i-net Clear Reports

Overview

  • Memory management for systems with a large heap (>= 4 GB) was improved
  • The version number of plugins now consists of 3 parts
  • The plugin “Web Server Defender” was added; it protects against DoS attacks and brute-force account attacks
  • The cookie attribute “SameSite” can now be set. The default value is Lax
  • The search bar and ticket views now also support an OR search with the keywords “or”, “||” and “|”
  • Embedded web pages now also support linking (redirecting) to web pages. Additional rights management is based on “users and groups” memberships

Security

  • Jetty version updated because of:
    • CVE-2020-27216
      • In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2, on Unix-like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary subdirectory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race, they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability
    • CVE-2020-13956
      • Apache HttpClient versions prior to 4.5.13 and 5.0.3 can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution
    • CVE-2020-27218
      • In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request
    • CVE-2020-27223
      • In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values
  • Guava version updated to 30.1 because of CVE-2020-8908
    • A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on Unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory(), which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured
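The following is an added example, not code from i-net Clear Reports or from Guava, showing the migration the CVE-2020-8908 advisory recommends: java.nio.file.Files.createTempDirectory() with an explicit owner-only (700) permission set in place of the deprecated Guava call, plus a check that the resulting directory is not readable by other local users. The class name SecureTempDir and the prefix "report-" are assumptions; it targets Unix-like systems, which is the case the advisory describes.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class SecureTempDir {

    // Replacement for the deprecated com.google.common.io.Files.createTempDir():
    // the directory is created atomically with owner-only (rwx------ / 700)
    // permissions, so there is no window in which another local user can read
    // or enter it. On a non-POSIX file system (e.g. Windows) the permission
    // attribute is not supported and this call throws UnsupportedOperationException.
    public static Path createPrivateTempDir(String prefix) throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(ownerOnly);
        // Honours java.io.tmpdir, so pointing that property at a suitably
        // protected location (the advisory's other option) also applies here.
        return Files.createTempDirectory(prefix, attr);
    }

    // Defensive check for an existing directory: true if group or others hold
    // any permission bit, i.e. the directory is shared with other users.
    public static boolean isSharedWithOtherUsers(Path dir) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
        for (PosixFilePermission p : perms) {
            if (p != PosixFilePermission.OWNER_READ
                    && p != PosixFilePermission.OWNER_WRITE
                    && p != PosixFilePermission.OWNER_EXECUTE) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        Path dir = createPrivateTempDir("report-");
        System.out.println(dir + " shared with other users: " + isSharedWithOtherUsers(dir));
        Files.delete(dir);
    }
}
```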
  • Cron-utils updated to version 9.1.3 because of https://nvd.nist.gov/vuln/detail/CVE-2020-26238
  • Security Update for CVE-2020-1967
    • Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the “signature_algorithms_cert” TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL versions 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f)
  • Security Update for CVE-2021-20328
    • Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability, in combination with an active MITM attack from a privileged network position, could result in interception of traffic between the Java driver and the KMS service, rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don’t use Field Level Encryption

Authentication

New Features / Improvements

  • Generic OpenID Connect (OIDC) authentication provider added
  • Azure OpenID Connect (OIDC) authentication provider added

Fixed Bugs

  • The permission check for the WebAPI did not work in connection with the default Windows Authentication

SDK

New Features / Improvements

  • Sample plugin for Custom OAuth provider added

Task Planner

New Features / Improvements

  • A new Task Planner job was added that determines the free disk space in the working directory and in the cache and persistence directories. A threshold for minimum available disk space can be defined to trigger actions when not enough disk space is left

Fixed Bugs

  • Triggering of the time-trigger interval 'Two Weeks' was in the wrong week at the beginning of a new year

Help Pages

Fixed Bugs

  • The rare error “RejectedExecutionException: Thread limit exceeded replacing blocked worker” occurred in the help pages

© Copyright 1996 - 2021, i-net software; All Rights Reserved.