Here's what's new with the Perspectium products 


(warning) ServiceNow GlideEncrypter API Deprecation (warning)

Click here for more information on our plans with the Perspectium Core application as ServiceNow deprecates the GlideEncrypter API.


(warning) Spring Framework Vulnerability Issue (warning)

The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit.

This vulnerability does NOT impact our current DataSync Agent and the variety of Meshlets we offer.

In our DataSync Agent, we don't explicitly include spring-webmvc or spring-webflux as a dependency, but the Agent does ship with the spring-webflux and spring-webmvc jars, both at version 5.3.7. This is because other Spring libraries we include pull in the spring-webmvc and spring-webflux libraries in turn. As a result, these libraries are included when we build our official releases of the Agent.

In addition, our Agent is not packaged as a WAR, nor does it run Tomcat as the Servlet container, so it cannot be exploited as described above. It runs as its own executable jar.

The same applies to our Meshlets: they run as Spring Boot executable jars, so they can't be exploited as described above either.


(warning) Log4j Vulnerability Issue (warning)

A solution is now available to help with the vulnerability issue found in the Log4j library.  This solution is one of the recommended remediations made by the Apache team.  The fix is accomplished by removing the impacted class (JndiLookup.class) and rebuilding the jar file. This is the most expeditious approach to getting a reliable and safe solution.  The other common approach of updating to the 2.16.0 version of the jar file requires significantly more time to rebuild and fully test.  This will be done in the next planned maintenance release, Iodine 7.0.1.

  • The patched jar file with the solution applied can be downloaded here: https://depot.perspectium.com/downloads/agents/log4j-hotfix-873419825/log4j-core-2.8.2.jar

  • Supported versions for this patch are Dubnium and any newer version (Dubnium, Europium, Fluorine, etc).

  • Instructions for deploying the patch:

    • Stop the agent (verify the java process has stopped)

    • Remove the existing log4j-core-2.8.2.jar file from [agent directory]/jars.  We recommend you move this file to a location away from the agent, and rename it so that it is known to be a bad version (e.g. log4j-core-2.8.2.jar.BAD).  It is important that this file is not in the jars directory or any of its subdirectories.

    • Copy the patched jar file you downloaded to the jars directory ([agent directory]/jars).

    • Verify you have the correct version of the patched jar file.  From the command line type: "jar -tf [agent directory]/jars/log4j-core-2.8.2.jar".  This will display the contents (all of the java classes) contained within the jar file.  Verify that JndiLookup.class is not listed in the jar file.

    • Start the agent

    • Verify the perspectium.log file ( [agent directory]/logs/perspectium.log ) is populating correctly.  You should see log entries with the current date/time. 
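
The check from the steps above, written as an added example (not Perspectium's own tooling): it walks the jars directory and its subdirectories and reports every archive that still contains JndiLookup.class, including a renamed copy such as log4j-core-2.8.2.jar.BAD. Python's zipfile module stands in for "jar -tf"; the function names and the sample layout are assumptions made for illustration.

```python
import sys
import tempfile
import zipfile
from pathlib import Path

# Class removed by the hotfix; in log4j-core it sits under
# org/apache/logging/log4j/core/lookup/.
TARGET = "JndiLookup.class"


def find_jndilookup(jars_dir):
    """Return {archive path: [matching entries]} for archives under jars_dir.

    Files are tested with is_zipfile() instead of by extension, so a renamed
    copy (for example log4j-core-2.8.2.jar.BAD) left in a subdirectory is
    still detected.
    """
    hits = {}
    for path in sorted(Path(jars_dir).rglob("*")):
        if not path.is_file() or not zipfile.is_zipfile(path):
            continue
        with zipfile.ZipFile(path) as archive:
            # Compare the file name only, so JndiLookupFoo.class does not match.
            matches = [name for name in archive.namelist()
                       if name.rsplit("/", 1)[-1] == TARGET]
        if matches:
            hits[str(path)] = matches
    return hits


def make_jar(path, entries):
    """Write a constructed sample archive with empty entries (demo only)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as archive:
        for name in entries:
            archive.writestr(name, b"")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        root = Path(sys.argv[1])          # e.g. [agent directory]/jars
    else:
        # Constructed layout: a patched jar plus a renamed unpatched copy.
        root = Path(tempfile.mkdtemp())
        lookup = "org/apache/logging/log4j/core/lookup/"
        make_jar(root / "log4j-core-2.8.2.jar", [lookup + "Interpolator.class"])
        make_jar(root / "old" / "log4j-core-2.8.2.jar.BAD", [lookup + TARGET])
    found = find_jndilookup(root)
    for archive, entries in found.items():
        print(f"STILL PRESENT: {archive}: {', '.join(entries)}")
    sys.exit(1 if found else 0)
```

Run it with the jars directory as the only argument while the agent is stopped; an exit status of 0 means no archive under that directory contains the class.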

(warning) ServiceNow Slow Queries Flow Issue (warning)

If you are upgrading to Paris Patch 8 or Quebec Patch 3 and using Flow with Dynamic Shares, you may experience a slow queries issue affecting your instance's performance. This is due to a regression issue with UI actions that interact with the sys_flow_plan_context_binding table.

To resolve this issue, see ServiceNow Support's KB0960538 where a workaround is provided.

(warning) ServiceNow Quebec GlideEncrypter issue (warning)

In ServiceNow instances with Quebec, obfuscated field values such as passwords are altered due to issues with GlideEncrypter. This issue will occur for all versions of the Perspectium application for ServiceNow.

ServiceNow has an open problem (PRB1480906) in their system for this issue. If your ServiceNow instance has this issue, contact ServiceNow Support to re-install the Key Management Framework (KMF) plugin after upgrading to Quebec.


Verify if your Quebec instance has a properly functioning GlideEncrypter

Log in to your ServiceNow instance with admin privileges.

In the Filter Navigator, type in Scripts - Background.

Run the following script:

// Round-trip a sample string through GlideEncrypter.
var ge = new GlideEncrypter();
var plainText = "Some encryption key here";
var encrypted = ge.encrypt(plainText);
gs.print("Encrypting: " + plainText + ", and got: " + encrypted);
// On a working instance, decrypt() returns the original plain text.
var decrypted = ge.decrypt(encrypted);
gs.print("Decrypting: " + encrypted + ", and got: " + decrypted);

If the result is successful, you will see the following:

*** Script: Encrypting: Some encryption key here, and got: plzF5fF0yab+qzzglBWoW+co191O2CUx+3l9W2kqQdA=
*** Script: Decrypting: plzF5fF0yab+qzzglBWoW+co191O2CUx+3l9W2kqQdA=, and got: Some encryption key here

If the result is NOT successful, there will be an error displayed with a large stack trace in the ServiceNow System Logs.
