HCL Commerce 9.1.14.1
Fix packs
HCL Commerce fix packs for Elasticsearch functionality will be made available between major releases, starting with 9.1.13.1, to provide important search-related updates. It is recommended to upgrade to the latest fix pack as it becomes available. Only certain images within the release are updated for fix pack releases. These updated containers, with modified fix pack file names, are intended to be used with the remaining original containers of the same release.
Release | Date | Updated containers |
---|---|---|
HCL Commerce 9.1.14.1 | October 25, 2023 | |
HCL Commerce 9.1.14.0 | September 19, 2023 | Full release. |
For a full list of the release files and their associated MD5 checksum values, see HCL Commerce eAssemblies.
Security updates
Affected software | CVE(s) | Vulnerability |
---|---|---|
WebSphere Application Server and IBM Java SDK | CVE-2022-40609, CVE-2023-21930, CVE-2023-21967, CVE-2023-21954, CVE-2023-21968, CVE-2023-21937, CVE-2023-21938, CVE-2023-35890, CVE-2023-22, CVE-2023-22049045, CVE-2023-22049 | Multiple vulnerabilities in IBM WebSphere Application Server and IBM Java SDK affect HCL Commerce |
Apache Lucene | WS-2021-0646 | A vulnerability in Apache Lucene affects HCL Commerce with Elasticsearch |
HCL Commerce | CVE-2023-37532 | A path traversal vulnerability affects HCL Commerce |
Important changes
HCL Commerce 9.1.14.1 contains the following important changes to site features and functionality.
- Before upgrading your deployment to HCL Commerce 9.1.14.0, you must consider the implications of the non-root user update. Not doing so can break your deployment. For more information, see HCL Commerce container users and privileges.
- After upgrading to HCL Commerce 9.1.14.0 with the Elasticsearch-based search solution, you must delete any existing boost scripts.
  - Run the following REST API calls to delete any existing scripts.
    DELETE - http://ESHOST:ESPORT/_scripts/boost-script-param-1
    DELETE - http://ESHOST:ESPORT/_scripts/boost-script-param-2
    DELETE - http://ESHOST:ESPORT/_scripts/boost-script-param-3
    Note: You can use the GET request method to check for existing scripts.
  - Restart the Query service to re-generate the appropriate boost scripts for this release.
- Management Center for HCL Commerce in all releases 9.1.12.0 and greater now reports business user analytics to HCL. This information assists HCL in the development of new features and the enhancement of existing business user tools.
  Note: Only high-level business user behaviors in new tools within Management Center are collected. No sensitive information about the user or the organization that owns the environment is captured or transmitted to HCL. Specifically, the URLs of the pages that business users access are logged. Event data such as the version of HCL Commerce and the deployment type, as well as generic information about the browser, are also collected. Google Analytics also captures general location information, if users have opted in through their browser settings.
  Important: When starting the Tooling Web Docker container in versions 9.1.12.0 through 9.1.14.0, you must set the container deployment type. Failure to do so will prevent the container from starting. Ensure that you set the deployment type via the DEPLOYMENT_TYPE container environment variable, or in Vault at the following path: ${VAULT_URL}/${TENANT}/${ENVIRONMENT}/deploymentType. Accepted values are development, staging, or production.
  The collection of this data can be disabled during deployment. For more information on disabling this data collection, see the following steps in the deployment documentation:
- Upgrading to HCL Commerce 9.1.14.1 with a social network OAuth 2.0 login integration that was configured prior to 9.1.7.0 requires changes to be made for the integration to continue working. If no action is taken, the integration will cease to function.
- From HCL Commerce version 9.1.10.0 onwards, Spring is upgraded from version 4.x to version 5.x. You must update your existing spring-extension.xml Spring configuration file with the supportedMethods property and the associated values of GET and POST.
  For example:
    <bean id="/GetRootManagedDirectory" class="org.springframework.web.servlet.mvc.ParameterizableViewController">
        <property name="viewName" value="/jsp/commerce/attachment/restricted/GetRootManagedDirectory.jsp"/>
        <property name="supportedMethods" value="GET,POST"/>
    </bean>
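The boost-script cleanup described above (check with GET, DELETE, then confirm) can be scripted. This is an added example, not HCL's tooling: it assumes the unauthenticated HTTP endpoint shown in the page's URLs and the standard Elasticsearch stored-script responses (200 when a script exists or is deleted, 404 when it is absent). `FakeCluster` is a constructed stand-in so the block runs offline.

```python
import sys
import urllib.error
import urllib.request

BOOST_SCRIPT_IDS = [f"boost-script-param-{n}" for n in (1, 2, 3)]  # ids from the page

def http_status(method, url):
    """Default transport: send one request, return its HTTP status code."""
    request = urllib.request.Request(url, method=method)
    try:
        with urllib.request.urlopen(request, timeout=10) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code

class FakeCluster:
    """Constructed stand-in for Elasticsearch so the example runs offline."""
    def __init__(self, stored):
        self.stored = set(stored)
    def __call__(self, method, url):
        script_id = url.rsplit("/", 1)[-1]
        if script_id not in self.stored:
            return 404
        if method == "DELETE":
            self.stored.discard(script_id)
        return 200

def purge_boost_scripts(base_url, send=http_status):
    """GET each script, DELETE it if stored, then GET again to confirm removal."""
    outcome = {}
    for script_id in BOOST_SCRIPT_IDS:
        url = f"{base_url.rstrip('/')}/_scripts/{script_id}"
        status = send("GET", url)
        if status == 404:
            outcome[script_id] = "absent"
        elif status != 200:
            outcome[script_id] = f"check failed (HTTP {status})"
        elif send("DELETE", url) == 200 and send("GET", url) == 404:
            outcome[script_id] = "deleted"
        else:
            outcome[script_id] = "delete failed"
    return outcome

if __name__ == "__main__":
    # With an argument (http://ESHOST:ESPORT) talk to the real cluster; else demo offline.
    send = http_status if len(sys.argv) == 2 else FakeCluster({"boost-script-param-2"})
    base = sys.argv[1] if len(sys.argv) == 2 else "http://ESHOST:ESPORT"
    for script_id, result in purge_boost_scripts(base, send).items():
        print(f"{script_id}: {result}")
```

Restart the Query service only after every id reports "deleted" or "absent".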
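A pre-upgrade check for the Spring 5.x change above, as an added example that is not part of the HCL documentation: it lists beans in a spring-extension.xml whose supportedMethods property is missing or does not include both GET and POST. It assumes that only ParameterizableViewController beans, as in the page's example, need the property; the two `/Example...` bean ids are hypothetical.

```python
import xml.etree.ElementTree as ET

VIEW_CONTROLLER = "org.springframework.web.servlet.mvc.ParameterizableViewController"
REQUIRED = {"GET", "POST"}

# Constructed sample: the first bean is the page's example; the other two use
# hypothetical ids and show the two ways a bean can fall short.
SAMPLE = f"""<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="/GetRootManagedDirectory" class="{VIEW_CONTROLLER}">
    <property name="viewName" value="/jsp/commerce/attachment/restricted/GetRootManagedDirectory.jsp"/>
    <property name="supportedMethods" value="GET,POST"/>
  </bean>
  <bean id="/ExampleNoMethods" class="{VIEW_CONTROLLER}">
    <property name="viewName" value="/jsp/example/NoMethods.jsp"/>
  </bean>
  <bean id="/ExampleGetOnly" class="{VIEW_CONTROLLER}">
    <property name="viewName" value="/jsp/example/GetOnly.jsp"/>
    <property name="supportedMethods"><value>GET</value></property>
  </bean>
</beans>"""


def local(tag):
    """Strip an XML namespace prefix such as '{http://...}bean'."""
    return tag.rsplit("}", 1)[-1]


def audit_spring_extension(xml_text):
    """Map bean id -> HTTP methods still missing from supportedMethods."""
    findings = {}
    for bean in ET.fromstring(xml_text).iter():
        if local(bean.tag) != "bean" or bean.get("class") != VIEW_CONTROLLER:
            continue
        declared = set()
        for prop in bean:
            if local(prop.tag) == "property" and prop.get("name") == "supportedMethods":
                # Accept value="GET,POST" as well as nested <value> elements.
                raw = [prop.get("value", "")] + [v.text or "" for v in prop.iter() if local(v.tag) == "value"]
                declared = {m.strip().upper() for m in ",".join(raw).split(",") if m.strip()}
        missing = REQUIRED - declared
        if missing:
            findings[bean.get("id", "<no id>")] = sorted(missing)
    return findings


if __name__ == "__main__":
    for bean_id, missing in audit_spring_extension(SAMPLE).items():
        print(f"{bean_id}: supportedMethods lacks {', '.join(missing)}")
```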
Feature enhancements
The following features have been introduced in this release. Review the following list to ensure that your site is prepared once this update is applied.
Indicates enhancements inspired by or created by customers and partners, and submitted through the HCL Commerce | Product Portal. Sign up to vote and submit your own ideas!
- Deployment
- Non-root user introduction
- A non-root user is introduced as the default user across all
HCL Commerce containers that were using the root
user. This enhancement allows for increased compliance and
better conformity with industry security best practices. The use
of the root user remains available for customers with existing
requirements.
Restriction: Upgrading Power-based environments to non-root containers is currently not supported. New deployments are supported.
- CentOS operating system migration
- The CentOS Linux operating system image that has been used
within the various HCL Commerce application Docker
containers has been migrated to the Red Hat Universal Base Image
(UBI) 8. This upgrade strips the Linux operating system to its
bare essentials, offering benefits such as improved performance,
stability, security, and streamlined support when it comes to
underlying operating system issues. CentOS Linux 7 will reach
end-of-life (EOL) on June 30, 2024.
- The NodeJS and GraphQL containers use the UBI minimal image.
- All remaining containers use the UBI standard image.
Note: UBI uses the DNF (Dandified YUM) package manager, as opposed to the YUM package manager previously used in CentOS.
- Hystrix disabled by default
- Hystrix, a latency and fault tolerance technology that was previously used on the Store server, has been deprecated and is disabled by default. The technology is no longer maintained by its developers, and disabling it was recommended in previous releases of HCL Commerce.
- Search
- Basic and Advanced Natural Language Processing (NLP)
- HCL Commerce uses the full suite of CoreNLP Natural Language Processing features for a comprehensive set of default languages. If you add languages beyond this default set, the extra languages are evaluated by a Basic NLP module. This fallback processing mechanism gives you most of the advantages of full NLP without using CoreNLP.
- Store
- Next.js B2B store
- The Next.js store application is enabled for B2B e-commerce. The sample B2B storefront is called Ruby B2B. The B2B Next.js store includes B2B features in addition to all of the features available in the B2C storefront, with the exception of guest-user shopping flows.
  The Next.js store application has been moved out of the preview stage.
- Tools
- Google Analytics enhancements
- Google Analytics has been upgraded to provide GA4 support for the Ruby store.
- Active Catalog Filter
- Management Center now allows you to view, add, remove, and replace the active catalog filter in the Catalog and Pricing tool.
- TinyMCE Editor
- From version 9.1.14 onwards, Management Center for HCL Commerce has replaced CKEditor with TinyMCE editor version 6, which is available by default.
- SAS Support for the Page Composer tool
- From HCL Commerce version 9.1.14.0 onwards, the Storefront Asset Store support is enabled by default.
- Security
- XML Parser Enhancement
- Security enhancements are made around XML processing of inbound web services that use the Program Adapter and WCS.INTEGRATION message mapper. The new feature offers a more flexible way to validate inbound requests and prevent users from accessing remote resources hosted by untrusted sites.
Defect fixes
See HCL Commerce 9.1.14.0, and HCL Commerce 9.1.14.1 in Fixes that are included in HCL Commerce releases for a detailed list of defects that were fixed in this release and its associated fix pack.
Supported companion software
Commerce | Companion software | Database | Browsers |
---|---|---|---|
HCL Commerce Version 9.1.14.0 | | | |