/MVOA/<version_number>/libraries/MVOAUTIL.pll module_type=LIBRARY compile_all=YES
Note: If you copy and paste from this file, remove any line breaks.
Back up the previous version of $AU_TOP/resource/MVOAUTIL.plx.
Copy the MVOAUTIL.plx file from:
$c_MARKVIEW_TOP/MVOA/<version_number>/libraries
To:
$AU_TOP/resource

Apply FIX16695

Starting from version 10.2.0.3 the fix pack contains FIX16695 for the following bug:
Bug 1734089: After applying Oracle patch for Log4j vulnerability, MarkView is negatively impacting core Oracle functionality
If you already applied this fix, skip the steps.

To apply FIX16695:

Log in to the operating system where the Oracle ERP server is installed as the owner of the Oracle ERP system.
Change the directory to <MARKVIEW-INSTALL-DIR>/misc/10.2.0/FIX16695:

cd <MARKVIEW-INSTALL-DIR>/misc/10.2.0/FIX16695
where <MARKVIEW-INSTALL-DIR> is the base directory where MarkView is installed.
Extract the files from mvoa_patch.zip archive into $JAVA_TOP directory:

unzip -o -d $JAVA_TOP mvoa_patch.zip
Change the directory to $JAVA_TOP:

cd $JAVA_TOP
Optionally, remove log4j classes from $JAVA_TOP if they exist:

rm -f log4j.jar log4j.properties
rm -rf org/apache/log4j
rmdir --ignore-fail-on-non-empty org/apache org
For Oracle EBS 12.2.x only:
1. Back up the previous version of $JAVA_TOP/customall.jar file.
2. Run adcgnjar utility to recreate and sign $JAVA_TOP/customall.jar file:
  
  adcgnjar
  (Enter APPS schema name and password when prompted.)
Restart the Oracle ERP system.

Apply FIX12715

Starting from version 10.2.0.1, the fix pack contains FIX12715 for the following bugs:
Bug 1530068: Update SFXWKFDR form to allow for longer user names
Bug 1530071: 170 Workflow Role Select form no data found error is raised when opening if user name greater than 30 characters
Bug 1530074: Update SFXPNDQS form to allow for longer user names
Bug 1530077: Update SFXRTINV form to allow for longer user names
If you do not experience any of these issues or if you already applied this fix, skip the steps. You may skip the steps for any form which you do not use.

To apply FIX12715:

Log in to the operating system where the Oracle ERP server is installed as the owner of the Oracle ERP system.
Copy SFXWKFDR.fmb, SFXURSEL.fmb, SFXPNDQS.fmb, SFXRTINV.fmb files from:
<MARKVIEW-INSTALL-DIR>/misc/10.2.0/FIX12715
To:
$c_MARKVIEW_TOP/MVOA/6.1.0.0/forms
where <MARKVIEW-INSTALL-DIR> is the base directory where MarkView is installed.
Back up the previous versions of $c_MARKVIEW_TOP/MVOA/6.1.0.0/forms/*.fmx files.
Important: Add the AU_TOP/forms/US path to the FORMS_PATH variable:

FORMS_PATH=$FORMS_PATH:$AU_TOP/forms/US
Note: If you skip this step, the forms may be still successfully compiled but they may not work correctly.
Compile SFXWKFDR.fmb into SFXWKFDR.fmx using your valid connection string value:

frmcmp userid=apps/apps-pw@connectstring module=$c_MARKVIEW_TOP/MVOA/6.1.0.0/forms/SFXWKFDR.fmb module_type=FORM compile_all=YES
Note: If you copy and paste from this file, remove any line breaks.
Compile SFXURSEL.fmb into SFXURSEL.fmx using your valid connection string value:

frmcmp userid=apps/apps-pw@connectstring module=$c_MARKVIEW_TOP/MVOA/6.1.0.0/forms/SFXURSEL.fmb module_type=FORM compile_all=YES
Note: If you copy and paste from this file, remove any line breaks.
Compile SFXPNDQS.fmb into SFXPNDQS.fmx using your valid connection string value:

frmcmp userid=apps/apps-pw@connectstring module=$c_MARKVIEW_TOP/MVOA/6.1.0.0/forms/SFXPNDQS.fmb module_type=FORM compile_all=YES
Note: If you copy and paste from this file, remove any line breaks.
Compile SFXRTINV.fmb into SFXRTINV.fmx using your valid connection string value:

frmcmp userid=apps/apps-pw@connectstring module=$c_MARKVIEW_TOP/MVOA/6.1.0.0/forms/SFXRTINV.fmb module_type=FORM compile_all=YES
Note: If you copy and paste from this file, remove any line breaks.
Back up the previous versions of $c_MARKVIEW_TOP/forms/US/*.fmx files.
Copy the compiled SFXWKFDR.fmx, SFXURSEL.fmx, SFXPNDQS.fmx, SFXRTINV.fmx forms from:
$c_MARKVIEW_TOP/MVOA/6.1.0.0/forms
To:
$c_MARKVIEW_TOP/forms/US

Apply FIX8627

Starting from version 10.2.0.1, the fix pack contains FIX8627 for the following bug:
Bug 1530080: Connector invoices and MOAC responsibility - When entering an OU into the invoice workbench in R12 and then clicking Get Next, an error message pops up saying 'FRM-402020: Field must be entered'
If you do not experience the same issue or if you already applied this fix, skip the steps.

To apply FIX8627:

Log in to the operating system where the Oracle ERP server is installed as the owner of the Oracle ERP system.
Copy the MVOAUTIL.pll file from:
<MARKVIEW-INSTALL-DIR>/misc/10.2.0/FIX8627
To:
$c_MARKVIEW_TOP/MVOA/6.1.0.0/libraries
where <MARKVIEW-INSTALL-DIR> is the base directory where MarkView is installed.
Back up the previous version of $c_MARKVIEW_TOP/MVOA/6.1.0.0/libraries/MVOAUTIL.plx.
Compile MVOAUTIL.pll into MVOAUTIL.plx using your valid connection string value:

frmcmp userid=apps/apps-pw@connectstring module=$c_MARKVIEW_TOP/MVOA/6.1.0.0/libraries/MVOAUTIL.pll module_type=LIBRARY compile_all=YES
Note: If you copy and paste from this file, remove any line breaks.
Back up the previous version of $AU_TOP/resource/MVOAUTIL.plx.
Copy the MVOAUTIL.plx file from:
$c_MARKVIEW_TOP/MVOA/6.1.0.0/libraries
To:
$AU_TOP/resource

WildFly and FileNet Only

If you are installing this fix pack on a WebLogic Application Server, or if you do not use the FileNet server, skip this section.

If you are installing this fix pack on a WildFly Application Server and you use the FileNet server, perform the following post-installation steps:

Back up $JBOSS_HOME/standalone/configuration/standalone.xml.
Open $JBOSS_HOME/standalone/configuration/standalone.xml and locate the following tag:
<subsystem xmlns="urn:jboss:domain:security:1.2">
Within <subsystem xmlns="urn:jboss:domain:security:1.2">, locate the <security-domains> tag and add the following strings:

<security-domain name="FileNetP8WSI" cache-type="default">
<authentication>
<login-module code="com.filenet.api.util.WSILoginModule" flag="required"/>
</authentication>
</security-domain>
Save the file and restart the WildFly Application Server.

Issues Resolved in This Fix Pack

FIX18102 addresses COD18102

Bug 1908989: In mv_document table and other related MarkView tables, document_id values were too large for the column

Summary of changes: Changed type for some fields from NUMBER(8) to NUMBER(11).

Impact of changes: No additional impact.

Patch testing: It has been verified by modifying document ID with valid and invalid values.

FIX17893 addresses COD17893

Bug 1901513: When using the latest version of Google Chrome and Microsoft Edge, the Viewer did not always show Quick Info

Summary of changes: When using the latest version of Google Chrome and Microsoft Edge, the Viewer now always shows Quick Info.

Impact of changes: No additional impact.

Patch testing: It has been verified by opening, reloading, refreshing and redirecting to the Quick Info section in different browsers.

FIX17824 addresses COD17824

Bug 1837361: Parameter checking added to improve security

Summary of changes: Added checking of incoming request parameters.

Impact of changes: No additional impact.

Patch testing: It has been verified by sending valid and invalid request input values. All invalid input values are filtered out.

FIX17822 addresses COD17822

Bug 1837347: Verification of incoming HTTP request and cookies attribute added to improve security

Summary of changes: Added verification of incoming HTTP request for validity Origin and Referer headers. Added SameSite cookies attribute for MarkViewCookie.

Impact of changes: No additional impact.

Patch testing: It has been verified by using links in mails from external mailboxess and buttons from Oracle EBS to MarkView.

Issues Resolved in Previous Fix Packs

Issues Resolved in Fix Pack 4

FIX17821 addresses COD17821

Bug 1837338: Security Issue: Reflected cross-site scripting (High)

Summary of changes: The second parameter is forced to be validated by checking against the whitelist of the supported rule names. Now it is impossible to enter a JS snippet to build it into the response page and pass it over to the user. If the ruleName parameter shows up with an invalid value, an error page opens.

Impact of changes: No additional impact.

Patch testing: It has been verified that it is impossible to enter a JavaScript snippet to build it into the response page and pass it over to the user.

FIX17820 addresses COD17820

Bug 1837327: Security Issue: Blind SQL injection (High)

Summary of changes: As per the security recommendations, the input is validated and all invalid request input values are filtered out and not used in the underlying SQL queries.

Impact of changes: No additional impact.

Patch testing: It has been verified that all invalid request input values are filtered out and not used in the underlying SQL queries.

Issues Resolved in Fix Pack 3

FIX16837 addresses COD16837: "mvap_ipa_pkg.RefreshPOTables" dbms job converted to Scheduler job

Bug 1515464: Need to convert the "mvap_ipa_pkg.RefreshPOTables" dbms job to Scheduler job

Summary of changes: Changed the job creation script.

Impact of changes: No additional impact.

Patch testing: MVAP_REFRESH_IPA_PO_TABLES_JOB is present in Scheduler > Jobs and absent in Scheduler > DBMS jobs.
If the MVAP_APA_ENABLE_INTEGRATION preference is set to false, the MVAP_IPA_PO_HEADER and MVAP_IPA_PO_LINES tables are empty.
If the MVAP_APA_ENABLE_INTEGRATION preference is set to true, the MVAP_IPA_PO_HEADER and MVAP_IPA_PO_LINES tables are filled in with data.

FIX16695 addresses COD16695: MarkView classes in EBS JAVA_TOP do not directly depend on log4j library

Bug 1734089: After applying Oracle patch for Log4j vulnerability, MarkView is negatively impacting core Oracle functionality

Summary of changes: Changed MVFrameworkUtils.class and added Logger.class not to directly depend on the log4j library.

Impact of changes: No additional impact.

Patch testing: The impacted Oracle pages (Suppliers, Expenses) are opened without errors even if log4j classes are not on the EBS class path.

FIX16614 addresses COD16614: AUSS synchronization performance was improved

Bug 1734105: AUSS experiencing major performance issues with synchronization

Summary of changes: Updated several sql requests that impacted AUSS synchronization performance.

Impact of changes: No additional impact.

Patch testing: The AUSS synchronization (including first-time sync, all SS groups sync, force full sync, and one user sync) now takes much less time than earlier.

FIX16421 addresses COD16421: No errors when approving an invoice via MarkView Mobile link

Bug 1700396: Errors When Approving An Invoice Via MarkView Mobile Link

Summary of changes: Clearing messages at the end of the session.

Impact of changes: No additional impact.

Patch testing: No errors occur when approving an invoice via MarkView Mobile link.

FIX16326 addresses COD16326: Viewer displays all layers of certain PDF files ingested via Import Server

Bug 1775786: Viewer Does Not Display All Layers of Certain PDF Files Ingested via Import Server

Summary of changes: Added library for processing images with the JBIG compression.

Impact of changes: No additional impact.

Patch testing: Attached PDF files ingested via Import Server render correctly in MarkView.
Also, the regression testing was performed: TIFF and PDF files ingested via Import Server render correctly in MarkView.

FIX16125 addresses COD16125: Date of Expenditure now uses the UTC time

Bug 1447254: The wrong time is saved in the Date of Expenditure field

Summary of changes: Date of Expenditure is transformed from local time to the UTC format.

Impact of changes: No additional impact.

Patch testing:

Lines are added/edited/deleted and saved correctly without Date of Expenditure (when project fields are absent).
Date of Expenditure is added/edited/deleted and saved correctly and сorresponds to the value in Oracle.

The Line and Date of Expenditure behavior in Markview 10.2.0.5 is the same as in Markview 10.0.0.8.

FIX15464 addresses COD15464: Unexpected server error on User Profile update was resolved

Bug 1698723: 500 Internal Server error trying to update or create user record (Also typo 'comor' is being added to url in referrer)

Summary of changes: Added new filter to verify Origin/Referer http headers for the configured request. The previous fix for Bug 1501730 was removed as it was incorrect and caused a lot of issues.

Impact of changes: No additional impact.

Patch testing: A user can be created/deleted and the User Profile settings can be changed/saved on all supported browsers without any issues (FireFox 97.0, IE11, Google Chrome 98.0.4758.102).

FIX151255 addresses COD15255: It is possible to add lines if the preference MVERP_DFM_DEFAULT_AMOUNT is set to FALSE

Bug 1617511: After setting the preference MVERP_DFM_DEFAULT_AMOUNT to FALSE you can no longer add lines in the viewer

Summary of changes: If default amount settings are not set, the default amount is 0, not undefined.

Impact of changes: No additional impact.

Patch testing: Now a user can successfully add lines in MarkView Viewer when the preference MVERP_DFM_DEFAULT_AMOUNT is set to FALSE.

FIX14859 addresses COD14859: Specifying the dependency for core-apps.ear (JBoss)

Bug 1599476: JBoss failing to start deployments after 10.1.0.3 is applied in SAML environment

Summary of changes: Adding jboss-all.xml with the dependency on core-apps.ear/META_INF.

Impact of changes: No additional impact.

Patch testing: No errors occur after restarting Jboss EAP7.2 several times. Also, META-INF/jboss-all.xml exists in /projects/mvhome/markview/applications/core-apps.ear with the following contents:

FIX14578 addresses FIX14578: Passing Distribution Flexfield data to the procedure that derives Invoice Account for Project data

Bug 1564109: Encountering an issue when coding an invoice with NON billable project coding

Summary of changes: Passed Distribution Flexfield data into the Oracle pa_acc_gen_wf_pkg.ap_inv_generate_account.

Impact of changes: No additional impact.

Patch testing: Checked the proposed scenario and related areas.

Issues Resolved in Fix Pack 2

FIX15259 addresses COD15259: Customer has an option for MarkView Viewer to disable Delete and Edit for distribution lines

Bug 1632114: Customer would like to have an option for MarkView Viewer to disable the delete (and edit) for distribution lines

Summary of changes: A new preference VIEWER_DISABLE_DISTRIBUTION_ACTION was added. If the preference is set to TRUE, then edit, delete, and copy actions will be disabled for distributions in MarkView Viewer.

Impact of changes: No additional impact.

Patch testing: When the MarkView preference is set to TRUE on the system or user level, then Delete, Edit, and Copy buttons are disabled for distribution lines.

FIX15113 addresses COD15113: Several security vulnerability issues are resolved

Bug 1604438: Security Assessment - Cross-Site Scripting (XSS): Persistent (527049)

Bug 1604440: Security Assessment - Privilege Escalation - Prev Entered Working Folder (527132)

Bug 1604447: Security Assessment - Privilege Escalation (527133, 527134)

Bug 1604453: Security Assessment - Cross Site Request Forgery (527036)

Summary of changes:

A prevention mechanism is added to avoid malicious submission of the Unassign Alternate User form.
Verification of the user privileges is added for the Previously Entered Invoices page.
The 'IsAuthorized' flag is reset to FALSE in the GET_SECURITY joint points for APINVOICE and MVAP_RPT_SUPPLIER_WO_ATTACH inquires to disable access to these inquires for users who are not allowed to have the respective menu items.
Ensured that encoding of AUSS field values is not interpreted by the Sencha framework as part of the HTML code.

Impact of changes: No additional impact.

Patch testing: The following features have been verified:

A session-unique identifier was added to the unassign alternate user request to prevent cross-site request forgery.
Users not assigned to the MODULE ADMINISTRATOR, WEB INQUIRY, INTERACTIVE QUERIES, or MARKVIEW WEB ADMINISTRATOR groups have no access to the "AP Invoices" and "Suppliers with no MarkView Attachment During the Specified Period" inquires.
Users not included in the MODULE ADMINISTRATOR or PREVIOUSLY ENTERED INVOICES groups cannot open Previously Entered Working Folder.
HTML encoding is enabled on AUSS pages to avoid a potential user input execution.

FIX14860 addresses COD14860: Markup Viewer Tool/Action icons are displayed in the Viewer

Bug 1589960: Markup Viewer Tool/Action Icons not displayed in the Viewer

Summary of changes: Now the Viewer model includes base64 encoded EOT Kofax-Action-Icons font.

Impact of changes: No additional impact.

Patch testing: All icons are successfully displayed in MarkView Viewer when using a newly added font file with the Internet Explorer 11 browser.
Regression testing was performed for the Google Chrome and Microsoft Edge browsers.

FIX14857 addresses COD14857: PLSQL code does not update the creation_timestamp value in the mv_document table after it was initially set

Bug 1587250: The page needs to be refreshed because user updated the page error caused by mv_document.creation_timestamp updated to batch creation local time

Summary of changes: PLSQL code does not update the creation_timestamp value in the mv_document table after it was initially set.

Impact of changes: No additional impact.

Patch testing: Batch creation local time no longer updates the document creation timestamp.

FIX14849 addresses COD14849: When adding project details for an invoice line in MarkView, the ap_invoice_distributions_all.PA_ADDITION_FLAG flag in Oracle is set correctly

Bug 1586839: When adding project details for an invoice line in MarkView, the ap_invoice_distributions_all.PA_ADDITION_FLAG flag in Oracle is not set correctly

Summary of changes: "pa_addition_flag" is set to the correct value in the MarkView code.

Impact of changes: No additional impact.

Patch testing: The ap_invoice_distributions_all.PA_ADDITION_FLAG flag in Oracle is now set correctly when a user adds project details for an invoice line in MarkView.

FIX14841 addresses COD14841: Unnecessary Project blind queries on requesting ACD Project fields are eliminated

Bug 1585959: End Users Who Click in Exp Type field without first entering a value in Project field cause a blind query

Summary of changes: Unnecessary Project blind queries upon requesting ACD Project fields were eliminated.

Impact of changes: No additional impact.

Patch testing: No blind query is sent when a user clicks other project fields without filling in the "Project" field first.

FIX14823 addresses COD14823: The Import Server successfully imports PDF files with embedded images or signed with Docusign

Bug 1584334: Import Server fails to import PDFs with embedded images or signed with Docusign

Summary of changes: Implemented a repair for PDF files with errors.

Impact of changes: No additional impact.

Patch testing: The Import Server successfully imports PDF files from the customer.
Regression testing of the Import Server was also provided.

FIX14736 addresses COD14736: Auto escalations work under all conditions

Bug 1580973: Auto escalations not working due to error ORA-01722: invalid number

Summary of changes: Query predicate is updated to use to_char instead of problematic to_number.

Impact of changes: No additional impact.

Patch testing: No errors occur after running automatic escalations.

FIX14563 addresses COD14563: Some document loading delay is eliminated

Bug 1580935: User who is not owner experiences long delays opening document in viewer when workitem has had many actions / transitions

Summary of changes: Improved the performance of an SQL request for calculating document tools rights.

Impact of changes: No additional impact.

Patch testing: No performance problems occur when a user who is not an owner opens a document with numerous actions.

FIX13443 addresses COD13443: TLS 1.2 support for MailGateway is enabled

Bug 1588877: Enable TLS 1.2 support for MailGateway

Summary of changes: Third-party email library is replaced with Aspose Email for .NET, which supports TLS 1.2.

Impact of changes: No additional impact.

Patch testing: It has been verified that:
TLS1.2 is supported for MailGateway.
Smoke testing has been performed and the following features have been verified:

Approve/Reject action works correctly on the IMAP, POP3, and SMTP servers both with or without SSL on a proper address with proper credentials and with TLS and TLS1.2.
Approve/Reject action also works correctly with IMAP servers using different mailboxes, both with and without authentication, and with different preferred formats.
Connection has been tested for different servers.
New logging has been verified for the Outbound and Inbound service.
Regression testing has been performed: Approve/Reject action works correctly with TLS1.2 and IMAP with authentication.

Issues Resolved in Fix Pack 1

FIX14688 addresses FR14688: The possibility to copy information in Viewer was returned

Bug 1540323: MarkView users could not copy information from tables in Viewer

Summary of changes: The possibility to copy from main tables on the left side was added in MarkView Viewer.

Patch testing: It has been verified that a line or lines in all tables in the Viewer, including the Additional Details window, can be copied to clipboard. The functionality has been verified in all supported browsers (IE11, Chrome, FireFox, Edge).

FIX14663 addresses COD14663: The Configure Accounting Aliases window shows previously added aliases

Bug 1567232: Added aliases were not displayed in the table in the Configure Accounting Aliases window

Summary of changes: The SQL request was updated to support Oracle Database 11g.

Impact of changes: No additional impact.

Patch testing: It has been verified that now a user can see all the aliases added in the table in the Configure Accounting Aliases window.

FIX14650 addresses COD14650: Import Server: log4net.dll was updated to the 2.0.12.0 version to remove the vulnerabilities

Bug 1488622: The log4net library included vulnerabilities

Summary of changes: log4net.dll was updated (for Import Server).

Impact of changes: No additional impact.

Patch testing: It has been verified that the Import Server is installed and operates properly; the file log4net.dll has the correct version.

FIX14634 addresses COD14634: Coding GL Accounts using Project fields was restored

Bug 1567860: Account coding - could not code using project details in MarkView Viewer

Summary of changes: Calculating GL Account for items with Project fields was restored.

Impact of changes: No additional impact.

Patch testing: It has been verified that after entering/changing Project fields and saving a line/distribution, GL Account field is filled with the Project calculated account.

FIX14613 addresses FR14613: The dependency on Oracle Java Advanced Imaging (JAI) was eliminated

Bug 1559297: The dependency on Oracle Java Advanced Imaging (JAI) was to be eliminated

Summary of changes: Oracle Java Advanced Imaging (JAI) was changed to the Twelvemonkeys library.

Patch testing: It has been verified that MarkView can function without using JAI.
Regression testing in scope of image importing, loading and displaying for images with different resolution has been provided, including performance testing.

FIX14539 addresses COD14539: C&O: Support for RDBMS 19c (19.3) and Windows 2019 was added

Bug 1559632: C&O: Support for RDBMS 19c (19.3) and Windows 2019 was to be added

Summary of changes: The support for RDBMS 19c and Windows 2019 was added to MarkView Mail Gateway and Kofax MarkView Bar Code Server.

Impact of changes: No additional impact.

Patch testing: It has been verified that Capture and Output components installed on Windows 2019 connect to RDBMS 19c and work correctly.

FIX13502 addresses COD13502: Now you can upgrade to MarkView 10.2 without breaking packages MV_ADMIN_EXP_SERVER and MV_ADMIN_EXP_QUEUE, even if your environment does not have Document Library

Bug 1556527: Upgrading to MarkView 10.2 in an environment without Document Library resulted in broken packages MV_ADMIN_EXP_SERVER and MV_ADMIN_EXP_QUEUE

Summary of changes: Using functions from Document Library packages was removed.

Impact of changes: No additional impact.

Patch testing: It has been verified that there are no invalid packages in the environment that do not include Document Library.

FIX13433 addresses COD13433: Now MV Home can be reached in the Chrome browser

Bug 1553594: Opening MV Home in the Chrome browser caused an error due to unacceptable characters in the input

Summary of changes: Now request header parameters can be wrapped with double quotes.

Impact of changes: No additional impact.

Patch testing: Using Chrome, tried to reach the MarkView Home URL.

FIX13428 addresses COD13428: DFM User accounts are now ordered by most frequently or most recently used

Bug 1553592: GL Accounts could not be ordered by frequently or recently used

Summary of changes: The default sorting by the "Account" field for the GL Account list has been removed.

Impact of changes: No additional impact.

Patch testing: It has been verified that DFM User Frequent Accounts are now ordered by most frequently or most recently used GL Account codes by default.

FIX13352 addresses COD13352: The Alternate User functionality was improved

Bug 1545503: When a user had an alternate user and then their work items were reassigned to a third user, that user could not save accounting line data after editing

Summary of changes: The Alternate User functionality was improved; the "Reassign Document" action was updated to handle cases with Alternate Users.

Impact of changes: No additional impact.

Patch testing: It has been verified that invoices assigned to an alternate user and then reassigned are still successfully coded and distributed by the user they were reassigned to.

FIX13146 addresses COD13146: The AUSS performance issue was resolved

Bug 1530143: AUSS was running slowly

Summary of changes: The incorrect changes were reverted back.

Impact of changes: no additional impact.

Patch testing: Regression testing was performed.

FIX13082 addresses COD13082: A new preference allows selecting the statuses of receipt that should be shown in the MVAP_RECEIPTS_MV table

Bug 1538782: KTM Validation screen 'Match Receipt Lines' was showing the Fully Invoiced Releases

Summary of changes: A new preference MVERP_RECEIPTS_FILTER_CONDITION was added.
It contains a boolean expression to filter the list of receipt lines in the MVAP_RECEIPTS_MV table returned by the MVERP_RECEIPTS.RefreshReceiptsTable procedure. The preference is limited by 2000 characters.
The following set of predefined fields can be used in the expression: po_number, po_header_id, line_num, po_release_num, material_doc_num, material_doc_line_num, material_doc_year, movement_type, posting_date, document_date, material_number, description, quantity, unit_of_measure, receipt_total, delivery_note, bill_of_lading, ses_num, ses_line_num, invoicing_status.
By default, the preference value is empty.
For example, if you want to additionally exclude any OVER INVOICED and FULLY INVOICED receipts lines from the result set, you can use the following value: "INVOICING_STATUS not in ('FULLY INVOICED','OVER INVOICED')".

Impact of changes: No additional impact.

Patch testing: It has been verified that:

A new preference MVERP_RECEIPTS_FILTER_CONDITION was added and works correctly;
The performance of the MVAP_RECEIPTS_MV table has not significantly decreased.

FIX13080 addresses COD13080: KTM Validation screen 'Match Receipt Lines' is not showing 'CLOSED' releases any more

Bug 1538778: KTM Validation screen 'Match Receipt Lines' was showing 'CLOSED' releases

Summary of changes: The SQL query was changed to get the list of receipts without receipts for 'CLOSED' releases.

Impact of changes: No additional impact.

Patch testing: It has been verified that closed releases of a blanket PO have become unavailable for matching in KTM.

FIX12963 addresses COD12963: An error handling vulnerability was resolved

Bug 1530138: An error handling vulnerability was detected

Summary of changes: The HTTP response was changed to hide private data.

Impact of changes: No additional impact.

Patch testing: It has been verified that the HTTP responses do not disclose private data.

FIX12962 addresses COD12962: jQuery libraries were updated to the 3.5.0 version

Bug 1530135: The jQuery library included vulnerabilities

Summary of changes: All jQuery libraries were updated to the 3.5.0 version.

Impact of changes: No additional impact.

Patch testing: Regression testing of the following modules was passed: SSI, Invoice Audit, Mobile, Migration Utility, Authentication Configuration, Print from Viewer.

FIX12884 addresses COD12884: Users with LOCALE_de group assigned can assign an alternate user

Bug 1530084: Users with the LOCALE_de group assigned could not assign an alternate user

Summary of changes: UserID parameter was added to the standard header script for legacy UI generated in pl/sql - MVT_Web_Display_JS.DataValidation. Dates are validated considering the current user locale.

Impact of changes: No additional impact.

Patch testing: It has been verified that now a user with any locale can complete an alternate user assignment.
Also regression testing in scope of date validation in forms for Interactive Queries, Web Inquiry, SSI, Doc Library was provided with the German locale.

FIX12836 addresses COD12836: SAML was configured to use the Sha-256 algorithm instead of Sha-1

Bug 1530087: Support for SAML using SHA256 was to be added

Summary of changes: SAML was configured to use the Sha-256 algorithm.

Impact of changes: No additional impact.

Patch testing: It has been verified that the SAML still works in a local environment.

FIX12715 addresses COD12715: 170 Workflow forms now allow user names greater than 30 characters

Bug 1530068: Oracle user names (USER_ID) longer than 30 characters resulted in error when opening the SFXWKFDR form in Oracle Apps as that user

Bug 1530071: Oracle user names (USER_ID) longer than 30 characters resulted in error when opening the Workflow Role Select form in Oracle Apps as that user

Bug 1530074: Oracle user names (USER_ID) longer than 30 characters resulted in error when opening the SFXPNDQS form in Oracle Apps as that user

Bug 1530077: Oracle user names (USER_ID) longer than 30 characters resulted in error when opening the SFXRTINV form in Oracle Apps as that user

Summary of changes: Enlarged user name limit for 170 Workflow forms to 150 characters.

Impact of changes: No additional impact.

Patch testing: It has been verified that Working Folder, Pending, Role Select, and Returned Invoices work fine with big user names.

FIX10910 addresses COD10910: R12 Tax Field - MV Tax Regime LOV values are similar to Oracle LOV values

Bug 1547577: R12 Tax Field - MV Tax Regime LOV values were not similar to Oracle LOV values

Summary of changes: A new preference MVOA_ENABLE_TAXATION_COUNTRY_FILTER is created to control Taxation Country filtering with the default value set to TRUE.
If it is FALSE, Tax Regimes are not filtered by country code.

Impact of changes: No additional impact.

Patch testing: It has been verified, that the MVOA_ENABLE_TAXATION_COUNTRY_FILTER preference was added and works correctly:

if the MVOA_ENABLE_TAXATION_COUNTRY_FILTER = true (by default), Tax Regime LOV in MarkView is the same as it is on the Lines Tab and is filtered by Country Code;
if the MVOA_ENABLE_TAXATION_COUNTRY_FILTER = false, Tax Regime LOV in MarkView is the same as in Tax Details (a button below the list of lines) and is not filtered by Country Code;
Tax Jurisdictions LOV corresponds to Tax Regime and also depends on the MVOA_ENABLE_TAXATION_COUNTRY_FILTER.

FIX9760 addresses COD9760: Invoices with 'Misc Costs' in their amount are now processed properly

Bug 1538736: Invoices with 'Misc Costs' in their amount after the queue 'Waiting for Interface Processing' got stuck in 'Interface Processing Error'

Summary of changes: Dummy lines are deleted before validation to avoid double validation of dummy lines.

Impact of changes: No additional impact.

Patch testing: It has been verified that invoices with dummy lines after "Waiting for receipt" queue are validated correctly.
Smoke testing for KC/KTM was also provided: Several invoices of different types were imported from KTM to MarkView.

FIX8627 addresses COD8627: OU's are now entered the invoice workbench in R12 properly

Bug 1530080: When entering an OU into the invoice workbench in R12, after clicking Get Next an error was thrown

Summary of changes: MVOAUTIL library was updated to eliminate the error.

Impact of changes: No additional impact.

Patch testing: It has been verified that the Invoice workbench Get Next action loads the next invoice image and data correctly in case Multi-Org Access Control is enabled.