Platform Server - 11.14.0 

Published on 2021-12-24 16:28:38
File
PlatformServer-11.14.0 (Build 34092).exe
Size
259.92 MB
Assets
Installation Checklist EN
InstallationChecklist-EN-11.14.0.html
 MB
Installation Checklist JP
InstallationChecklist-JP-11.14.0.html
 MB
Information

Compatibility
  • Compatible with Development Environment 11, versions 11.0.109.0 or later.
  • Can be managed by LifeTime 11, Release Sep.2019 or later
Additional Resources For further information on any issues, use the Support Portal.

NOTICE: OutSystems does not give support to any undesirable behavior you may experience due to the use or manipulation of undocumented components of the OutSystems platform, such as, internal JavaScript, RuntimePlatform library, database system meta-model, components in installation directories, etc.
When upgrading the Platform Server from OutSystems 10 to this version, a known issue in the system components installation prevents the upgrade from succeeding. We advise customers upgrading from OutSystems 10 to OutSystems 11 to upgrade first to 11.13.1 or wait for the next release.
Release Notes

New in Platform Server 11.14.0

Bug Fixing

  • Fixed data vulnerability due to excessive logging. CVSSv3.1 score 4.4 (Medium). (RPM-1093)
  • Fixed a broken access control vulnerability in some buttons of Service Center. CVSSv3.0 score 5.4 (Medium). (RPM-1584)
  • Fixed a security issue that could allow users to view Application details in Service Center to which they don't have permissions. Only affects environments not connected to LifeTime. CVSSv3.1 score 4.3 (Medium) (RPM-1804)
  • Fixed multiple cross-site scripting (XSS) vulnerabilities in Popup_Editor, Popup_EditorForUpload, or Popup_EditorVanilla titles. CVSSv3.1 score 3.1 (Low) (RPM-447)
  • Fixed a security vulnerability on an internal Service Center API permission requirement. CVSSv3.1 score 6.3 (Medium). (RPM-747)
  • Fixed a security issue that could lead to session fixation problems. CVSSv3.1 score 5.4 (Medium). (RPM-966)
  • Breaking Change

    • The title of the Popup_Editor, Popup_EditorForUpload, and Popup_EditorVanilla is now encoded to prevent cross-site scripting (XSS) attacks. This may cause it to appear garbled in very specific scenarios.
      Check OutSystems 11 side effects and breaking changes for more details on the breaking change and a possible workaround.

    Known Issues

    • This Platform Server version suffers from an issue where factories with more than 1000 application permissions have their platform users (e.g. LifeTime, Service Center and Service Studio) losing permissions over the applications of an environment. This issue was introduced with Platform Server 11.14.0 and has been mitigated in Platform Server 11.16.0.

    More details

    RPM-1024
    Fixed the validation of user Roles in Reactive Web Apps to ensure this step is performed only after loading the Roles information from the server.
    Application Runtime

    Fix Details:
    When the Single Sign-On Between App Types feature is on, end users performing the login on a Traditional Web App and then moving to a Reactive Web App might be redirected to the Invalid Permissions Screen, if the Default Screen is more restricted than the Registered Role.

    RPM-1041
    Fixed an issue when consuming a SOAP Web Service with HTTP transport binding.
    Application Runtime Logic Execution

    Fix Details:
    When consuming a SOAP Web Service, the expected protocol transport element was not being fetched correctly. This happened specifically for the "http://www.w3.org/2003/05/soap/bindings/HTTP/” transport element.

    RPM-1075
    Now, using DbCleaner API to delete a multi-tenant entity, event entity, or a multilingual static entity, also deletes the database objects associated with those entities.
    Application Runtime System Components

    Fix Details:
    When deleting an entity using the DbCleaner API several database objects associated with the entity weren't deleted. This issue occurred in the following cases:

    • Deleting a static entity containing translations, kept the multilingual tables and views.
    • Deleting an entity containing events, kept the event related tables.
    • Deleting a multi-tenant entity, kept the tenant views.
    Now, when deleting these entities, DbCleaner deletes the associated database objects.

    RPM-1093
    Fixed data vulnerability due to excessive logging. CVSSv3.1 score 4.4 (Medium).
    Infrastructure Management Platform Installer

    Fix Details:
    Fixed an SSRF vulnerability that could cause information exposure through log files. To protect our customers, we're not providing further details on this fix.

    RPM-1115
    Fixed an issue that was blocking the activation/deactivation of Timers in cloned modules.
    Application Lifecycle Service Center

    Fix Details:
    When trying to Activate/Deactivate a Timer of a module in the Service Center console, the operation has no effect and the NextRun value remains unchanged, although the feedback message confirms the change. This issue occurred only for modules that were cloned from modules with Timers.

    RPM-1118
    Fixed an issue that could cause incorrect code generation for SQL nodes with expand inline parameters in Oracle databases, after upgrading the Platform Server component to 11.12.0 or later.
    Publish Operation Compilation

    Fix Details:
    When upgrading an environment using an Oracle database to Platform Server 11.12.0 or later, the System Components installation failed with an HTTP NotFound error. After that, when trying to open the Service Center console, you would get ORA-00903 and ORA-00936 errors. Any use of expand inline parameters in SQL nodes would result in application errors. This issue only happened in some specific scenarios.

    RPM-1125
    Fixed an issue that could cause modules to have outdated dependencies after a Platform Server upgrade.
    Service Studio References

    Fix Details:
    After upgrading from a Platform Server version prior to 11.10.0 to Platform Server 11.10.0 or later, performing the Apply Settings operation before republishing the applications would cause modules with renamed or deleted Site Properties to be outdated. This issue could cause the application to be unavailable.

    RPM-1177
    The Roles screen of the Users application is now correctly listing only the end users having that role.
    Application Lifecycle Users

    Fix Details:
    In the Users application, when selecting a specific Role to see its details, you should see the list of end-users with that role. Instead, the screen listed all end-users in the environment.

    RPM-1190
    Fixed an issue that could cause incorrect code generation for SQL nodes with expand inline parameters in SQL Server databases, after upgrading the Platform Server component to 11.12.0 or later.
    Publish Operation Compilation

    Fix Details:
    When upgrading an environment using a SQL Server database to Platform Server 11.12.0 or later, the System Components installation failed with an HTTP InternalServerError. After that, when trying to open the Service Center console, you would get query execution errors. Any use of expand inline parameters in SQL nodes would result in application errors. This issue only happened in some specific scenarios.

    RPM-1198
    Fixed an error when publishing the System Components solution during the upgrade to Platform Server 11.12.0 or later caused by producer modules not being prepared.
    Infrastructure Management Platform Configuration

    Fix Details:
    When upgrading the Platform Server component to version 11.12.0 or later, publishing the System Components fails with the error "Old Producer: Producer module 'EnterpriseManager' hasn't been prepared for the the current OutSystems environment version". This error occurred only while upgrading environments that were originally created with very early Platform Server versions, having the effective User Provider of the Users module set to the Enterprise Manager deprecated module. As the Enterprise Manager module is not included in the solution anymore, the publishing failed.

    RPM-1260
    Fixed an issue that prevented Timers, Emails, and Processes from running after changing the name of the Server.
    Application Runtime Processes

    Fix Details:
    When changing the name of a registered front-end Server, a new Server record is automatically registered in the Service Center console after restarting the OutSystems Deployment service. This operation was lacking the update of the Timers, Processes, and Emails executed by that Server to reference the new record. This issue has been solved, and all references are now updated to match the new Server record when the Server name changes.

    RPM-1272
    Fixed the "Unable to find the specified file" error when publishing the System Components solution during a Platform Server upgrade.
    Publish Operation Compilation

    Fix Details:
    When publishing the System Components solution during a Platform Server upgrade, the following error is thrown for each module of the solution: "An error occurred in task 'Building Oml with Empty Proxies for espace [module_name]': Unable to find the specified file". This issue would happen because the user associated with the OutSystems Deployment Controller service lacked the permissions to create symbolic links.

    RPM-1296
    Fixed an issue that could cause a timeout when publishing the Service Center component through the Configuration Tool using an Oracle database.
    Publish Operation Compilation

    Fix Details:
    For some specific Oracle versions, the database engine is not choosing the most efficient plan to execute a specific query that runs during the compilation phase when using the default IntrospectionMethod key value defined in the Server.hsconf file. This was causing a timeout when publishing the Service Center component through the Configuration Tool.

    RPM-1325
    Fixed an error when publishing the Service Center component during a Platform Server installation or upgrade using an Oracle database. This error occurred only when the user OSADMIN had no permissions to execute the DBMS_RANDOM Oracle package.
    Infrastructure Management Platform Configuration

    Fix Details:
    While installing or upgrading the Platform Server in environments using an Oracle database, the publishing of the Service Center component failed with a "Could not create foreign key constraint." error. The issue only occurred in environments where the DBMS_RANDOM Oracle package was removed from the Public user group, resulting in the lack of permissions for the user OSADMIN to execute that package.

    RPM-1374
    Fixed the "Error getting publication state" error when publishing the System Components solution during a Platform Server upgrade.
    Infrastructure Management Platform Configuration

    Fix Details:
    When upgrading the Platform Server component, publishing the System Components failed with the error "Error getting publication state". This was an issue when the Configuration Tool retrieves information from the Server.API and it's now fixed.

    RPM-1420
    Fixed application deployment issues when Dynatrace was enabled in the environment.
    Publish Operation Deployment stage

    Fix Details:
    The Dynatrace tool injects customized code in some platform internal files, causing the OutSystems Deployment service to fail the integrity check after publishing a module. Having this tool enabled prompted the OutSystems Deployment service into error state and application deployments to fail with the error "Deployment failed: Ping validation failed".

    RPM-1421
    Fixed an issue that led to 404 Traditional Web app screens using an SEO Page Rule that started with "rest".
    Application Runtime SEO Friendly URLs

    Fix Details:
    The issue led to a 404 when accessing screens that used an SEO Page Rule. This issue occurred when using Platform Server version 11.12.1 or later and affected Traditional Web app screens using SEO Page Rule with a URL Pattern that started with "rest".

    RPM-1456
    Updated the installation checklist instructions for integration with IBM Db2 databases.
    Infrastructure Management Platform Installation Checklist

    Fix Details:
    In environments with integration with IBM Db2 databases, attempting to access the Db2 database after installing the Platform Server resulted in the error “The ConnectionString property is invalid“, with error stack “Unable to load DLL ‘cwbdc.dll’". This happens because IBM i Access for Windows has been replaced by IBM iAccess Client Solutions (ACS), therefore the required file "cwbdc.dll" is not installed anymore when following the previous installation checklist instructions. The checklist was updated to provide the correct instructions for integration with IBM Db2 databases.

    RPM-1522
    Fixed the error "ORA-01489: result of string concatenation is too long" when publishing a module with an Action which description exceeds 4000 bytes. This issue occurred only in Oracle databases.
    Publish Operation Compilation

    Fix Details:
    Starting from Platform Server 11.0.422.0, the Action's description is saved in the database with a limit of 2000 characters, which represents a maximum of 4000 bytes in Oracle databases. This issue occurred when the description of an Action had less than 2000 characters, but more than 4000 bytes, which can happen, for example, for Japanese characters. In this scenario, publishing the module resulted in the error "ORA-01489: result of string concatenation is too long".

    RPM-1526
    Fixed an issue that caused third-party components that used click events to not work as expected in PWA Mobile apps.
    Application Runtime Interface

    Fix Details:
    The issue caused third-party components that used click events to not work as expected. This occurred in Mobile apps distributed as PWAs. The issue no longer occurs after the removal of the FastClick.js from Mobile apps.

    RPM-1561
    The Configuration Tool no longer proceeds with the Apply and Exit operation if the Platform Administrator password is empty.
    Infrastructure Management Platform Configuration

    Fix Details:
    In environments using Windows Authentication, when you open the Configuration Tool the passwords are empty, which is the expected behavior. However, when clicking the Apply and Exit button, the Configuration Tool would execute the apply operation and attempt to connect with the database. In some cases, the failed login attempt to the database could lock the account.

    RPM-1575
    Fixed the Test Connection validation in the Configuration Tool when using Windows Authentication.
    Infrastructure Management Platform Configuration

    Fix Details:
    In environments using Windows Authentication, using the Test Connection returned a successful result when using an incorrect password.

    RPM-1584
    Fixed a broken access control vulnerability in some buttons of Service Center. CVSSv3.0 score 5.4 (Medium).
    Application Lifecycle Service Center

    Fix Details:
    In the tenant details of a module, the Timers tab was not properly validating the user permissions. It could allow an IT user to run timers without the proper permissions. The permissions are now properly validated.

    RPM-1608
    The Platform Server installer no longer installs .Net Core 2.1.
    Infrastructure Management Platform Configuration

    Fix Details:
    As of Platform Server 11.12.2, .NET Core 3.1 Runtime & Hosting Bundle for Windows is part of the system requirements, replacing the previously used .NET Core 2.1, which is no longer supported. However, the installer of Platform Server 11.13.0 or later installed both versions. Removing the .NET Core 2.1 from the environment after the Platform Server installation would cause some OutSystems services to fail.

    RPM-1623
    Fixed an issue that cause Reactive Web Apps to show a blank screen when opening them through a URL with a hash (#).
    Application Runtime Mobile Application Update

    Fix Details:
    The issue caused screens to show a blank screen when the screen URL included a hash (#). This occurred in Reactive Web apps in environments with the SEO-friendly URLs for Reactive Web Apps technical preview enabled.

    RPM-1644
    Fixed the "c is not a function" runtime error occurring on some occasions for Reactive Web Apps and Mobile Apps distributed as a PWA after a Platform Server upgrade.
    Publish Operation

    Fix Details:
    After upgrading from a Platform Server version prior to 11.12.0 to Platform Server 11.12.0 or later, the runtime error "c is not a function" would sometimes occur for Reactive Web Apps and Mobile Apps distributed as a PWA. This issue was related to the Modified Date of the Client Runtime resources, which is set by the npm package manager with the same pre-defined date for any client runtime bundle. This was preventing IIS to detect the need to update the cache, serving old client runtime bundles instead.

    RPM-1677
    Changes to REST APIs or SOAP Web Services settings executed via Service Center on the module's Integrations tab are now recorded in the General Log.
    Application Lifecycle Service Center

    Fix Details:
    There was no logging information in the General Logs when changing the settings of REST APIs or SOAP Web Services via Service Center on the module's Integrations tab. This issue had a low impact on OutSystems Sentry environments, as they include compliant level auditing on request.

    RPM-1684
    Link widgets that match the current screen are now correctly added the "active" CSS class.
    Application Runtime Interface

    Fix Details:
    In Reactive Web and Mobile apps, Link widgets that pointed to the current screen weren't set with the "active" CSS class. For example, this meant that a link in the menu that pointed to the current screen wasn't highlighted. This issue occurred in environments using Platform Server version 11.12.0 or higher.

    RPM-1804
    Fixed a security issue that could allow users to view Application details in Service Center to which they don't have permissions. Only affects environments not connected to LifeTime. CVSSv3.1 score 4.3 (Medium)
    Application Lifecycle Service Center

    Fix Details:
    *Symptoms* *How to reproduce*

    RPM-1917
    Removed the service account that was causing errors during publication of System Components in environments with Active Directory authentication configured.
    Infrastructure Management Platform Configuration

    Fix Details:
    The process of installation of System Components fails with HTTP error code 400 due to a misconfiguration of the ConfigurationTool_OperationsSA system account

    RPM-1923
    Fixed several missing logs in Service Center (e.g. Error and General logs).
    Application Lifecycle Service Center

    Fix Details:
    On new Oracle installations with 11.14.0.33133 have no logs available in Service Center screens. On upgraded platform versions the log rotations will not work correctly, so only old weeks will be available once the logs rotate. Request event log tables are not affected by this issue.

    RPM-2022
    Fixed issues that occurred when clicking "Apply and Exit" in the Configuration Tool after changing database configurations.
    Infrastructure Management Platform Configuration

    Fix Details:
    *Symptoms* When changing database configuration is Configuration Tool and clicking ‘Apply and Exit’, this results in database or connection string errors. The error stack trace mentions get_NodeAwareSettingInConfigFilesFT() and PlatformSettings.isServiceConfigSetting. *How to reproduce* * Change the password of the OutSystems users. It should be enough to change the Administrator and Runtime user passwords. * Open Configuration Tool, update the password fields with the newly defined passwords and click ‘Apply and Exit’ Configuration Tool should use the new credentials and run without errors, but instead an error similar to mentioned above will be returned.

    RPM-447
    Fixed multiple cross-site scripting (XSS) vulnerabilities in Popup_Editor, Popup_EditorForUpload, or Popup_EditorVanilla titles. CVSSv3.1 score 3.1 (Low)
    Application Runtime System Components

    Fix Details:
    The titles of the widgets Popup_Editor, Popup_EditorForUpload, and Popup_EditorVanilla were not encoded by default, making them vulnerable to cross-site scripting attacks. The Title property is now encoded however, this may introduce a breaking change. Find more information about this breaking change here.

    RPM-478
    Fixed an issue that caused Entity_DropTable and Attribute_DropColumn actions of DbCleaner API to throw an ORA-00942 error when dropping entities or attributes in modules created in Oracle database schemas other than the main one.
    Application Runtime System Components

    Fix Details:
    Fixed an issue that caused an ORA-00942 error to show after dropping entities or attributes using DbCleaner API. This occurred when using an Oracle platform database and after using Entity_DropTable and Attribute_DropColumn actions with modules created in schemas other than the (Main) schema. Even after the ORA-00942 error, the entities or attributes were dropped. Now, the error is not shown after successfully dropping the entities or attributes.

    RPM-542
    Now, it's not possible to delete the active External Authentication Provider plugin.
    Application Lifecycle LifeTime

    Fix Details:
    Fixed an issue that prevented IT users from logging in environments or infrastructures while using a custom External Authentication Provider plugin. This occurred after deleting the active Authentication Provider plugin, and prevented the activation of the OutSystems Built-In Authentication in LifeTime. Now, it's not possible to delete the active External Authentication Provider plugin.

    RPM-546
    Fixed an issue that caused timeout when accessing the solution publish screen when the publish report has a very high number of messages.
    Application Lifecycle Service Center

    Fix Details:
    The issue prevented publishing a solution, due to a timeout in the solution publish screen that made it impossible to select 'Continue' button to proceed with the publish. This issue occurred when publishing large solutions.

    RPM-593
    Fixed the error message returned when publishing a module after trying to modify the length of a Text Id attribute of an Entity.
    Publish Operation Compilation

    Fix Details:
    The attempt of modifying the length of an Entity's Id attribute with Text data type can result in errors due to limitations on the database engine side. In those scenarios, the error message returned by the platform when publishing the module could be misleading and sometimes incorrect.

    RPM-714
    Fixed an issue blocking the external authentication of IT users using then AD authentication provider when using multiple deployment zones and not having the System Components deployed in the Default zone. Improved also the error message shown in this scenario.
    Application Lifecycle Users

    Fix Details:
    In an environment with multiple deployment zones where the System Components are not deployed in the Default zone, activating the AD authentication provider (ADAuthProvider) would result in the following error: "Test failed: Module must be available for all front ends (in global zone)". This issue prevented the activation of AD authentication for IT users. Also, the error message was misleading.

    RPM-741
    As a security improvement, extensions are no longer automatically recompiled on upgrade.
    Infrastructure Management Application Server

    Fix Details:
    Compilation during extension upgrades allows arbitrary code to be executed remotely in the server. This vulnerability has been classified as Critical with a cvss score of 9.1

    RPM-747
    Fixed a security vulnerability on an internal Service Center API permission requirement. CVSSv3.1 score 6.3 (Medium).
    Application Lifecycle Service Center

    Fix Details:
    Service Center APIs used by Service Studio to create and delete apps would allow deleting system modules when they shouldn't. Deleting system modules can impact a running environment, ultimately causing misbehaviors or unavailability. The internal APIs were hardened and no longer allow deleting system modules.

    RPM-754
    Fixed an issue that prevented DbCleaner API to delete attributes of multitenant database views.
    Application Runtime Public APIs

    Fix Details:
    Using the Attribute_DropColumn of DbCleaner API to delete an attribute of a multitenant entity would return the error: "Error executing query. View or function has more column names specified". The DbCleaner API now properly deletes the attribute.

    RPM-768
    The actions Entity_DropTable and Attribute_DropColumn from DbCleaner API now have a success output indicating if the drop operation was performed or not.
    Application Runtime System Components

    Fix Details:
    In the scenario of active columns and entities, the actions Entity_DropTable and Attribute_DropColumn from DbCleaner API don't perform the drop operation. However, no feedback was being returned about the effectiveness of the operation.

    RPM-939
    Fixed an issue that was causing Service Center to throw an error when exporting to excel the Screen Requests logs filtered by Application.
    Application Lifecycle Service Center

    Fix Details:
    When trying to Export to excel the Screen Requests logs from the Service Center, if the logs were filtered by any Application, the following error would be thrown: "There was an error while exporting data. Redefine log filters to retrieve less data and try again."

    RPM-945
    Fixed an issue that could cause modules to have outdated dependencies after a Platform Server upgrade.
    Application Runtime Data Access and Manipulation

    Fix Details:
    After upgrading from a Platform Server version prior to 11.10.0 to Platform Server 11.10.0 or later, performing the Apply Settings operation before republishing the applications would cause modules with renamed or deleted Site Properties to be outdated. This issue could cause the application to be unavailable.

    RPM-952
    Fixed an issue that occurred in Reactive Web apps and that prevented clearing an invalid value from a Text, Phone, or Email variable.
    Application Runtime Interface

    Fix Details:
    The issue prevented clearing the value of a Text, Phone, or Email variable in Reactive Web apps. This occurred if the value was invalid with Form.Valid runtime property set to False.

    RPM-966
    Fixed a security issue that could lead to session fixation problems. CVSSv3.1 score 5.4 (Medium).
    Application Runtime Authentication and Authorization

    Fix Details:
    In certain situations there is session fixation validations made on recent logins.

    RPM-977
    Fixed the warning "Resource Not Versioned" when deploying Reactive Web Apps.
    Publish Operation Deployment stage

    Fix Details:
    When deploying Reactive Web Apps, the staging report included the following warning for some Reactive Web modules: "Resource Not Versioned: The resource [resource_file] of the producer module [module_name] was not found in the application cache. Please republish [module_name] to prevent runtime errors". This issue had no impact on the running applications.

    Silk UI Framework Simulation Device
    Resize the window to preview the page in target devices.
    Open the settings to change the simulation device options.