Help
{{sidenavigation.sidenavigationExpandLabel}}
{{banner.text}} {{banner.linkText||banner.linkHref}}
{{getMsg('Help_YouAreHere')}}: {{page.title}} {{page.title}}
{{$root.getMsg("downLoadHelpAsPdf")}} {{helpModel.downloadHelpPdfDataStatus}}

System CoreActive

The following information is derived from the plugin description.

The System Core represents the most vital, internal component, required to start the underlying application.

It is responsible for loading the plugins, tying every aspect of the application together - allowing a broad flexibility for applications based-up on the System Core.

Besides bootstraping a specific application, such as i-net Clear Reports, i-net PDFC, i-net HelpDesk and i-net CoWork, it includes a Recovery Manager and standalone Help Application (both require additional plugins).

Migration Information

Migration to Version 24.4

  • The minimum required Java version is Java 17.
  • The JWebEngine.jar has been removed and is now replaced by the htmlengine plugin. This is a core plugin and must be included in the plugins directory at all times. Otherwise the server is not going to start.

Migration to Version 23.10

  • The version 23.10 is the last version that supports:
    • Java 11
    • Jakarta EE 8 application server
    • Servlet Specification 3.1
    • WebSocket 1.1

Migration to Version 23.4

  • The Docker Containers have been updated to run with a restricted user instead of the root users.
    • The new restricted users id and group id are 1000.
    • Host mounted volumes have to be updated to reflect the new user and group id manually.
    • Host mounted volumes mount points of the users home directory have to be updated from /root to /home/<username>. The <username> is determined using the whois command in the container
    • Additional information is available from our FAQ: https://faq.inetsoftware.de/t/upgrading-to-user-restricted-docker-container/277

Changelog Information

Changes in version 24.10

  • The bundled Eclipse Temurin Java VM was updated to version 21.0.5.
  • Docker Images are available for amd64 as well as arm64v8 platforms. That means that pulling an image by it's tag will automatically load a platform specific docker image.
  • Remote Recovery can also be used via HTTPS if it is configured in the server.
  • Supports the unequal search of phrases in quotation marks in the form: field:<>"text phrase".

Changes in version 24.4

  • The bundled Eclipse Temurin Java VM was updated to version 21.0.3.
  • Added support for Java version 22

Fixed Bugs

  • User search result entries will avoid displaying the same value in the top and bottom lines.

Security Fixes

  • System Permissions are enabled by default during new installations.
  • Security Update for CVE-2024-30172
    • An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.

Changes in version 23.10

  • When searching "Date field:<date", the day of the date is no longer included in the search result.
  • Added DynamoDB persistence property TablePrefix.
  • All web server responses with a status code of 400 or higher are stored in an additional event log. They can be checked with the statistics and diagnostics plugins.
  • The order of authentication providers without settings can be changed in the Configuration Manager.
  • Added security.txt configuration option. The content of this option will be sent to clients requesting the /.well-known/security.txt file.
  • The guest account no longer has administrative permissions for security reasons, even if there are no restrictions on permissions (systempermission.enabled=false). Administrative permissions of the guest account must be explicitly activated if required (guest.full.permissions=true).
  • Does not override the system property "javax.net.ssl.trustStoreType" if already set.

Fixed Bugs

  • Fixes broken Digist authentication with Chrome browser.

Security Fixes

  • Security Update for CVE-2023-35116
    • An issue was discovered jackson-databind thru 2.15.2 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.
  • Security Update for CVE-2018-1002208
    • SharpZipLib before 1.0 RC1 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
  • Security Update for CVE-2021-32840
    • SharpZipLib is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry ../evil.txt may be extracted in the parent directory of destFolder. This leads to arbitrary file write that may lead to code execution. The vulnerability was patched in version 1.3.3.
  • Security Update for CVE-2023-5072
    • Denial of Service in JSON-Java versions up to and including 20230618.  A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. 
  • Security Update for CVE-2023-44487
    • The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
  • Security Update for CVE-2023-22102
    • Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.1.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
  • Security Update for CVE-2023-34062
    • In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
    • Specifically, an application is vulnerable if Reactor Netty HTTP Server is configured to serve static resources.
  • Security Update for CVE-2024-25710
    • Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0.
  • Security Update for CVE-2024-22201
    • Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
  • Security Update for CVE-2023-51775
    • The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.
  • Security Update for CVE-2024-30172
    • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Changes in version 23.4

  • Eventlog entries are also written in Recovery Manager.
  • Configuration action in Login category added to reset authentication group members.

Security Fixes

  • Security Update for CVE-2022-36033
    • jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including javascript: URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default SafeList.preserveRelativeLinks option is enabled, HTML including javascript: URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable SafeList.preserveRelativeLinks, which will rewrite input URLs as absolute URLs - ensure an appropriate Content Security Policy is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)
  • Security Update for CVE-2020-13946
    • In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely.
  • Security Update for CVE-2022-42003
    • In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1
  • Security Update for CVE-2022-31684
    • Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP requests where logging at WARN level is enabled.
  • Security Update for CVE-2022-41946
    • pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either PreparedStatement.setText(int, InputStream) or PreparedStatemet.setBytea(int, InputStream) will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability.
  • Security Update for CVE-2021-37533
    • Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https:*issues.apache.org/jira/browse/NET-711.
  • Security Update for CVE-2022-23494
    • tinymce is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the image plugin, which presents these dialogs when certain errors occur. The vulnerability allowed arbitrary JavaScript execution when an alert presented in the TinyMCE UI for the current user. This vulnerability has been patched in TinyMCE 5.10.7 and TinyMCE 6.3.1 by ensuring HTML sanitization was still performed after unwrapping invalid elements. Users are advised to upgrade to either 5.10.7 or 6.3.1. Users unable to upgrade may ensure the the images_upload_handler returns a valid value as per the images_upload_handler documentation.
  • Security Update for CVE-2022-41915
    • Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling DefaultHttpHeadesr.set with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the DefaultHttpHeaders.set(CharSequence, Iterator<?>) call, into a remove() call, and call add() in a loop over the iterator of values.
  • Security Update for CVE-2023-22551
    • The FTP (aka "Implementation of a simple FTP client and server") project through 96c1a35 allows remote attackers to cause a denial of service (memory consumption) by engaging in client activity, such as establishing and then terminating a connection. This occurs because malloc is used but free is not.
  • Security Update for CVE-2023-24998
    • Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
  • Security Update for CVE-2022-45688
    • A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
  • Security Update for CVE-2022-45688
    • Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with " (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d" will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
  • Security Update for CVE-2024-30172
    • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Changes in version 22.10

  • Installer for macOS using Apple Silicon is available
  • The bundled Eclipse Temurin Java VM is version 17.0.13
  • Added support for DynamoDB persistence
  • Added support for the HTTP header Forward (RFC 7329) for use with reverse proxies.
  • Database Persistence accepts any configuration scope (USER or SYSTEM) and can also run as a non-root account.

Security Fixes

  • Added option to disable the "Stay logged in" feature for all users.
  • Security Update for CVE-2020-36518
    • jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
  • Security Update for CVE-2022-24823
    • Netty is an open-source, asynchronous event-driven network application framework. The package ''io.netty:netty-codec-http'' prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own ''java.io.tmpdir'' when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
  • Security Update for CVE-2021-23792
    • The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 are vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when an online profile picture is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, then the XXE vulnerability is triggered.
  • Security Update for CVE-2022-21363
    • Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
  • Security Update for CVE-2020-11023
    • In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
  • Security Update for CVE-2022-2191
    • In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths.
  • Security Update for CVE-2022-2047
    • In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
  • Security Update for CVE-2022-31160
    • jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling ''.checkboxradio( "refresh" )'' on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the ''label'' in a ''span''.
  • Security Update for CVE-2022-31197
    • PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the ''java.sql.ResultRow.refreshRow()'' method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. '';'', could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the ''ResultSet.refreshRow()'' method are not impacted. User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the ''refreshRow()'' method on the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. Patched versions will be released as ''42.2.26'' and ''42.4.1''. Users are advised to upgrade. There are no known workarounds for this issue.
  • Security Update for CVE-2022-31129
    • moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.
  • Security Update for CVE-2022-36033
    • jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including ''javascript:'' URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default ''SafeList.preserveRelativeLinks'' option is enabled, HTML including ''javascript:'' URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable ''SafeList.preserveRelativeLinks'', which will rewrite input URLs as absolute URLs - ensure an appropriate [[https:*developer.mozilla.org/en-US/docs/Web/HTTP/CSP|Content Security Policy]] is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)
  • Security Update for CVE-2022-42003
    • In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1
  • Security Update for CVE-2022-31684
    • Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP requests where logging at WARN level is enabled.
  • Security Update for CVE-2021-37533
    • Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https:*issues.apache.org/jira/browse/NET-711.
  • Security Update for CVE-2022-23494
    • tinymce is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the image plugin, which presents these dialogs when certain errors occur. The vulnerability allowed arbitrary JavaScript execution when an alert presented in the TinyMCE UI for the current user. This vulnerability has been patched in TinyMCE 5.10.7 and TinyMCE 6.3.1 by ensuring HTML sanitization was still performed after unwrapping invalid elements. Users are advised to upgrade to either 5.10.7 or 6.3.1. Users unable to upgrade may ensure the the images_upload_handler returns a valid value as per the images_upload_handler documentation.
  • Security Update for CVE-2022-41915
    • Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling DefaultHttpHeadesr.set with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the DefaultHttpHeaders.set(CharSequence, Iterator) call, into a remove() call, and call add() in a loop over the iterator of values.
  • Security Update for CVE-2023-24998
    • Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

Changes in version 22.4

  • The bundled AdoptOpenJDK 17 was updated to Eclipse Temurin Java VM 17.0.4.1.
  • Two factor authentication supported.
  • Prevent side load of plugins for wrong application version.
  • It is now supported to use Web-Push notifications.
  • MeetUp has grown up, is called i-net CoWork and is now also available as a separate product.

Fixed Bugs

  • Fixed a bug breaking the User Manager web interface if the country of the server is not valid.
  • Fixed a bug with searching digits and number data types which has produce the error: IllegalArgumentException: Empty left and right operand in search condition
  • Fixed a deadlock with OpenJ9 Java VM when starting the server via API.

Security Fixes

  • Fixed a thread bug that allowed a user to run single requests in another users security context.
  • Security Update for CVE-2021-37136
    • The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack.
  • Security Update for CVE-2021-37137
    • The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
  • Security Update for CVE-2020-21913
    • International Components for Unicode (ICU-20850) v66.1 was discovered to contain a use after free bug in the pkg_createWithAssemblyCode function in the file tools/pkgdata/pkgdata.cpp.
  • Security Update for CVE-2021-4126
    • No information available.
  • Security Update for CVE-2021-43797
    • Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
  • Security Update for CVE-2021-41182
    • jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector. A workaround is to not accept the value of the altField option from untrusted sources.
  • Security Update for CVE-2021-41183
    • jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML. A workaround is to not accept the value of the *Text options from untrusted sources.
  • Security Update for CVE-2021-41184
    • jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector. A workaround is to not accept the value of the of option from untrusted sources.
  • Security Update for CVE-2020-36518
    • jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
  • Security Update for CVE-2022-24785 and CVE-2022-31129
    • Upgraded library momentjs to version 2.29.4.

Changes in version 21.10

  • The bundled AdoptOpenJDK 11 was updated to version 11.0.15
  • Java 17 supported
  • Update of old versions is now limited. If you are using an unsupported old version, an update to an intermediate version is required
  • It is allowed to create a Let's Encrypt certificate with a callback to the HTTPS port. Problems with redirect to HTTPS and if the server runs only on HTTPS are solved
  • Added QR code to the error page, linking to a help page which may have further details
  • Different ports, configured in the configuration Web Server dialog, use different HTTP sessions
  • An error message occurred during setup if redirect to HTTPS is enabled
  • The plugins dialog in the configuration of the server was replaced by the Plugin Store

Fixed Bugs

  • Fixed embedded fonts for .NET viewer (error message: Could not create font with ID 1).

Security Fixes

  • Fixed a thread bug that allowed a user to run single requests in another users security context.
  • Security Update for CVE-2021-29425
    • In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like ''%%"//../foo", or "\..\foo"%%'', the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value
  • Security Update for CVE-2021-28165
    • In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame
  • Security Update for CVE-2021-28169
    • For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application
  • Security Update for CVE-2021-34428
    • For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
  • Security Update for CVE-2021-21409
    • Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final
  • Security Update for CVE-2021-31812
    • In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions
  • Security Update for CVE-2021-36090
    • When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package
  • Security Update for CVE-2021-35517
    • When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package
  • Security Update for CVE-2021-37714
    • jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes

Changes in version 21.4

  • Memory management for systems with a large heap (>= 4 GB) was improved
  • The version number of plugins now consists of 3 parts
  • The plugin "Web Server Defender" added to protects against DoS and account hacking using brute force
  • The cookie attribute "SameSite" can now be set. The default value is Lax
  • Search bar and ticket views now also support an OR search with the keywords "or", "||" and "|"
  • Embedded web pages now also supports the linking (redirect) of web pages. Additional rights management based on "users and groups" memberships
  • Generic OpenID Connect (OIDC) authentication provider added
  • Azure OpenID Connect (OIDC) authentication provider added
  • Sample plugin for Custom OAuth provider added

Fixed Bugs

  • OAuth authentication (Azure) with Safari browser was not possible
  • Permission check for the WebAPI has not worked in connection with the default Windows Authentication
  • URL was wrong after signup with any OAuth authentication provider like Azure and if a reverse proxy (like default.aspx for IIS) was used

Security Fixes

  • Jetty version updated because of:
    • CVE-2020-27216
      • In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability
    • CVE-2020-13956
      • Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution
    • CVE-2020-27218
      • In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request
    • CVE-2020-27223
      • In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of &#8220;quality&#8221; (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values
  • *Guava version updated to 30.1 because of CVE-2020-8908**
    • A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured
  • Cron-utils updated to version 9.1.3 because of ​https://nvd.nist.gov/vuln/detail/CVE-2020-26238
  • Security Update for CVE-2020-1967
    • Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f)
  • Security Update for CVE-2021-20328
    • Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server&#8217;s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don&#8217;t use Field Level Encryption
Version: 24.10.284 (2025-01-18)
i-net CoWork
This application uses cookies to allow login. By continuing to use this application, you agree to the use of cookies.


Help - System Core