Zum Hauptinhalt springen

25 Posts getaggt mit "Security"

Alle Tags anzeigen

CVE-2025-21502: Updated Container Image

Oracle has published a Security Advisories for Java as part of it's Januar 2025 Critical Patch Update Advisory that is relevant for INFOMOTION Data Management center under certain conditions:

  • Generally speaking, Java is not part of DMC itself, which is therefore not directly affected.
  • However, the pre-built container images we distribute since Release 2024.1 contain a Java Runtime Environment (Java version 17).

CVE-2025-21502 has been classified by Oracle as a low-impact and high-complexity attack on Java versions up to 17.0.13. Unfortunately, there is not enough information available yet to be able to asses if and how INFOMOTION Data Management Center might be affected by the issue in the underlying JRE.

As a precaution we are releasing an updated DMC version 2024.2.1.

In addition to two bugfixes (see release notes), the container images published for this patch update the JRE to version 17.0.14 which, according to the published information, is not affected by either CVE.

If you have further questions, please create a DMC support ticket via eMail.

CVE-2024-38828: DMC not affected

The Spring project has published a Security Advisory concerning Spring Framework, an open-source library used by INFOMOTION Data Management Center.

Based on our analysis and the available information, the relevant vulnerability CVE-2024-38828 does not affect INFOMOTION Data Management Center.

The vulnerable components of Spring Framework ("Spring MVC controller methods with an @RequestBody byte[] method parameter") are not used by our application.

If you have further questions, please create a DMC support ticket via eMail.

CVE-2024-38819: DMC not affected

The Spring project has published a Security Advisory concerning Spring Framework, an open-source library used by INFOMOTION Data Management Center.

It describes a new vulnerability, similar to CVE-2024-38816 which we have previously reported on.

Based on our analysis, this new vulnerability CVE-2024-38819 does not affect INFOMOTION Data Management Center, since our application does not use the vulnerable "functional" components of Spring Framework.

If you have further questions, please create a DMC support ticket via eMail.

CVE-2024-45801: Mitigated by default & patches

A security advisory has been published for the DOMPurify open-source library used by an optional part (swagger-ui) of the "Spring Docs" framework for making API documentation available in DMC since version 2023.2.

Please note that "Spring Docs" is included in DMC, but disabled by default. Also, the vulnerability only affects the "Swagger" API-Testing frontend included in Spring Docs, which is neither an officially supported feature of DMC nor something users usually interact with.

Based on our understanding, a cross-site-scripting attack would only be possible if all the following conditions are met:

  • the DMC_ENABLE_OPENAPI flag is set to true
  • an attacker were able to introduce malicious content into the API-Testing frontend (which does not usually accept and store any user inputs)
  • a DMC user were to actually visit the unsupported API-Testing frontend

Affected Versions

  • Release 2023.2 before Patch 2023.2.7
  • Release 2024.1 before Patch 2024.1.4

Mitigation

  • The issue is already mitigated by the DMC default configuration.
  • If DMC_ENABLE_OPENAPI is currently set to true, it is recommended to switch it to false until a patch has been applied.

Patches

The Swagger API-Testing frontend has been removed, thereby eliminating the issue, in DMC 2023.2.7 and 2024.1.4.

All officially supported DMC functionality is unaffected by this change.

CVE-2024-38816: DMC not affected

The Spring project has published a Security Advisory concerning Spring Framework, an open-source library used by INFOMOTION Data Management Center.

Based on our analysis, the relevant vulnerability CVE-2024-38816 does not affect INFOMOTION Data Management Center as long as it is deployed according to specification:

  1. Our application does not use RouterFunctions, the vulnerable component of Spring Framework.
  2. DMC deployments are only supported on Tomcat application server, which by itself mitigates the issue according to the official blog post by the Spring project.
    Official Docker images published by INFOMOTION also use Tomcat as an application server, as does the "standalone deployment" available since DMC version 2024.1.

If you have further questions, please create a DMC support ticket via eMail.