11 Posts getaggt mit "2024.1"

The Spring project has published a Security Advisory concerning Spring Framework, an open-source library used by INFOMOTION Data Management Center.

Based on our analysis and the available information, the relevant vulnerability CVE-2024-38828 does not affect INFOMOTION Data Management Center.

The vulnerable components of Spring Framework ("Spring MVC controller methods with an @RequestBody byte[] method parameter") are not used by our application.

If you have further questions, please create a DMC support ticket via eMail.

Bugfixes​

• Revert paginator to show row numbers instead of page numbers

• Upgrade Spring Framework out of caution relating to CVE-2024-38819

(since 2024.1.5)

Docker-Image: infomotiondmc.azurecr.io/dmc:2024.1.6

The Spring project has published a Security Advisory concerning Spring Framework, an open-source library used by INFOMOTION Data Management Center.

It describes a new vulnerability, similar to CVE-2024-38816 which we have previously reported on.

Based on our analysis, this new vulnerability CVE-2024-38819 does not affect INFOMOTION Data Management Center, since our application does not use the vulnerable "functional" components of Spring Framework.

If you have further questions, please create a DMC support ticket via eMail.

Bugfixes​

• Avoid potential deadlocks when deleting many cached objects at once...
• Avoid various (transient) error messages when deleting many tables at once
• Fix NG0100 'changed after checked' frontend error in certain conditions

Improvements​

• Frontend improvements for long-running operations (delete multiple tables, import deployment set)

(since 2024.1.4)

Docker-Image: infomotiondmc.azurecr.io/dmc:2024.1.5

A security advisory has been published for the DOMPurify open-source library used by an optional part (swagger-ui) of the "Spring Docs" framework for making API documentation available in DMC since version 2023.2.

Please note that "Spring Docs" is included in DMC, but disabled by default. Also, the vulnerability only affects the "Swagger" API-Testing frontend included in Spring Docs, which is neither an officially supported feature of DMC nor something users usually interact with.

Based on our understanding, a cross-site-scripting attack would only be possible if all the following conditions are met:

• the DMC_ENABLE_OPENAPI flag is set to true
• an attacker were able to introduce malicious content into the API-Testing frontend (which does not usually accept and store any user inputs)
• a DMC user were to actually visit the unsupported API-Testing frontend

Affected Versions​

• Release 2023.2 before Patch 2023.2.7
• Release 2024.1 before Patch 2024.1.4

Mitigation​

• The issue is already mitigated by the DMC default configuration.
• If DMC_ENABLE_OPENAPI is currently set to true, it is recommended to switch it to false until a patch has been applied.

Patches​

The Swagger API-Testing frontend has been removed, thereby eliminating the issue, in DMC 2023.2.7 and 2024.1.4.

All officially supported DMC functionality is unaffected by this change.

Bugfixes​

• Remove unneccessary swagger-ui dependency due to CVE-2024-45801

(since 2024.1.3)

Docker-Image: infomotiondmc.azurecr.io/dmc:2024.1.4

Bugfixes​

• Make default column mappings during import case-insensitive like all other import mappings

• Fix an error occurring when sorting by hist_from in specific cases for MSSQL database

(since 2024.1.2)

Docker-Image: infomotiondmc.azurecr.io/dmc:2024.1.3

The Spring project has published a Security Advisory concerning Spring Framework, an open-source library used by INFOMOTION Data Management Center.

Based on our analysis, the relevant vulnerability CVE-2024-38816 does not affect INFOMOTION Data Management Center as long as it is deployed according to specification:

1. Our application does not use RouterFunctions, the vulnerable component of Spring Framework.
2. DMC deployments are only supported on Tomcat application server, which by itself mitigates the issue according to the official blog post by the Spring project.
   Official Docker images published by INFOMOTION also use Tomcat as an application server, as does the "standalone deployment" available since DMC version 2024.1.

If you have further questions, please create a DMC support ticket via eMail.

Bugfixes​

• Fix permissions check when editing table/data permissions
• Use application timezone instead of UTC for hist_from/hist_until timestamps in H2
• Increase maximum number of digits for numeric columns on H2 database
• Fix issue with importing demo content on MSSQL 2019 database
• Prevent invalid values from being entered into 'date' and 'datetime' columns
• Correct import of tables with names ending in digits
• Update to Spring 6.1.12 because of CVE-2024-38809

Improvements​

• Allow at least partial startup & debug output when configuration is missing

(since 2024.1.1)

Docker-Image: infomotiondmc.azurecr.io/dmc:2024.1.2

Docker-Image: infomotiondmc.azurecr.io/dmc:2024.1.1

Bugfixes​

• Deadlock beim gleichzeitigen Löschen vieler Tabellen vermeiden

Verbesserungen​

• Add HSTS headers when using SSL

Docker-Image: infomotiondmc.azurecr.io/dmc:2024.1.0

Features​

• Zugriff auf Logdaten über Actuator-Endpoint
• Text-Felder mit URLs werden als anklickbare Links dargestellt
• Spalten können als "verpflichtend" markiert werden
• Spring Boot Actuator Endpoints für health,env,loggers,metrics
• Trimmen von Leerzeichen in Nichtschlüssel-Spalten