Monthly Release Notes - August 2020

Automate

Automate Desktop and Automate Plus/Ultimate

Version 11.4.0

Aug 25, 2020

New Features
  • HTTP Action Enhancements
    • Automate Desktop and Automate Plus/Ultimate.
    • Added the ability to create predefined HTTP connections using the new HTTP (Define) activity. Users can define HTTP connection and authentication information in a single place and then reuse it through a task in various HTTP steps.
    • Added support for additional authentication methods (OAuth 2.0, Bearer Token, API Key).
    • Corrected numerous issues involving JSON decoding.
  • PDF Action Enhancements
    • Automate Desktop and Automate Plus/Ultimate.
    • Added new annotation management activities (Add annotation, Delete annotation(s), and List annotation(s)).
    • Added the ability to insert an image as a new page in a PDF in the PDF (Insert) activity.
    • Corrected numerous issues with the PDF action.
  • Secure Variables
    • Automate Desktop and Automate Plus/Ultimate.
    • The Variable (Create) activity now provides the option to secure a variable, which encrypts the variable's value while editing a task.
    • A secured variable's value is still viewable in plaintext during runtime execution.
  • Credentials
    • Automate Plus/Ultimate only.
    • Added Credentials as a system object.
    • Main Credentials page has access permissions for users.
    • Credentials can be viewed/edited by a group of users, while also being used in tasks by another group of users.
    • The value of a credential is never viewable in a task, either at design-time or run-time.
    • Only select fields can make use of credentials (for now, only password and passphrase fields are supported in certain activities).
    • Unauthorized use of a credential is monitored, and such references are removed from tasks automatically.
  • New Machine Learning Action
    • Automate Plus/Ultimate only.
    • Adds the ability to pass Automate variables, arrays, datasets, and expressions into a trained ML.NET model for processing.
    • Adds the ability to use the results of an executed trained ML.NET model inside of Automate Plus/Ultimate.
  • Enhancement to Running Tasks and Workflows Using API
    • Automate Plus/Ultimate only.
    • Added a list of variable name/value pairs that can be optionally passed to the run commands for Tasks and Workflows.
  • New Swagger API Documentation
    • Automate Plus/Ultimate only.
    • New modern layout makes documentation easier to read and navigate.
    • Self-documenting by way of code markup.
Enhancements
  • Automate Desktop and Automate Plus/Ultimate have been updated to install and use .NET Framework 4.8.
    NOTE: For a list of Windows versions that are compatible with .NET Framework 4.8, see .NET Framework System Requirements.
  • The PDF (Get attachment(s)) activity now provides the option to overwrite existing file attachments with the same name or individually save them with unique file names.
  • The PDF (Extract) activity now provides the option to extract contents into a single, multi-page TIFF file.
  • The PDF (Create) activity now provides the option to change page orientation.
  • Task Builder now provides the option to save to disk if the connection to the data store is unavailable.
  • Existing users can now be renamed in the Server Management Console.
  • The SharePoint (Upload file(s)) activity now provides the option to set metatags while uploading files and retrieve uploaded file IDs.
  • Applying changes after editing a constant no longer returns the cursor to the top of the list.
  • The FTP (Logon) activity now supports an SSL/TLS (implicit) connection with TLS 1.0 disabled and TLS 1.1 and 1.2 enabled.
  • The FTP (Upload file(s)) activity now provides the option to use multi-threaded uploads.
  • Constant Values can now be assigned while creating a Task Variable.
  • The File System (Dataset to CSV) activity now supports enclosing dataset cell values in double quotes (") in CSV files.
  • A task's instance ID or transaction ID can now be obtained using the new GetWorkflowInstanceID and GetTransactionID Extended Functions.
  • The AMCurrentWorkflow and AMCurrentTask datasets now contain StartTime and StartDate parameters.
  • The Email (Send Message) activity can now create a dataset to capture information regarding each email sent.
  • The Dialog (Open File) activity now provides improved file and folder browsing navigation.
  • Changing the Data Store credentials in the Server Management Console no longer clears the database instance and now informs the user to restart Automate Enterprise 11 services for the changes to take effect.
  • The Event Viewer logs now include entries for successful and unsuccessful Email Trigger connections.
  • The BASIC Script (Execute) activity's Embedded text box has been increased in size.
Other Fixes
  • The Exchange (Get object(s)) activity now filters file attachments correctly.
  • The PDF (Extract) activity now extracts TIFF files correctly.
  • The PDF (Set field(s)) activity now populates a field if a variable contains a comma.
  • The PDF (Split) activity will no longer throw an error while splitting PDF files containing images that are not centered.
  • Adding a Note to an Agent no longer causes the Server Management Console to crash.
  • Inspecting a dataset created by the HTTP (Get) activity now occurs instantly.
  • Variable values are now populated correctly in the Text (Get substring) activity.
  • The JSON (Decode) activity now creates the correct number of structures.
  • The JSON (Decode) activity now decodes strings containing percentage characters (%) correctly.
  • Task runtime priorities are now passed to the agent correctly.
  • The GetAgentName() Extended Function now displays the correct agent name when run simultaneously by way of an agent group.
  • The Excel (Close workbook) activity now closes the excel.exe process correctly.
  • The Mail To Recipient (As Attachment) and Mail All To Recipients (As Attachment) options under the Task Builder's File > Send menu are now working correctly.
  • The Dataset (Create) activity no longer throws an error when a dataset name contains an expression.
  • Focus now correctly returns to the Task Builder while using the Locate HTML elements selector with the Web Browser action.
  • Automate Desktop installations no longer fail on non-English based systems.
  • The XML (Save) activity no longer adds an extra space and carriage return to blank XML fields.
  • Populating a dataset with a column name that contains quotation marks no longer throws an error.
  • The Web Browser (Legacy) (Get value) activity can now retrieve a Checked value for Internet Explorer check boxes.
  • The Web Browser action can now run and update Chrome on machines where only a remote agent is installed.
  • The Web Browser action no longer resizes open browser windows while the Locate HTML elements selector is being used.
  • The Web Browser action now supports creating sessions on the latest Chrome and Firefox dialog boxes.
  • The Web Browser action no longer disables Chrome extensions.
  • The Web Browser (Open) activity now provides the option to load existing user profiles for Chrome and Firefox browsers.
  • An encoding problem with sending double-byte characters to and from an agent on non-English based systems has been corrected.
  • Corrected a date formatting issue that was preventing Email Trigger from working on non-English cultural settings.
  • Right-clicking on an Agent in the Server Management Console and selecting Go to > SMTP now properly opens the Email properties screen.
  • Corrected a typo in the Audit Events table of the Server Management Console.
  • Corrected a typo in a Task Builder dialog box.
  • Corrected a typo in the Image (Image recognition) activity.
  • Task Priority settings are now correctly saved in the Task Administrator.
  • A sorting issue related to JSON decoding has been corrected.
  • The JSON (Decode) activity now decodes strings containing a space in the object key correctly.
  • The following corrections were applied to the Speech (Speak text) activity:
    • All languages that provide text-to-speech capabilities are now supported.
    • The "Display voices in all languages" parameter now stays selected when saved.
    • The "Do not speak the text out loud" parameter no longer lowers the volume to 0 when selected.
    • Task Builder no longer crashes if the play button is clicked twice, but the voice has not changed and is still set to Default.


Core Security


Core Impact

Version: 19.1.13 and 20.1.1

Aug 31, 2020

v20.1.1

Enhancements
  • New Exploits
    • Oracle Coherence T3 ExtractorComparator Deserialization Vulnerability Remote Code Execution Exploit: Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation). Supported versions that are affected are 3.7.1.17, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. (CVE-2020-2883)

    • Oracle Weblogic Server T3 UniversalExtractor JNDI injection getDatabaseMetaData Remote Code Execution Exploit: An unauthenticated Java deserialization vulnerability via T3 protocol in Oracle Weblogic Server allows an attacker to upload and execute a Java class file to gain arbitrary code execution on the affected system. (CVE-2020-14645)

    • MSI Ambient Link Local Privilege Escalation Exploit: Multiple stack buffer overflows were found in the MSI AmbientLink MsIo64 driver when processing IoControlCode (IOCTL) 0x80102040, 0x80102044, 0x80102050, 0x80102054. Local attackers, including low integrity processes, can exploit these vulnerabilities and consequently gain NT AUTHORITY\SYSTEM privileges. (CVE-2020-17382)

Other Fixes
  • Oracle Weblogic Server T3 UniversalExtractor JNDI injection getDatabaseMetaData Remote Code Execution Exploit Update: An unauthenticated Java deserialization vulnerability via T3 protocol in Oracle Weblogic Server allows an attacker to upload and execute a Java class file to gain arbitrary code execution on the affected system. This update adds XML tags to prevent pivoting. (CVE-2020-14645)
  • Exploit Modules Maintenance: This update includes small metadata improvements for some exploit modules.
  • RPT module output performance enhancements: Performance enhancements for the RPT modules' output.
  • ETW Bypass Implementation for Exploits: This update implements a new technique that disables Event Tracing for Windows (ETW), improving the stealthiness of PowerShell command events generated by IMPACT agents.

v19.1.13

Enhancements
  • New Exploits
    • Oracle Coherence T3 ExtractorComparator Deserialization Vulnerability Remote Code Execution Exploit: Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation). Supported versions that are affected are 3.7.1.17, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. (CVE-2020-2883)

    • Oracle Weblogic Server T3 UniversalExtractor JNDI injection getDatabaseMetaData Remote Code Execution Exploit: An unauthenticated Java deserialization vulnerability via T3 protocol in Oracle Weblogic Server allows an attacker to upload and execute a Java class file to gain arbitrary code execution on the affected system. (CVE-2020-14645)

    • MSI Ambient Link Local Privilege Escalation Exploit: Multiple stack buffer overflows were found in the MSI AmbientLink MsIo64 driver when processing IoControlCode (IOCTL) 0x80102040, 0x80102044, 0x80102050, 0x80102054. Local attackers, including low integrity processes, can exploit these vulnerabilities and consequently gain NT AUTHORITY\SYSTEM privileges. (CVE-2020-17382)

Other Fixes
  • Oracle Weblogic Server T3 UniversalExtractor JNDI injection getDatabaseMetaData Remote Code Execution Exploit Update: An unauthenticated Java deserialization vulnerability via T3 protocol in Oracle Weblogic Server allows an attacker to upload and execute a Java class file to gain arbitrary code execution on the affected system. This update adds XML tags to prevent pivoting. (CVE-2020-14645)

Version: 20.1

Aug 4, 2020

Enhancements
  • Common installer file. All users and distributions will download the same Core Impact installation files with a unique user license key delivered to users to enforce security controls.

  • Core Impact can now be upgraded over the top of an existing installation. For example, a user with Core Impact 19.1 can upgrade to Core Impact 20.1 without uninstalling or deactivating, while preserving data and settings.
  • Flexible licensing. Users may activate Core Impact on up to three systems concurrently, for example, a test system, a virtual machine and a forward deployed jump box.

New Features
  • Web based interface allows users to optionally connect to Core Impact over HTTPS to utilize the product.

  • Users may optionally choose their own SQL Server Standard / Enterprise to contain the Core Impact data instead of the included SQL Server Express datastore.

  • New exploit packs are now available for IoT Devices, Medical Devices & Software systems and SCADA/ICS Professional version.

  • New global settings for phishing campaigns can be used across multiple exercises, with additional credential form capturing in JSON and POST formatted web pages.

  • Integrations added with support for OpenVAS, Plextrac and Tenable’s API method.

  • Added friendly reports destination folder naming.


GoAnywhere


Version 6.6.0 - Beta
New Features
  • Added a new Strict Hostname Verification option which enforces all SSL/TLS connections to a remote server to properly validate the CN or SAN/DN values of the certificate regardless of the communication protocol.

  • Added support for ECDSA host keys on the SFTP server.

  • Added options to mask and encrypt data in Secure Form text fields.

  • Added the ability to create users automatically from SAML login methods.

  • Added a new REST API for quick uploads to Secure Folders.

Enhancements
  • Improved the performance of pages that list actions on Projects, Resources and Triggers.

  • Added a Search Filter to the Scheduled Job History page.

  • Added a Search Filter to the Project Execution History page.

  • Enhanced database sequence retrieval process to be more efficient and prevent lockups under heavy load.

  • Added Encrypted Folders support to the PeSIT service and tasks.

  • Added Active Transfer support to the PeSIT service and tasks.

  • Improved auto blacklisting on PeSIT connections to terminate the connection at an earlier point.

  • Added Active Session support for PeSIT user sessions.

  • Added the ability to specify the same name on PeSIT file templates with different transfer types.

  • Enhanced message processing within a clustered system to be more efficient.

  • Enhanced cluster communication Attack Monitor processing to be more efficient.

  • Enhanced the Agent Server to support more than 3 concurrent requests at a time.

  • Updated the Create JWT Task to support additional SSH key types.

  • Added the trust store provider to the JVM default trust store definition. This fixes an issue where the admin server SSL listener may fail to start up in certain configurations.

  • Created a new Dashboard Quick Link for Service Level Agreements.

  • Enhanced the dropdown component by increasing the max length of labels and values to accommodate larger values.

  • Enhanced Audit Log remarks for Admin Users authenticating with certificates.

  • Added Permission Checks to the Scheduler Job History and Project Execution History pages.

  • Added 'Allowed Values' for the Secure Forms Date component in dynamic help page.

Updates
  • Updated the forgot password email to no longer rely on the request host header value to populate links.
  • Added separate fields for error code and error description on the PeSIT audit log detail page.
  • Added PeSIT data to Dashboard Gadgets.
  • Added the option to show GoDrive transfer ownership dialog even when there is only one available owner.
  • Added AS4 Auth Type and AS4 Fingerprint to GoAnywhere Command (GACMD) Add and Update Web User actions and Web User Self Registration.
  • Added filtering of both formatted and unformatted audit log event ids.
  • Updated client X.509 certificate SAN email address validation for Common Criteria.
  • Updated the secure language cookie on the Web Client so that it is correctly handled by the Web Client locale filter.
  • Upgraded Postgresql JDBC jar file from version 42.2.7 to 42.2.14.
  • Upgraded commons-codec from version 1.10 to 1.14.
  • Upgraded the log4j libraries from version 2.10 to 2.13.
  • Upgraded Apache Tomcat from version 7.0.100 to 7.0.105.
  • Upgraded JavaMail version from 1.4.4 to 1.6.2.
  • Upgraded jNQ SMBClient version from 1.2.5 to 1.2.6.
  • Upgraded Primefaces from version 7.0.4 to 7.0.14.
Fixes
  • Fixed an issue with the PeSIT Server and Client where sending a Free Text (PI-99) greater than 127 characters would cause a NegativeArraySizeException.
  • Fixed an issue where the PeSIT service was not showing up as selected on the View Trigger page when 'Any Service' is selected.
  • Fixed an issue with some fields on a PeSIT table in the PostgreSQL DDL.
  • Fixed an issue where PeSIT file templates were not respecting domain folder restrictions.
  • Fixed an issue where the transfer time was not accurate on PeSIT file transfers.
  • Fixed issues with file label and free text on PeSIT file transfers.
  • Fixed an issue where failed PeSIT connections were not being cleaned up on the client side on SSL handshake failure.
  • Fixed an issue where auto-created LDAP users did not have the IP Filter and Time of Day limits respected on their initial login.
  • Fixed an issue with AS4 Pull Pmodes on a Web User where only Key-Pairs could be used as encryption keys.
  • Fixed an issue where specific AS2/AS4 fields within a web user template were not being applied to web user creation when using the AddWebUser GACMD command or importing web users via CSV.
  • Fixed subject dropdown to display 'AS4 Logs' as a subject option when adding or editing an Admin User Role.
  • Fixed an issue where the file size was not getting set on PeSIT audit log data.
  • Fixed an issue that prevented the reading of some X12 documents when the ISA line contained the characters 'GS'.
  • Fixed an issue where the Read EDIFACT task was only reading the first record in certain cases.
  • Fixed a display issue on Active Sessions that would prevent the Gateway column from appearing checked when connection is routed through Gateway.
  • Fixed an issue where changing the Run Mode for a Call Project/Call Remote Project action on a Trigger did not allow user to save.
  • Fixed page heading when adding a new Admin User Role.
  • Fixed the exportWebUser API to retain the original 'Created By' and 'Modified By' fields rather than replacing them with the username of the user executing the command.
  • Fixed an issue when cancelling a repeatable job or shutting down the scheduler could throw an exception if a new repeatable job was added at the same exact time.
  • Fixed an issue with GoAnywhere Command where specifying duplicate permissions for virtual files/folders would result in incorrect permissions.
  • Fixed an issue where older versions of MFT would be unable to download EDI definitions from the Addon Marketplace after new EDI definitions were deployed.
  • Fixed an issue where exporting private keys in the PKCS12 format while in FIPS 140-2 mode caused an error. Keys are now exported as BCFKS (Bouncy Castle FIPS-Approved Key Store) keys.
  • Fixed the ‘BCSSLSocketFactoryWrapper not found’ exception that would appear in logs when starting up GoAnywhere in FIPS 140-2 mode.
  • Fixed an issue where admin users were unable to log in to the admin client using client authentication in FIPS 140-2 mode.
  • Fixed an issue where importing an FTP/FTPS/SFTP monitor via GACMD would fail in certain cases.
  • Fixed an issue where importing PEM certificate files fails in FIPS 140-2 mode.
  • Fixed an issue opening the data mapper in the Read XML task.
  • Fixed an issue where GoDrive shared file Owners were able to remove themselves from a folder when they were the only owner who had access. This resulted in nobody having permission to delete the folder or manage permissions.
  • Fixed an issue where sharing a shared folder in Secure Folders was not correctly applying permissions or Share Name.
  • Fixed an issue that removed the ability to add certain components in Cloud Connectors.
  • Fixed an issue where the X12 and EDIFACT write tasks would sometimes write out the data for transaction sets out of order.
  • Fixed an issue where adding the REST Post task to a newly created Cloud Connector resulted in an error.


Powertech


BoKS Reporting Services

Version 8.0.0.2

Aug 17, 2020

This release updates third-party components used in BoKS Reporting Services that have reported vulnerabilities.

The following libraries have been updated:

• jquery (3.5.1) CVE-2020-11022, CVE-2020-11023 (see also Advisory Note AN-1016)

• spring-security-core (5.2.8) CVE-2020-5408

• spring-web (5.2.8) CVE-2016-1000027

• spring-webmvc (5.2.8) CVE-2020-5397

• hibernate (5.4.19) CVE-2019-14900

• snakeyaml (1.26) CVE-2017-18640

• dom4j (2.1.3) CVE-2020-10683

• commons-codec (1.14) WS-2019-0379

• bouncycastle (1.64) CVE-2019-17359

• Bootstrap (4.3.1) CVE-2019-8331

Version 7.2.0.3

Aug 17, 2020

This release updates third-party components used in BoKS Reporting Services that have reported vulnerabilities.

The following libraries have been updated:

• jquery (3.5.1) CVE-2020-11022, CVE-2020-11023 (see also Advisory Note AN-1016)

• spring-security-core (5.2.8) CVE-2020-5408

• spring-web (5.2.8) CVE-2016-1000027

• spring-webmvc (5.2.8) CVE-2020-5397

• hibernate (5.4.19) CVE-2019-14900

• snakeyaml (1.26) CVE-2017-18640

• dom4j (2.1.3) CVE-2020-10683

• commons-codec (1.14) WS-2019-0379

• bouncycastle (1.64) CVE-2019-17359

• Bootstrap (4.3.1) CVE-2019-8331

Password Self Help

Version 3.005

Aug 18, 2020

  • An issue causing an error when signing on using initial program SHC001I1 has been resolved.


Robot


Robot Monitor

Version 14.22 (14.2.2)

Aug 12, 2020

Enhancements
  • Robot Monitor now uses the RELMOD version standard, consistent with the other Robot products.
  • Routing entry for all IBM i partitions is now installed.
Other Fixes
  • Fixed issue with MON020B job holding a large number of locks on MONPRMLA.
  • Interactive jobs now showing correctly on High CPU screen on partitions running IBM i 7.4.
  • Fixed issue with file record count failing with MCH1210.
  • Drive type data collection optimized.
  • Fixed issue with column or global variable not found while monitoring MIMIX.

Robot Schedule

Version 13.06

Aug 18, 2020

  • Prechecker now works correctly when converting from Robot Schedule 12.
