Platform Server - 11.14.1

Published on 2022-02-23 19:37:21
File: PlatformServer-11.14.1 (Build 34445).exe
Size: 260.02 MB

Assets
Installation Checklist EN
InstallationChecklist-EN-11.14.1.34445.html
Installation Checklist JP
InstallationChecklist-JP-11.14.1.34445.html
Information

Compatibility
  • Compatible with Development Environment 11, versions 11.0.109.0 or later.
  • Can be managed by LifeTime 11, Release Sep.2019 or later.

Additional Resources
For further information on any issues, use the Support Portal.

NOTICE: OutSystems does not provide support for any undesirable behavior you may experience due to the use or manipulation of undocumented components of the OutSystems platform, such as internal JavaScript, the RuntimePlatform library, the database system meta-model, components in installation directories, etc.
Release Notes

New in Platform Server 11.14.1

Bug Fixing

Known Issues

  • This Platform Server version introduces an issue where IT users in factories with more than 1000 application permissions lose their permissions over the applications of an environment. This issue was introduced with Platform Server 11.14.0 and has been mitigated in Platform Server 11.16.0.

More details

RPM-1184
Fixed an error when publishing a module in Service Studio caused by a DLL file being locked by another process.
Publish Operation Compilation

Fix Details:
Publishing a module in Service Studio failed with the error "Internal Error: Cannot delete the file ''. Please check if a third-party program is using it and try again". Republishing the module would overcome the issue.

RPM-1240
Removed the "Republish all modules" step from the Installation Checklist for Oracle configuration.
Infrastructure Management Platform Installation Checklist

Fix Details:
The Installation Checklist of Platform Server 11.13.2 or later still included the step "Republish all modules" for Oracle configuration, although that step is not required anymore.

RPM-1263
Fixed an issue that prevented editing entity data in Service Studio when the module is published in a catalog different from the main catalog.
Service Studio Data Access and Manipulation

Fix Details:
For modules published in a catalog different from the main catalog, editing the entity data in Service Studio using the "View or Edit Data" option failed with the error "Invalid object name ''" for SQL Server or "ORA-00942 - Table or View does not exist" for Oracle databases.

RPM-1309
Fixed an issue that allowed updating non-editable fields in an Editable Table widget when saving the record with an open Date Picker. Applies to Traditional Web Apps.
Application Runtime Interface

Fix Details:
This issue occurs in Traditional Web Apps when using an Editable Table widget with the Date Picker UI Pattern. If the Date Picker is open when saving a new or updated record, the non-editable fields of that record become editable. It only happens for the specific record that was updated with the Date Picker open. Updating the record again with the Date Picker closed makes the field non-editable again.

RPM-1398
The default value of the session timeout for Reactive Web Apps now matches the default value of the session timeout for Traditional Web Apps (20m).
Application Runtime Authentication and Authorization

Fix Details:
When Single Sign-On Between App Types is enabled in Service Center, having different session timeout values for Traditional Web and Reactive Web applications can lead to a redirect loop during the authentication flow, preventing end users from using the applications.

RPM-1440
Fixed the error "ORA-00911: invalid character" occurring in the Configuration Tool when clicking "Create/Upgrade Database" for the platform or logging database. This error applies to Oracle installations in farm configuration.
Infrastructure Management Platform Configuration

Fix Details:
In Oracle installations, clicking the "Create/Upgrade Database" button in the Platform tab or in the Log tab would cause the error "ORA-00911: invalid character". This scenario occurred in installations with farm configuration.

RPM-1469
Fixed an issue causing the System Components installation to fail during upgrades in farm installations with a pure Deployment Controller setup.
Infrastructure Management Platform Installer

Fix Details:
This issue occurs when upgrading the Platform Server in farm installations having a pure Deployment Controller setup - only the Deployment Controller Service is enabled in the machine. In this scenario, the installation of the System Components through the Configuration Tool fails with the following message: "There was an error while contacting the server. HTTP not found".

RPM-1515
Fixed a configuration in Factory Configuration that could lead to DoS attacks. CVSSv3.1 score 5.3 (Medium).
Infrastructure Management Application Server

Fix Details:
*Symptoms*
A malicious user can send HTTP requests for a resource on a server using a request header called "Range". The "Range" header allows selecting a varying number of byte ranges from the resource that is being requested. So a single request can recover the entire content of the resource a hundred times, forcing a response with a considerable amount of data growing geometrically for every range requested. With a sufficient number of requests with many "Ranges", it is possible to coordinate a Denial of Service attack.

*How to reproduce*
Steps to replicate / Proof of Concept
  • Create an application in an OutSystems environment.
  • Open a browser (Firefox, for instance) and open the inspector/Developer Tools.
  • Turn off caching in the inspector/Developer Tools.
  • Click on the Network tab in the inspector and access the login page of the app (no need to log in).
  • Find a successful request in the network activity, manipulate the request, and resend it. In Firefox, right-click the request > Edit and Resend > add the Range header with the values seen in the screenshot above > click send.

If you compare the responses, you will notice the response to the request containing the Range header will have a larger size proportionate to the number of "0-" added to the Range header on the request.

There is also a video capture inside the https://outsystemsrd.atlassian.net/browse/VUL-232 explaining how to reproduce the problem using the Firefox browser. but
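
A server-side check for the multi-range pattern described above, as an added example that is not OutSystems code or part of the original release notes: it resolves a Range header against the resource size and flags requests whose ranges are too numerous or add up to more bytes than the resource itself. `MAX_RANGES`, `MAX_AMPLIFICATION` and the function names are assumptions chosen for illustration.

```python
import re

# Assumed policy values for illustration, not OutSystems or IIS settings.
MAX_RANGES = 5           # most byte ranges accepted in one request
MAX_AMPLIFICATION = 1.0  # requested bytes may not exceed 1x the resource size

_SPEC = re.compile(r"^(\d*)-(\d*)$")

def parse_ranges(header, size):
    """Resolve a 'bytes=' Range header (RFC 7233) into (first, last) pairs.

    Returns None when the header is malformed, so the caller can ignore it.
    Ranges that start beyond the end of the resource are dropped.
    """
    unit, _, specs = header.partition("=")
    if unit.strip().lower() != "bytes":
        return None
    resolved = []
    for spec in specs.split(","):
        m = _SPEC.match(spec.strip())
        if not m or m.groups() == ("", ""):
            return None
        first, last = m.groups()
        if first == "":                       # suffix form "-N": last N bytes
            if int(last) == 0:
                continue                      # "-0" selects nothing
            start, end = max(size - int(last), 0), size - 1
        else:
            start = int(first)
            end = min(int(last), size - 1) if last else size - 1
            if last and int(last) < start:
                return None                   # last position before first
        if start <= end:
            resolved.append((start, end))
    return resolved

def assess_range_header(header, size):
    """Return (verdict, requested_bytes, range_count) for one request."""
    ranges = parse_ranges(header, size)
    if ranges is None:
        return ("ignore", 0, 0)               # serve the full body instead
    if not ranges:
        return ("unsatisfiable", 0, 0)        # would be answered with 416
    total = sum(end - start + 1 for start, end in ranges)
    if len(ranges) > MAX_RANGES or total > size * MAX_AMPLIFICATION:
        return ("reject", total, len(ranges))
    return ("allow", total, len(ranges))
```

The `requested_bytes` value is also worth logging for rejected requests, since it shows how much larger than the resource the response would have been.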

RPM-1634
Fixed an error causing the Platform Server installation or upgrade to fail in environments with customized IIS Site Bindings.
Infrastructure Management Platform Installer

Fix Details:
When installing or upgrading the Platform Server component in an environment having customized IIS Site Bindings, the installer hangs in the last step, "Starting Microsoft Internet Information Services", and has to be terminated manually.

RPM-1675
SAML authentication is now more resilient to session variables issues during the logout operation.
Application Lifecycle Users

Fix Details:
When doing a logout operation, the end user sometimes is redirected to the IIS default page (for self-managed environments) or to Service Center (for OutSystems Cloud). The issue occurs because the value of the session cookie storing the destination URL after logout is lost. It happens intermittently and there is no service loss. Some browsers seem more susceptible to the occurrence.

RPM-1696
Fixed an XSS issue in the Label widget for Traditional Web Apps. CVSSv3.0 score 5.9 (Medium).
Application Runtime Interface

Fix Details:
In Traditional Web Apps, the Label widget was not escaped by default. This could lead to XSS code injection when using the widget with an expression.

RPM-1781
Fixed a security vulnerability that prevented non-body parameters of a consumed REST API from being redacted. CVSSv3.1 score 4.9 (Medium).
Application Runtime Logic Execution

Fix Details:
This issue caused the redaction of non-body parameters of a consumed REST API not to be applied when the Logging Level was set to Full or Troubleshoot.

RPM-1798
Fixed an issue that could cause a native app to receive the application manifest for the browser version and vice-versa.
Application Runtime

Fix Details:
The app is trying to fetch the .IDB.js files even when it is running in a native shell. This means that the app is receiving the wrong manifest.

RPM-1890
Fixed a memory leak occurring on each first request that is done on a module.
Application Runtime

Fix Details:
In environments running Platform Server 11.9.0 or later, the resources associated with the first request that loads a module in IIS are never released, adding extra constant memory overhead associated with each module loaded. The memory leak can be observed using debugger tools for Microsoft Windows, such as WinDbg.

RPM-1896
Fixed an issue when consuming a SOAP WSDL with an inheritance pattern.
Application Runtime Logic Execution

Fix Details:
Compilation failed with the error "Sequence contains no matching element" after the Platform upgrade to 11.13.2.

RPM-1942
Improved the performance of the LDAP actions in the Authentication extension, Authentication.xif, when using the LDAPS protocol.
Application Runtime Authentication and Authorization

Fix Details:
When using LDAP authentication, calls to LDAP actions of the Authentication.xif extension are very slow. Also, each LDAP action will cause the log message "Fallback to use user domain". This scenario occurs when using the LDAPS protocol.

RPM-1977
Improved the performance of IT users login operation using Active Directory authentication when there is a significant number of AD groups with specific configurations.
Application Runtime System Components

Fix Details:
When using Active Directory for IT users authentication, the login operation is very slow, affecting the access to the development tools, such as Service Studio. This situation can generate slow execution log entries of the Authentication.ActiveDirectory_GetAccountGroups action in the Extension logs. This happens when there is a significant number of groups in the Active Directory and the authentication configuration requires users to belong to specific AD group(s). The AD groups associated with users can now be cached, speeding up the login process.

RPM-1997
Fixed an error during a Platform Server major upgrade from version 10 to version 11.13.2 or 11.14.0 occurring in the preparation step of System Components dependencies.
Platform Installation

Fix Details:
When executing a major Platform Server upgrade from version 10 to version 11.13.2 or 11.14.0, the preparation step of System Components dependencies, running in the Configuration Tool, failed with the error "Value cannot be null". This issue prevents the upgrade operation to the indicated versions.

RPM-2006
Fixed performance degradation when running the platform database in some Azure configurations.
Application Runtime Data Access and Manipulation

Fix Details:
Self-managed environments with SQL Server platform database being hosted as an Azure Managed Instance would experience significant performance degradation on database access when running Platform Server 11.12.2 or later.

RPM-670
Fixed an issue causing the Server.Identity service to time out when getting refresh tokens from the database in Oracle.
Application Runtime Authentication and Authorization

Fix Details:
In Oracle environments, IT users are not able to log in to OutSystems tools, such as the Workflow Builder, Experience Builder, or Service Center. The issue is caused by a timeout of the Server.Identity service when the OSSYS_REFRESH_TOKENS database table has hundreds of thousands of records, preventing this service from providing a new access token to the tools.