Security Announcement on CVE-2023-46604

We will update this announcement with new details as they emerge from our analysis. Please check back periodically.

Last update: 03 November 2023, 7:50 PM CET

CVE-2023-46604 is a critical vulnerability, rated 10.0. It affects a third-party component that is used in our products, namely Apache ActiveMQ.

More official information about it can be found at the National Institute of Standards and Technology.

enaio®

Due to the criticality of the reported security issue, we are providing fixes not only for the currently supported versions of enaio®, namely enaio® 10.10, but also for the older unsupported versions back to enaio® 9.10.

enaio® Version 11.0 is not affected.

enaio® Version 10.10

Hotfixes:

  • admin-service-app.jar 5.11.11
  • discovery-service-app.jar 5.11.11
  • service-watcher-app.jar 5.11.11
  • messaging-service-app.jar 5.11.11

The messaging service is not installed by default but should be updated.

The hotfixes are available through the Serviceportal.

enaio® Version 10.0

Hotfixes:

  • admin-service-app.jar 4.21.16
  • discovery-service-app.jar 4.21.16
  • service-watcher-app.jar 4.21.16
  • repository-manager-app.jar 4.3.3 (SAP)
  • messaging-service-app.jar 4.21.16

The messaging service and repository manager are not installed by default but should be updated.

The hotfixes are available through the Serviceportal.

enaio® Version 9.10

Hotfixes:

  • admin-service-app.jar 4.3.2
  • discovery-service-app.jar 4.3.2
  • service-watcher-app.jar 4.3.2
  • repository-manager-app.jar 4.2.5 (SAP)
  • messaging-service-app.jar 4.3.2

The messaging service and repository manager are not installed by default but should be updated.

The hotfixes are available through the Serviceportal.

enaio® Version 9.0 and earlier

The messaging service and the repository manager (SAP integration) are affected.

We strongly advise updating your systems to one of the supported enaio® versions.

As a mitigation measure for these earlier versions, please make sure that the messaging service and the repository manager are turned off in your systems.

yuuvis® RAD

yuuvis® RAD Version 9.14

Hotfixes:

  • service-manager 9.14.1
    includes:

    • admin-service 9.7.1
    • messaging-service 9.7.1
    • index-service 9.7.1
    • search-service 9.8.1
    • repository-manager 4.4.1 (SAP)

The repository manager is not installed by default but should be updated.

The hotfixes are available through the OS cloud.

yuuvis® RAD Version 8.16 LTS

Hotfixes:

  • service-manager 8.16.54
    includes:

    • admin-service 8.13.14
    • messaging-service 8.13.14
    • discovery-service 8.13.14
    • service-watcher 8.13.14
    • inbox-service 8.16.2
    • bpm-service 8.16.3
    • index-service 8.9.12
    • search-service 8.11.7
    • repository-manager 4.3.2 (SAP)

The repository manager is not installed by default but should be updated.

The hotfixes are available through the OS cloud.

All other versions of yuuvis® RAD are out of support. We strongly advise updating your systems to one of the supported yuuvis® RAD versions.

yuuvis® Momentum

Due to the criticality of the reported security issue, we are providing fixes not only for the currently supported versions of yuuvis® Momentum, namely yuuvis® Momentum Winter 2022 LTS and yuuvis® Momentum Autumn 2023, but also for the older unsupported seasonal versions from this year, namely yuuvis® Momentum 2023 Summer and yuuvis® Momentum 2023 Spring.

yuuvis® Momentum Winter 2022 LTS

Hotfixes:

  • repository-manager 4.3.1
  • repository-manager-mq 1.2.0
  • core 4.13.17

yuuvis® Momentum Autumn 2023

Hotfixes:

  • repository-manager 4.3.1
  • repository-manager-mq 1.2.0
  • core 4.16.5

yuuvis® Momentum Summer 2023

Hotfixes:

  • repository-manager 4.3.1
  • repository-manager-mq 1.2.0
  • core 4.15.9

yuuvis® Momentum Spring 2023

Hotfixes:

  • repository-manager 4.3.1
  • repository-manager-mq 1.2.0
  • core 4.14.8

All other versions of yuuvis® Momentum are out of support. We strongly advise updating your systems to one of the supported yuuvis® Momentum versions.

To prevent potential problems, make sure that all ActiveMQ brokers in your systems are either turned off or updated.

For specific project solutions that do not adhere to the official yuuvis® Momentum versioning, please contact our support.