LifeTime Management Console - 11.8.3

Published on 2021-03-03 16:04:14
Windows
File: LifeTimeWithPlatformServer-11.8.3 (Build 1010).exe
Size: 314.13 MB

Assets
  • Installation Checklist: InstallationChecklist-EN-11.8.3.1010.html (165.29 KB)
  • Swagger for LifeTime API: lifetimeapi-11.8.3.1010.json (124.03 KB)
Information

Compatibility
Can manage environments with:
  • Platform Server 10, versions 10.0.105.0 or later.
  • Platform Server 11, release Sep.2018 or later.
Additional Resources
For further information on any issues, use the Support Portal.

NOTICE: OutSystems does not give support to any undesirable behavior you may experience due to the use or manipulation of undocumented components of the OutSystems platform, such as, internal JavaScript, RuntimePlatform library, database system meta-model, components in installation directories, etc.
Release Notes

New in LifeTime Management Console 11.8.3

  • Improved the messages returned when an error occurs while using the LifeTime self-service VPN connection to OutSystems Cloud. (RCFT-5073)
  • LifeTime now enforces secure (HTTPS) connections with the managed environments. This will not be applied to infrastructures that already have registered environments using HTTP. (RLIT-3539)

Bug Fixing

  • Fixed a missing warning during the environment registration, when the environment being registered is already registered in another LifeTime. (RLIT-4312)
  • Fixed an issue that caused duplicated roles to be displayed in the environment registration screen. (RLIT-4313)
  • Fixed an issue that caused Team's unique key (GUID) to be lost when editing a Team in LifeTime user interface. (RLIT-4426)
  • Fixed an issue that caused LifeTime Analytics to start processing indefinitely when there are invalid events being collected from the monitored environments. (RLIT-4435)
  • Fixed an issue in LifeTime Analytics that caused request events generated by non-Traditional applications to be invalid. (RLIT-4439)
  • Improved the environment registration process for cloud infrastructures. (RPD-4820)
  • Platform users no longer impact the user pool. (RPM-597)
  • Fixed an issue in POST /users of LifeTime API v2 where the incorrect error code was returned. CVSSv3.1 score 4.3 (Medium). (RPM-684)
  • Fixed restrictions on LifeTime for unprivileged users. CVSSv3.1 score 4.3 (Medium). (RPM-707)
  • Fixed a security issue that could allow a brute force attack while changing passwords. CVSSv3.1 score 2.8 (Low). (RPM-727)
  • More details

    RPM-597
    Platform users no longer impact the user pool.
    Application Lifecycle LifeTime

    Fix Details:
    *Symptoms*
    When trying to register an environment on LifeTime, the customer gets the following error message: "Your license doesn't allow any more production environments. Please contact OutSystems Support"

    *How to reproduce*
    Try to register a new environment on LifeTime with the environment already registered on the Licensing portal.

    RPM-684
    Fixed an issue in POST /users of LifeTime API v2 where the incorrect error code was returned. CVSSv3.1 score 4.3 (Medium).
    Application Lifecycle LifeTime

    Fix Details:
    *Symptoms*
    It is possible to enumerate the users of an infrastructure via different reply messages from the LifeTime API with access-only permissions. This vulnerability was classified as Medium with a risk score of 4.3.

    *How to reproduce*
    Pre-requirements: Have a service account with access-only permissions.
    1. Make a request to the users API to create a new user with a username that already exists.
    2. Check that the reply will contain the message: Failed to create user ' ' because A user with username '{username}' already exists and the status code 400.
    3. Make a request to create a user with a username that does not exist.
    4. Note that the reply message will be: Failed to change user password because user has insufficient permissions. and status code 403.

    *Findings*
    Check the pictures in annex to this issue.

    *Impact*
    List users present on the infrastructure.

    *Reoccurrence Likelihood*
    Not likely.
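
A handler that looks up the username before checking the caller's permission produces the reply difference described in RPM-684. The following is an added example, not OutSystems code: the handler names, the `manage_users` permission and the sample directory are assumptions. It shows that ordering beside an authorize-first version, with a regression check that compares the two replies.

```python
from dataclasses import dataclass

MANAGE_USERS = "manage_users"        # hypothetical permission name
SAMPLE_USERS = {"alice", "bob"}      # constructed sample directory


@dataclass(frozen=True)
class Response:
    status: int
    message: str


def create_user_leaky(caller_perms, username, directory):
    """Existence is checked first, so any caller learns which names exist."""
    if username in directory:
        return Response(400, f"A user with username '{username}' already exists")
    if MANAGE_USERS not in caller_perms:
        return Response(403, "user has insufficient permissions")
    directory.add(username)
    return Response(201, "created")


def create_user_fixed(caller_perms, username, directory):
    """Authorization is decided before the directory is consulted."""
    if MANAGE_USERS not in caller_perms:
        return Response(403, "user has insufficient permissions")
    if username in directory:
        return Response(400, f"A user with username '{username}' already exists")
    directory.add(username)
    return Response(201, "created")


def leaks_existence(handler, caller_perms, known, unknown, directory):
    """Regression check: True when the replies for an existing and a
    non-existing username differ once the echoed name is masked."""
    def normalized(resp, name):
        return resp.status, resp.message.replace(name, "<name>")

    reply_known = handler(caller_perms, known, set(directory))
    reply_unknown = handler(caller_perms, unknown, set(directory))
    return normalized(reply_known, known) != normalized(reply_unknown, unknown)


if __name__ == "__main__":
    access_only = frozenset()        # caller without MANAGE_USERS
    for handler in (create_user_leaky, create_user_fixed):
        leaked = leaks_existence(handler, access_only, "alice",
                                 "no-such-user", SAMPLE_USERS)
        print(f"{handler.__name__}: leaks existence = {leaked}")
```
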

    RPM-707
    Fixed restrictions on LifeTime for unprivileged users. CVSSv3.1 score 4.3 (Medium).
    Application Lifecycle LifeTime

    Fix Details:
    LifeTime is not properly validating user permissions and is allowing access to information that is not meant to be presented to users with low privileges. This has been classified as a vulnerability with a Medium severity and base score of 4.3.

    RPM-727
    Fixed a security issue that could allow a brute force attack while changing passwords. CVSSv3.1 score 2.8 (Low).
    Application Lifecycle LifeTime

    Fix Details:
    *Symptoms*
    The functionality that lets a user change their own password does not limit the number of tries for the current password. If an attacker is able to compromise a session, they will have unlimited tries to discover the user password. This vulnerability was classified as Low with a CVSS score of 2.8.