
18 posts tagged with "Security"


Patch 2024.2.15

Two vulnerabilities CVE-2026-24734 and CVE-2025-66614 have been disclosed, affecting the Tomcat Web Application Server.

A version of Tomcat is included in the INFOMOTION Data Management Center package and used for the containerized and standalone deployment options. We are now releasing an updated version 2024.2.15 of Data Management Center that includes a patched version of Apache Tomcat.

Please note that this patch only secures containerized or standalone DMC deployments. When deployed within a custom Tomcat installation, that installation should be patched as well.

(since 2024.2.14)

Docker-Image: infomotiondmc.azurecr.io/dmc:2024.2.15

Patch 2025.2.3 / CVE-2026-24734 & CVE-2025-66614

Two vulnerabilities CVE-2026-24734 and CVE-2025-66614 have been disclosed, affecting the Tomcat Web Application Server.

A version of Tomcat is included in the INFOMOTION Data Management Center package and used for the containerized and standalone deployment options. We are now releasing an updated version 2025.2.3 of Data Management Center that includes a patched version of Apache Tomcat.

Please note that this patch only secures containerized or standalone DMC deployments. When deployed within a custom Tomcat installation, that installation should be patched as well.

Bugfixes

  • Fix: Suggested admin mapping (import-dialog) is now correctly displayed on Date, Filename, DateTime, Rownumber columns
  • Fix: Missing English translations for Qs-Mail-Task-Form

(since 2025.2.2)

Container Image: infomotiondmc.azurecr.io/dmc@sha256:e70a0ebe090ebaec02160451d975bde46c99c743406366494eedfd115e6c318c

WAR File: https://dmcwiki.blob.core.windows.net/dmc-releases/2025.2.3/dmc.war (sha256: bfd86054cd14e7c2674de88d4231ee31cf97931c5648a08b421d88ac0e41a04e)

Patch 2024.2.13 / CVEs CVE-2025-55752 & CVE-2025-55754

Two vulnerabilities CVE-2025-55752 and CVE-2025-55754 have been disclosed, affecting the Tomcat Web Application Server.

A version of Tomcat is included in the INFOMOTION Data Management Center package and used for the containerized and standalone deployment options. We are now releasing an updated version 2024.2.13 of Data Management Center that includes a patched version of Apache Tomcat.

Please note that this patch only secures containerized or standalone DMC deployments. When deployed within a custom Tomcat installation, that installation should be patched as well.

(since 2024.2.12)

Docker-Image: infomotiondmc.azurecr.io/dmc:2024.2.13

Patch 2025.1.5 / CVEs CVE-2025-55752 & CVE-2025-55754

Two vulnerabilities CVE-2025-55752 and CVE-2025-55754 have been disclosed, affecting the Tomcat Web Application Server.

A version of Tomcat is included in the INFOMOTION Data Management Center package and used for the containerized and standalone deployment options. We are now releasing an updated version 2024.2.13 of Data Management Center that includes a patched version of Apache Tomcat.

Please note that this patch only secures containerized or standalone DMC deployments. When deployed within a custom Tomcat installation, that installation should be patched as well.

(since 2025.1.4)

Container Image: infomotiondmc.azurecr.io/dmc@sha256:6297c90cb72a67bcb6b1c8b8537b9f5bc82ff326292b73363d5ced718dd1b800

WAR File: https://dmcwiki.blob.core.windows.net/dmc-releases/2025.1.5/dmc.war (sha256: 49402986017c752e665d4d674427bc8279a76c86d60521d311d9fb12c19d568a)

Patch 2024.2.12 / CVE-2025-59250

A version of the Microsoft JDBC Driver for SQL Server is included in the INFOMOTION Data Management Center package and used across all deployment options. We are now releasing an updated version 2024.2.12 of Data Management Center that includes a patched version of the Microsoft JDBC Driver for SQL Server to address CVE-2025-59250.

Bugfixes

  • Fix: Table-UI (List of tables) did not update when a table was deleted

(since 2024.2.11)

Docker-Image: infomotiondmc.azurecr.io/dmc:2024.2.12

Patch 2025.1.4 / CVE-2025-59250

A version of the Microsoft JDBC Driver for SQL Server is included in the INFOMOTION Data Management Center package and used across all deployment options. We are now releasing an updated version 2025.1.4 of Data Management Center that includes a patched version of the Microsoft JDBC Driver for SQL Server to address CVE-2025-59250.

Bugfixes

  • fix(import): Ensure upsert behavior when using custom primary key instead of insert-only
  • fix: Table inMemory could not be updated due to JSON parsing discrepancy
  • fix: Data page does not update on page change
  • fix: Applying TableFilters caused IndexOutOfBounds-Error
  • Fix: Table-UI (List of tables) did not update when a table was deleted

(since 2025.1.3)

Container Image: infomotiondmc.azurecr.io/dmc@sha256:5dcdb35ce61e2b08836b3125e54869d624f75f14f10d2e50feff9c6b47711a0e

WAR File: https://dmcwiki.blob.core.windows.net/dmc-releases/2025.1.4/dmc.war (sha256: c44bad4cf8d894f25a01daf47c36f7bbd7f891107a691496885bf2b5a09a327b)

Patch 2024.2.11 / CVE-2025-41249

CVE-2025-41242

A vulnerability in the Spring Framework CVE-2025-41249 has been reported. The INFOMOTION Data Management Center (DMC) includes the Spring Framework as part of its package.

Based on our analysis and existing automated tests of authorization procedures, we do not believe Data Management Center to be impacted by the vulnerability.

Nonetheless, we are now releasing an updated version 2024.2.11 of Data Management Center that includes a patched version of the Spring Framework.

Dependency Upgrades

  • Upgrade Spring Boot from 6.2.10 to 6.2.11.

Features

  • Added ENV Parameter DMC_TRIM_ALL_NON_PKS to trim all non-primary-key fields.

Bugfixes

  • Ensured proper rollback of caches when DeploymentSet import fails due to exceptions.
  • Fixed incorrect validation in Trigger Form.
  • Fixed incorrect validation in Task Form.
  • Fixed translation error in Table-View.
  • Resolved error in Admin-Task-View caused by invalid commands missing a tableId. Added a tooltip to indicate when a command is invalid and will not be scheduled.
  • Improved error message for Objects not found: COMMAND #-2147483648 when deleting a command referenced by a task.
  • Editing is now possible when domain values are invalid; outdated entries (not part of the list of values) are shown with a warning.
  • Fixed issue where entries could not be deleted if a primary key field was set to null.
  • Scheduled commands that fail due to a missing command are now automatically unscheduled.

(since 2024.2.10)

Docker-Image: infomotiondmc.azurecr.io/dmc:2024.2.11

Patch 2025.1.3 / CVE-2025-41249

CVE-2025-41242

A vulnerability in the Spring Framework CVE-2025-41249 has been reported. The INFOMOTION Data Management Center (DMC) includes the Spring Framework as part of its package.

Based on our analysis and existing automated tests of authorization procedures, we do not believe Data Management Center to be impacted by the vulnerability.

Nonetheless, we are now releasing an updated version 2025.1.3 of Data Management Center that includes a patched version of the Spring Framework.

Dependency Upgrades

  • Upgrade Spring Boot from 6.2.10 to 6.2.11.

Features

  • Added ENV Parameter DMC_TRIM_ALL_NON_PKS to trim all non-primary-key fields.

Bugfixes

  • Ensured proper rollback of caches when DeploymentSet import fails due to exceptions.
  • Fixed incorrect validation in Trigger Form.
  • Fixed incorrect validation in Task Form.
  • Fixed translation error in Table-View.
  • Resolved error in Admin-Task-View caused by invalid commands missing a tableId. Added a tooltip to indicate when a command is invalid and will not be scheduled.
  • Improved error message for Objects not found: COMMAND #-2147483648 when deleting a command referenced by a task.
  • Editing is now possible when domain values are invalid; outdated entries (not part of the list of values) are shown with a warning.
  • Fixed issue where entries could not be deleted if a primary key field was set to null.
  • Scheduled commands that fail due to a missing command are now automatically unscheduled.

(since 2025.1.2)

Container Image: infomotiondmc.azurecr.io/dmc@sha256:bd1d896e0ff996c19ebcb9bb197db5905b213eb4636721921e15fc4ca7b6d202

WAR File: https://dmcwiki.blob.core.windows.net/dmc-releases/2025.1.3/dmc.war (sha256: 2246bdebba17989ad468f89433f4bb5fe21e09a8973273f923ac00e8623c2d4c)

Patch 2024.2.10 / CVEs CVE-2025-48989 & CVE-2025-41242

CVE-2025-48989

A vulnerability CVE-2025-48989 has been disclosed, affecting the Tomcat Web Application Server.

A version of Tomcat is included in the INFOMOTION Data Management Center package and used for the containerized and standalone deployment options. We are now releasing an updated version 2024.2.10 of Data Management Center that includes a patched version of Apache Tomcat.

Please note that this patch only secures containerized or standalone DMC deployments. When deployed within a custom Tomcat installation, that installation should be patched as well.

CVE-2025-41242

A vulnerability CVE-2025-41242 has been disclosed, affecting certain Spring Framework MVC applications in non-compliant servlet environments.

The INFOMOTION Data Management Center (DMC) includes the Spring Framework as part of its package.
We are now releasing an updated version 2024.2.10 of Data Management Center that includes a patched version of Spring Framework.

Please note:

  • Deployments of DMC using the embedded Tomcat servlet container are not affected by this vulnerability, since Tomcat properly rejects malicious path sequences.
  • Nevertheless, we include the patched Spring Framework in this release to ensure ongoing security and compatibility.
  • If DMC is deployed within a custom servlet container, that environment should be checked and updated accordingly.

Dependency Upgrades

  • Upgrade Tomcat from 10.1.43 to 10.1.44 to avoid potential issues with CVE-2025-48989.
  • Upgrade Spring Boot from 6.2.8 to 6.2.10 to avoid potential issues with CVE-2025-41242.

Bugfixes

  • Fixed an issue where List-of-Values without a filterColumn failed with cryptic errors.
  • Fixed an issue where the checkmark on the update view showed the incorrect state.
  • Fixed an issue where QS rules were not revalidated when the table changes, which resulted in invalid SQLs.
  • Fixed an issue where commands configured with QA CHECK BEFORE EXECUTION and Abort on error failed with an INTERNAL_SERVER_ERROR if no QA rules were defined.
  • Fixed a header configuration error within table/{tableId}/data/delete.
  • Prevented use of SQL keywords in columnName or title during Create-Table-Process.
  • Fixed cryptic errors in the TablePerm workflow.
  • Fixed a deserialization error for table permissions during the create process.
  • Fixed an issue where the view did not update after importing a Deployment Set.
  • Fixed an issue where attempting to rename a column during deployment-import led to a cryptic error message.

Improvements

  • Enhanced Field descriptions within Input-Data fields.

(since 2024.2.9)

Docker-Image: infomotiondmc.azurecr.io/dmc:2024.2.10

Patch 2025.1.2 / CVEs CVE-2025-48989 & CVE-2025-41242

CVE-2025-48989

A vulnerability CVE-2025-48989 has been disclosed, affecting the Tomcat Web Application Server.

A version of Tomcat is included in the INFOMOTION Data Management Center package and used for the containerized and standalone deployment options. We are now releasing an updated version 2025.1.2 of Data Management Center that includes a patched version of Apache Tomcat.

Please note that this patch only secures containerized or standalone DMC deployments. When deployed within a custom Tomcat installation, that installation should be patched as well.

CVE-2025-41242

A vulnerability CVE-2025-41242 has been disclosed, affecting certain Spring Framework MVC applications in non-compliant servlet environments.

The INFOMOTION Data Management Center (DMC) includes the Spring Framework as part of its package.
We are now releasing an updated version 2025.1.2 of Data Management Center that includes a patched version of Spring Framework.

Please note:

  • Deployments of DMC using the embedded Tomcat servlet container are not affected by this vulnerability, since Tomcat properly rejects malicious path sequences.
  • Nevertheless, we include the patched Spring Framework in this release to ensure ongoing security and compatibility.
  • If DMC is deployed within a custom servlet container, that environment should be checked and updated accordingly.

Dependency Upgrades

  • Upgrade Tomcat from 10.1.43 to 10.1.44 to avoid potential issues with CVE-2025-48989.
  • Upgrade Spring Boot from 6.2.8 to 6.2.10 to avoid potential issues with CVE-2025-41242.

Bugfixes

  • Fixed an issue where List-of-Values without a filterColumn failed with cryptic errors.
  • Fixed an issue where the checkmark on the update view showed the incorrect state.
  • Fixed an issue where QS rules were not revalidated when the table changes, which resulted in invalid SQLs.
  • Fixed an issue where commands configured with QA CHECK BEFORE EXECUTION and Abort on error failed with an INTERNAL_SERVER_ERROR if no QA rules were defined.
  • Fixed a header configuration error within table/{tableId}/data/delete.
  • Prevented use of SQL keywords in columnName or title during Create-Table-Process.
  • Fixed cryptic errors in the TablePerm workflow.
  • Fixed a deserialization error for table permissions during the create process.
  • Fixed an issue where the view did not update after importing a Deployment Set.
  • Fixed an issue where attempting to rename a column during deployment-import led to a cryptic error message.

Improvements

  • Enhanced Field descriptions within Input-Data fields.

(since 2025.1.1)

Container Image: infomotiondmc.azurecr.io/dmc@sha256:2393a32c3c7bfa9c93813a3bd932f5eb0315fd283cba46481496c0a2d30b5c61

WAR File: https://dmcwiki.blob.core.windows.net/dmc-releases/2025.1.2/dmc.war (sha256: 9738ab489ed60937bff5216b0311f3aee3d0296b642ecb260f58b00eb23f87f3)

Patch 2024.2.9 / CVEs CVE-2025-53506 & CVE-2025-52550

Two separate vulnerabilities CVE-2025-53506 and CVE-2025-52520 have been disclosed, affecting the Tomcat Web Application Server.

A version of Tomcat is included in the INFOMOTION Data Management Center package and used for the containerized and standalone deployment options. We are now releasing an updated version 2024.2.9 of Data Management Center that includes a patched version of Apache Tomcat.

Please note that this patch only secures containerized or standalone DMC deployments. When deployed within a custom Tomcat installation, that installation should be patched as well.

Dependency Upgrades

(since 2024.2.8)

Docker-Image: infomotiondmc.azurecr.io/dmc:2024.2.9

Patch 2025.1.1 / CVEs CVE-2025-53506 & CVE-2025-52550

Two separate vulnerabilities CVE-2025-53506 and CVE-2025-52520 have been disclosed, affecting the Tomcat Web Application Server.

A version of Tomcat is included in the INFOMOTION Data Management Center package and used for the containerized and standalone deployment options. We are now releasing an updated version 2025.1.1 of Data Management Center that includes a patched version of Apache Tomcat.

Please note that this patch only secures containerized or standalone DMC deployments. When deployed within a custom Tomcat installation, that installation should be patched as well.

Dependency Upgrades

(since 2025.1.0)

Container Image: infomotiondmc.azurecr.io/dmc@sha256:582f38135d34b032f7d928791c4db8b6532e3fbe8190a1c2e8b8bb85fd7b8756

WAR File: https://dmcwiki.blob.core.windows.net/dmc-releases/2025.1.1/dmc.war (sha256: 4925e519a125eb9b615ee12d75f8ebf1008c46109504738758204946b08c5d31)

CVE-2025-24813: DMC probably not affected & patches

A vulnerability CVE-2025-24813 has been disclosed, affecting the Tomcat Web Application Server.

A version of Tomcat is included in the INFOMOTION Data Management Center package and used for the containerized and standalone deployment options.

While the vulnerability is flagged as potentially having a critical impact, the published information lists very specific preconditions. Based on our understanding, the information disclosure and remote code execution scenarios depend, among other things, on the following preconditions being met:

  • The Tomcat default servlet must be enabled
  • Additionally, it must be configured to allow writes

Neither of these conditions is met in the INFOMOTION Data Management Center:

  • The Tomcat Default Servlet is not enabled within DMC.
  • Also, the servlet is read-only by default unless explicitly configured otherwise, which DMC does not do.

Nonetheless, we will be releasing an updated version 2024.2.4 of Data Management Center shortly that includes a patched version of Apache Tomcat.

Please note that this patch only secures containerized or standalone DMC deployments. When deployed within a custom Tomcat installation, that installation should be patched as well.
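As an added example (this is not code from the DMC release notes or from the DMC product), the check below reads a Tomcat web.xml and reports the two preconditions named above: whether the DefaultServlet is declared and mapped, and whether its "readonly" init-param has been switched off. It assumes the standard Tomcat configuration layout, the servlet class org.apache.catalina.servlets.DefaultServlet and Tomcat's documented default of readonly=true when the parameter is absent; the three sample documents at the bottom are constructed for the demonstration.

```python
# Added example, not part of the DMC release notes or of the DMC product:
# a read-only check of a Tomcat web.xml for the CVE-2025-24813 preconditions
# named above (DefaultServlet declared and mapped, "readonly" switched off).
# Assumption: standard Tomcat conf/web.xml structure, namespace optional.
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag):
    """Drop an XML namespace prefix: '{uri}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _text(elem):
    return (elem.text or "").strip()


def default_servlet_status(web_xml_text):
    """Summarise how the DefaultServlet is configured in a web.xml document.

    Returns a dict with keys:
      declared - a <servlet> using the DefaultServlet class exists
      mapped   - that servlet has at least one <servlet-mapping>
      readonly - value of its readonly init-param (True when absent, which
                 is Tomcat's default), or None when the servlet is not declared
    """
    root = ET.fromstring(web_xml_text)
    declared, readonly, names = False, None, set()
    for servlet in (e for e in root.iter() if _local(e.tag) == "servlet"):
        cls, name, params = None, None, {}
        for child in servlet:
            tag = _local(child.tag)
            if tag == "servlet-class":
                cls = _text(child)
            elif tag == "servlet-name":
                name = _text(child)
            elif tag == "init-param":
                pname = pvalue = None
                for p in child:
                    if _local(p.tag) == "param-name":
                        pname = _text(p)
                    elif _local(p.tag) == "param-value":
                        pvalue = _text(p)
                if pname is not None:
                    params[pname] = pvalue
        if cls == DEFAULT_SERVLET_CLASS:
            declared = True
            names.add(name)
            readonly = params.get("readonly", "true").lower() == "true"
    mapped = any(
        _local(c.tag) == "servlet-name" and _text(c) in names
        for m in root.iter() if _local(m.tag) == "servlet-mapping"
        for c in m
    )
    return {"declared": declared, "mapped": mapped, "readonly": readonly}


def writes_possible(web_xml_text):
    """True only when the DefaultServlet is declared, mapped and writable."""
    s = default_servlet_status(web_xml_text)
    return s["declared"] and s["mapped"] and s["readonly"] is False


# Constructed sample documents (not real DMC or Tomcat files).
_HEAD = '<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">'
_MAPPING = ("<servlet-mapping><servlet-name>default</servlet-name>"
            "<url-pattern>/</url-pattern></servlet-mapping>")

# Tomcat-style default: DefaultServlet declared and mapped, readonly omitted.
SAFE_WEB_XML = _HEAD + (
    "<servlet><servlet-name>default</servlet-name>"
    f"<servlet-class>{DEFAULT_SERVLET_CLASS}</servlet-class>"
    "</servlet>" + _MAPPING + "</web-app>")

# Explicitly writable DefaultServlet: the precondition the advisory describes.
WRITABLE_WEB_XML = _HEAD + (
    "<servlet><servlet-name>default</servlet-name>"
    f"<servlet-class>{DEFAULT_SERVLET_CLASS}</servlet-class>"
    "<init-param><param-name>readonly</param-name>"
    "<param-value>false</param-value></init-param>"
    "</servlet>" + _MAPPING + "</web-app>")

# Application web.xml that does not declare the DefaultServlet at all
# (com.example.AppServlet is a placeholder class name).
NO_DEFAULT_WEB_XML = _HEAD + (
    "<servlet><servlet-name>app</servlet-name>"
    "<servlet-class>com.example.AppServlet</servlet-class></servlet>"
    "</web-app>")

if __name__ == "__main__":
    for label, doc in [("safe", SAFE_WEB_XML), ("writable", WRITABLE_WEB_XML),
                       ("no-default", NO_DEFAULT_WEB_XML)]:
        print(label, default_servlet_status(doc),
              "writes possible:", writes_possible(doc))
```

Run it against both the server-wide conf/web.xml and the application's own WEB-INF/web.xml of a custom Tomcat installation; an application descriptor can override the global DefaultServlet settings, so only a writable result in the effective configuration indicates that the write precondition is met.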

CVE-2025-21502: Updated Container Image

Oracle has published a Security Advisory for Java as part of its January 2025 Critical Patch Update Advisory that is relevant for INFOMOTION Data Management Center under certain conditions:

  • Generally speaking, Java is not part of DMC itself, which is therefore not directly affected.
  • However, the pre-built container images we distribute since Release 2024.1 contain a Java Runtime Environment (Java version 17).

CVE-2025-21502 has been classified by Oracle as a low-impact and high-complexity attack on Java versions up to 17.0.13. Unfortunately, there is not enough information available yet to be able to assess if and how INFOMOTION Data Management Center might be affected by the issue in the underlying JRE.

As a precaution we are releasing an updated DMC version 2024.2.1.

In addition to two bugfixes (see release notes), the container images published for this patch update the JRE to version 17.0.14 which, according to the published information, is not affected by either CVE.

If you have further questions, please create a DMC support ticket via eMail.

CVE-2024-38828: DMC not affected

The Spring project has published a Security Advisory concerning Spring Framework, an open-source library used by INFOMOTION Data Management Center.

Based on our analysis and the available information, the relevant vulnerability CVE-2024-38828 does not affect INFOMOTION Data Management Center.

The vulnerable components of Spring Framework ("Spring MVC controller methods with an @RequestBody byte[] method parameter") are not used by our application.

If you have further questions, please create a DMC support ticket via eMail.

CVE-2024-38819: DMC not affected

The Spring project has published a Security Advisory concerning Spring Framework, an open-source library used by INFOMOTION Data Management Center.

It describes a new vulnerability, similar to CVE-2024-38816 which we have previously reported on.

Based on our analysis, this new vulnerability CVE-2024-38819 does not affect INFOMOTION Data Management Center, since our application does not use the vulnerable "functional" components of Spring Framework.

If you have further questions, please create a DMC support ticket via eMail.

CVE-2024-45801: Mitigated by default & patches

A security advisory has been published for the DOMPurify open-source library used by an optional part (swagger-ui) of the "Spring Docs" framework for making API documentation available in DMC since version 2023.2.

Please note that "Spring Docs" is included in DMC, but disabled by default. Also, the vulnerability only affects the "Swagger" API-Testing frontend included in Spring Docs, which is neither an officially supported feature of DMC nor something users usually interact with.

Based on our understanding, a cross-site-scripting attack would only be possible if all the following conditions are met:

  • the DMC_ENABLE_OPENAPI flag is set to true
  • an attacker were able to introduce malicious content into the API-Testing frontend (which does not usually accept and store any user inputs)
  • a DMC user were to actually visit the unsupported API-Testing frontend

Affected Versions

  • Release 2023.2 before Patch 2023.2.7
  • Release 2024.1 before Patch 2024.1.4

Mitigation

  • The issue is already mitigated by the DMC default configuration.
  • If DMC_ENABLE_OPENAPI is currently set to true, it is recommended to switch it to false until a patch has been applied.

Patches

The Swagger API-Testing frontend has been removed, thereby eliminating the issue, in DMC 2023.2.7 and 2024.1.4.

All officially supported DMC functionality is unaffected by this change.

CVE-2024-38816: DMC not affected

The Spring project has published a Security Advisory concerning Spring Framework, an open-source library used by INFOMOTION Data Management Center.

Based on our analysis, the relevant vulnerability CVE-2024-38816 does not affect INFOMOTION Data Management Center as long as it is deployed according to specification:

  1. Our application does not use RouterFunctions, the vulnerable component of Spring Framework.
  2. DMC deployments are only supported on Tomcat application server, which by itself mitigates the issue according to the official blog post by the Spring project.
    Official Docker images published by INFOMOTION also use Tomcat as an application server, as does the "standalone deployment" available since DMC version 2024.1.

If you have further questions, please create a DMC support ticket via eMail.