Release 10.12

Explore the fixes for Software AG Cloud version 10.12.

Fixes

| Version | Issue ID | Release Date | Description |
|---|---|---|---|
| 10.12.0.3 | SCI-5925 | June 08, 2022 | Erroneous date and time format in Software AG Cloud. In the Administration > User profile page, the date format was wrong; this is now fixed. |
| 10.12.0.3 | SCI-5715 | June 08, 2022 | Vulnerable 3rd Party Component: Spring framework. In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition. See: https://tanzu.vmware.com/security/cve-2022-22950. Upgraded the application to the patched Spring-core version (5.3.18). |
| 10.12.0.3 | SCI-5836 | June 08, 2022 | Vulnerable 3rd Party Component: busybox. BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. See: https://nvd.nist.gov/vuln/detail/CVE-2022-28391. Upgraded the application to the patched BusyBox version (1.36.0). |
| 10.12.0.3 | SCI-5838 | June 08, 2022 | Vulnerable 3rd Party Component: spring-core. In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive, which means that a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path. See: https://nvd.nist.gov/vuln/detail/CVE-2022-22968. Upgraded the application to the patched Spring-core version (5.3.19). |
| 10.12.0.3 | SCI-5839 | June 08, 2022 | Vulnerable 3rd Party Component: liquibase-core. Improper restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0. See: https://nvd.nist.gov/vuln/detail/CVE-2022-0839. Upgraded the application to the patched liquibase-core version (4.8.0). |
| 10.12.0.3 | SCI-5840 | June 08, 2022 | Vulnerable 3rd Party Component: jackson-databind. jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. See: https://nvd.nist.gov/vuln/detail/CVE-2020-36518. Upgraded the application to the patched jackson-databind version (2.13.2.2). |
| 10.12.0.3 | SCI-5842 | June 08, 2022 | Vulnerable 3rd Party Component: commons-beanutils. In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added, which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. However, PropertyUtilsBean did not use this BeanIntrospector by default. See: https://nvd.nist.gov/vuln/detail/CVE-2019-10086. Upgraded the application to the patched commons-beanutils version (1.9.4). |
| 10.12.0.3 | SCI-5843 | June 08, 2022 | Vulnerable 3rd Party Component: spring-webmvc, spring-beans and spring-web. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, that is, the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. See: https://nvd.nist.gov/vuln/detail/CVE-2022-22965. Upgraded the application to the patched spring-beans version (5.3.19). |
| 10.12.0.2 | SCI-5952 | May 16, 2022 | Changed the field name on the Signup Page (Basic and Advanced) from "Work email" to "Email". |
| 10.12.0.1 | SCI-5273 | May 02, 2022 | Update the Privacy Policy and Impressum. Updated the privacy policy (https://www.softwareag.com/en_corporate/privacy.html) and impressum (https://www.softwareag.com/en_corporate/impressum.html) links to the latest version. |
| 10.12.0.1 | SCI-5712 | May 02, 2022 | Security fix on 3rd party components (Spring-core). In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition. Refer to CVE-2022-22950 (Spring Expression DoS Vulnerability). Upgraded the application to the patched Spring-core version (5.3.18). |
| 10.12.0.1 | SCI-5798 | May 02, 2022 | Security fix on 3rd party components (Spring Security OAuth). Spring Security OAuth versions 2.5.x prior to 2.5.2 and older unsupported versions are susceptible to a Denial-of-Service (DoS) attack through initiation of the authorization request in an OAuth 2.0 client application. Refer to CVE-2022-22969 (Spring Security OAuth Denial-of-Service Vulnerability). Upgraded the application to the patched Spring Security OAuth version (2.5.2.RELEASE). |
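The two Spring data-binding entries above (SCI-5838 / CVE-2022-22968 and SCI-5843 / CVE-2022-22965) both turn on which bean properties a DataBinder will accept from request parameters. The version upgrade is the actual fix; the snippet below is an added example, not code from Software AG Cloud or from the Spring project, that shows why the case-sensitivity defect mattered: a deny-list written in one case only, beside the form that covers both cases of the first character at every nesting level. The class name BinderControllerAdvice is hypothetical; WebDataBinder.setDisallowedFields, @InitBinder and @ControllerAdvice are standard Spring Web MVC API.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Hypothetical class name. A @ControllerAdvice @InitBinder method runs for every
// controller in the application, so the deny-list is applied application-wide.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    @InitBinder
    public void restrictBinding(WebDataBinder binder) {
        // WEAK (on Spring Framework 5.3.0 - 5.3.18 / 5.2.0 - 5.2.20): patterns are
        // compared case-sensitively, so "class.*" rejects a parameter starting
        // with "class." but lets one starting with "Class." through to the bean.
        // String[] weakDenylist = {"class.*", "*.class.*"};

        // CORRECTED: list both cases of the first character, for the top-level
        // property and for every nested property in the path ("*.class.*" and
        // "*.Class.*"), so the deny-list holds on the unpatched versions too.
        String[] denylist = {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        binder.setDisallowedFields(denylist);

        // Where the form's fields are known, an explicit allow-list is the
        // stronger control; anything not named here is then never bound.
        // binder.setAllowedFields("name", "email");
    }
}
```

After the upgrade to Spring-core 5.3.19 the disallowedFields comparison no longer depends on case, so the single-case list would also hold; keeping both spellings costs nothing and still protects any module that has not yet moved off an older version. An allow-list (setAllowedFields) is the control to prefer wherever the accepted fields are known in advance, because it does not depend on enumerating every dangerous property path.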