New in this release

Last Updated: Jun 05, 2026

Avaya Experience Portal R 8.1.2 Service Pack 3 includes the following changes:

Platform Updates

The Experience Portal platform has undergone significant upgrades to enhance performance, stability, and security:

  • JDK: Upgraded to Azul Zulu OpenJDK 17.0.14 for enhanced security and LTS support.

Security Updates

New security measures for Experience Portal are:

  • Apache Tomcat: Upgraded to 9.0.106 to resolve CVE-2025-31651, an Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat.

  • PostgreSQL: Upgraded to 17.4 to resolve the following security vulnerabilities:

    • CVE-2024-10979 - Incorrect control of environment variables in PostgreSQL PL/Perl

    • CVE-2024-10977 - PostgreSQL libpq retains an error message from a man-in-the-middle

  • ActiveMQ: Upgraded to 6.1.6 to resolve the following security vulnerabilities:

    • CVE-2024-38819: Spring Framework functional endpoints vulnerable to path traversal allowing file access.

    • CVE-2022-22970: DoS vulnerability in Spring due to multipart file upload data binding.

    • CVE-2022-22971: DoS issue in Spring multipart handling like CVE-2022-22970.

    • CVE-2022-22950: DoS via crafted Spring Expression Language (SpEL) expressions.

  • Content-Security-Policy (CSP) headers: Added Content-Security-Policy headers in AEP, with the unsafe-inline option, for stronger protection against cross-site scripting (XSS) and code injection attacks.

  • X-XSS-Protection header: Disabled the X-XSS-Protection header, as Content-Security-Policy (CSP) now provides a more robust and modern alternative.

  • Missing role-based access restrictions: Added the missing role-based access restrictions to Experience Portal so that permissions are enforced properly when a user's role changes.

  • TLS v1.3: Supported for secure communication across key components such as Primary/Aux EPM, MPP, Application Server, Avaya SM, ASR/TTS Speech Server, Nuance and Google cloud servers, and POM.

  • SRTP sips Requirement Update: The mandatory sips requirement for SRTP (Secure Real-time Transport Protocol) is removed and is now a configurable option. SRTP encryption headings can be added if URI Scheme is set to SIP and TEL.
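
A post-upgrade check for the Content-Security-Policy and X-XSS-Protection items above, as an added example that is not Avaya code: it flags where a policy still permits inline script or style through 'unsafe-inline'. The header values are constructed samples, and treating an absent or "0" X-XSS-Protection header as disabled is an assumption.

```python
# Added example: audit response headers against the two header changes above.
# Sample header sets are constructed, not captured from a product.
SAMPLE_UPGRADED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-XSS-Protection": "0",
}
SAMPLE_LEGACY = {"X-XSS-Protection": "1; mode=block"}
STRICT_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers: the first one wins.
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def audit_headers(headers):
    """Return a list of finding labels for a dict of response headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("csp-missing")
    else:
        policy = parse_csp(csp)
        for directive in ("script-src", "style-src"):
            # Fetch directives fall back to default-src when absent.
            sources = policy.get(directive, policy.get("default-src"))
            if sources is None:
                findings.append(f"{directive}-unrestricted")
            elif "'unsafe-inline'" in sources:
                # A nonce or hash makes CSP2+ browsers ignore 'unsafe-inline'.
                if not any(s.startswith(STRICT_PREFIXES) for s in sources):
                    findings.append(f"{directive}-allows-inline")
    xss = h.get("x-xss-protection")
    # Assumption: "disabled" means the header is absent or set to "0".
    if xss is not None and not xss.startswith("0"):
        findings.append("x-xss-protection-enabled")
    return findings

if __name__ == "__main__":
    for name, sample in (("upgraded", SAMPLE_UPGRADED), ("legacy", SAMPLE_LEGACY)):
        print(name, audit_headers(sample))
```

A `script-src-allows-inline` finding means the policy does not block injected inline script on its own, so output encoding and input validation still carry the XSS defense for those pages.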

Vulnerability Remediation

Addressed critical vulnerabilities identified through Coverity and Black Duck scans.

For changes in previous releases, see Changes in earlier releases.