
13 posts tagged with "2023.2"


CVE-2024-38828: DMC not affected

The Spring project has published a Security Advisory concerning Spring Framework, an open-source library used by INFOMOTION Data Management Center.

Based on our analysis and the available information, the relevant vulnerability CVE-2024-38828 does not affect INFOMOTION Data Management Center.

The vulnerable components of Spring Framework ("Spring MVC controller methods with an @RequestBody byte[] method parameter") are not used by our application.

If you have further questions, please create a DMC support ticket via e-mail.

CVE-2024-38819: DMC not affected

The Spring project has published a Security Advisory concerning Spring Framework, an open-source library used by INFOMOTION Data Management Center.

It describes a new vulnerability, similar to CVE-2024-38816 which we have previously reported on.

Based on our analysis, this new vulnerability CVE-2024-38819 does not affect INFOMOTION Data Management Center, since our application does not use the vulnerable "functional" components of Spring Framework.

If you have further questions, please create a DMC support ticket via e-mail.

Patch 2023.2.8

Bugfixes

  • Avoid potential deadlocks when deleting many cached objects at once...
  • Avoid various (transient) error messages when deleting many tables at once
  • Fix NG0100 'changed after checked' frontend error in certain conditions

Improvements

  • Frontend improvements for long-running operations (delete multiple tables, import deployment set)

(since 2023.2.7)

Docker-Image: infomotiondmc.azurecr.io/dmc:2023.2.8

CVE-2024-45801: Mitigated by default & patches

A security advisory has been published for the DOMPurify open-source library used by an optional part (swagger-ui) of the "Spring Docs" framework for making API documentation available in DMC since version 2023.2.

Please note that "Spring Docs" is included in DMC, but disabled by default. Also, the vulnerability only affects the "Swagger" API-Testing frontend included in Spring Docs, which is neither an officially supported feature of DMC nor something users usually interact with.

Based on our understanding, a cross-site-scripting attack would only be possible if all the following conditions are met:

  • the DMC_ENABLE_OPENAPI flag is set to true
  • an attacker were able to introduce malicious content into the API-Testing frontend (which does not usually accept and store any user inputs)
  • a DMC user were to actually visit the unsupported API-Testing frontend

Affected Versions

  • Release 2023.2 before Patch 2023.2.7
  • Release 2024.1 before Patch 2024.1.4

Mitigation

  • The issue is already mitigated by the DMC default configuration.
  • If DMC_ENABLE_OPENAPI is currently set to true, it is recommended to switch it to false until a patch has been applied.

Patches

The Swagger API-Testing frontend has been removed, thereby eliminating the issue, in DMC 2023.2.7 and 2024.1.4.

All officially supported DMC functionality is unaffected by this change.

Patch 2023.2.7

Bugfixes

  • Remove unnecessary swagger-ui dependency due to CVE-2024-45801

  • Make default column mappings case-insensitive (like all column mappings)

(since 2023.2.6)

Docker-Image: infomotiondmc.azurecr.io/dmc:2023.2.7

CVE-2024-38816: DMC not affected

The Spring project has published a Security Advisory concerning Spring Framework, an open-source library used by INFOMOTION Data Management Center.

Based on our analysis, the relevant vulnerability CVE-2024-38816 does not affect INFOMOTION Data Management Center as long as it is deployed according to specification:

  1. Our application does not use RouterFunctions, the vulnerable component of Spring Framework.
  2. DMC deployments are only supported on the Tomcat application server, which by itself mitigates the issue according to the official blog post by the Spring project.
    Official Docker images published by INFOMOTION also use Tomcat as an application server, as does the "standalone deployment" available since DMC version 2024.1.

If you have further questions, please create a DMC support ticket via e-mail.

Patch 2023.2.6

Bugfixes

  • Fix permissions check when editing table/data permissions

  • Fix displaying deleted records with very long texts in historical view

  • Correct import of tables with names ending in digits

  • Update to Spring 5.3.38 because of CVE-2024-38809

(since 2023.2.5)

Docker-Image: infomotiondmc.azurecr.io/dmc:2023.2.6

Patch 2023.2.5

Docker-Image: infomotiondmc.azurecr.io/dmc:2023.2.5

Bugfixes

  • Avoid deadlocks by deleting multiple tables sequentially

Patch 2023.2.4

Docker-Image: infomotiondmc.azurecr.io/dmc:2023.2.4

Bugfixes

  • Update to Spring 5.3.34 because of CVE-2024-22259
  • Lengthened VARCHAR fields that were too short (especially QA rule SQL)
  • Cleaned up faulty metadata cache after a failed import

Improvements

  • Improved error messages during import

Patch 2023.2.3

Docker-Image: infomotiondmc.azurecr.io/dmc:2023.2.3

Bugfixes

  • Prevent errors when migrating old metadata on Oracle (duplication,...
  • Fixed historization error when copying records
  • Exclude past uploads with an invalid file extension from processing, to avoid errors
  • Reject uploads with an invalid file extension immediately

Patch 2023.2.2

Docker-Image: infomotiondmc.azurecr.io/dmc:2023.2.2

Changes

  • Deletion of historical data during table import is now configurable
  • Correct order of new DB columns during import
  • Automatic release notes & adjusted CI rules for builds
  • Bugfix: newly created columns were not editable inline

Patch 2023.2.1

Docker-Image: infomotiondmc.azurecr.io/dmc:2023.2.1

Bugfixes

  • Bugfix for CSV import
  • Fix for demo content import
  • Updated "Logback" dependency

Release 2023.2 (LTS)

Docker-Image: infomotiondmc.azurecr.io/dmc:2023.2.0

Features

  • Support for parameters in commands (backend)
  • Display database messages in the form
  • Command execution can refresh the QA cache
  • Allow HTML in table descriptions
  • Deletion of historical data during table import is configurable