Recently, two issues were brought to our attention that we have addressed with in-line updates to DataFlex 18.x. Other than the information below, there are no changes to these releases.
1. Windows 10 Creators Update Bug
As part of the Windows 10 Creators Update, Microsoft introduced an operating system bug that halts program execution when using the GetWindowLong function to retrieve information from a window that is not processing its message queue. This bug is not DataFlex specific, it was reported to Microsoft using test programs written in C.
Microsoft has acknowledged this bug and has stated their intention to address it in a future Windows 10 update. To respond to this issue in the shortest possible time for the benefit of our developers, we have created a work around in DataFlex for this operating system bug. We eliminated the use of the GetWindowLong call during initialization as it was a legacy technique to look for other DataFlex instances that is no longer used. This workaround is implemented in the DataFlex Virtual Machine (runtime) component (vdfvm18.dll).
2. Web Services Updates
DataFlex developer Raphael Theiler identified the potential for External XML Entity Injections (XXE) and exponential entity expansions to be exploited in DataFlex Web Services. We confirmed his findings and have addressed both vulnerabilities in an update to our Web Services engine.
During the same time period, we discovered that sending HTTP POST requests without a body to a JSON web service could cause a crash and have hardened Web Application Server against that scenario.
There are three changes in the update to the DataFlex Web Application Server Web Service Endpoint (waswsvc.dll) to address these issues.
- Fix for XXE vulnerability of web services parser
- Fix for exponential entity expansion vulnerability of web services parser
- Fixed a bug where HTTP POST requests without a body to a JSON Web Service would cause a crash
Updates are available now...
The new components have been published for DataFlex 18.2 (original release date of July 2016).
As an alternative, a ZIP file (DataFlex18.2Update.zip) that contains the two changed components that can be applied to existing installations.
Data Access Worldwide Recommends...
For DataFlex 2016/18.2, we recommend uninstalling version 18.104.22.168 and then installing the updated DataFlex 22.214.171.124. If you elect to update your environments with the DataFlex18.2Update.zip file, follow the instructions included in the ZIP.
The updated DataFlex 126.96.36.199 installations also contain the latest SQL Drivers (188.8.131.52) and related documentation. If you apply the virtual machine and web services updates manually with the DataFlex18.2Update.zip file, we recommend updating to the latest SQL drivers at the same time. You can obtain the SQL Driver update at: https://www.dataaccess.eu/resources/downloads/download-category/download-subcategory-842?dagapsg=80