Release Warnings Regarding enaio®
This information is updated periodically as soon as our analyses deliver new findings. Please check back periodically.
Last Update: July 11, 2023 – 5:30 PM CET
Under certain conditions enaio® appconnector can be susceptible to session hijacking and depending on the configuration also to escalation of privileges.
Due to potential sensitivity of the found security issue, the patch is available not only for the enaio® versions that are currently in support (10.10 and 11.0), but also for enaio® 9.10 and 10.0 which are not supported anymore. Nevertheless, we strongly recommend updating to one of the newer supported versions, to continue receiving this and many other security updates and bug fixes.
The issue is resolved with following hotfixes:
enaio® appconnector has been discontinued as of enaio 10.0. From version 10.0 onwards, it receives only security and bug fixes and is not further developed. The DMS microservice is available as an alternative. This currently comes with a significantly smaller scope but with a new technology stack: scalable, cloud-enabled microservice and built for large systems. The long-term goal is to gradually grow this REST API and to align its functional scope with that of enaio® appconnector. For concrete requests from your side in the context of new projects please contact directly email@example.com
The following version may cause issues:
Client MSI 10.0.41 (ANSI) or
Client MSI 10.0.35 (Unicode) / client 10.0.722
Data in table fields are displayed incorrectly on index data forms if
scripts are active in the form and
the table field(s) are in a page control.
This may cause index data records to be saved with wrong data.
Please update enaio® client and install the current MSI packages:
The packages are available for download in our Service Portal.
Please check the data records that have been saved since the last update if the above mentioned criteria apply.
With the installation of the version fixes for enaio® gateway, there may be problems with the logon via NTLM, as well as with the display of dashlets. The following hotfixes are affected:
enaio®Version 9.10 – osgateway_hotfix – 220.127.116.11
enaio®Version 10.0 – osgateway_hotfix – 10.0.0.11
enaio®Version 10.10– osgateway_setup – 10.10.0.5
These version fixes were withdrawn and are no longer available in the Service Portal.
If these version fixes have been installed, the following respective version must be installed instead:
enaio®Version 9.10 – osgateway_hotfix 9.10.28
enaio®Version 10.0 – osgateway_hotfix 10.0.12
enaio®Version 10.10 – osgateway_hotfix 10.10.6
You can download the latest versions in our Service Portal.
Updating the OpenSSL components to Version 3.0 is required for all subsequent enaio® hotfixes after September 2022 and absolutely must be done. If it is not, the functionality will no longer exist on the client and server side.
The OpenSSL components update must be performed for all affected components.
The file setup.inx is exchanged in the Setup directory (...\Win32\Disk1). If the entire setup with all directories is not downloaded, please make sure to manually import this file from the ...\SP\setup.inx\ directory into the setup directory. This file must not be copied into the SP directory itself. The setup can only be carried out using the updated setup.inx. If the OpenSSL files that were previously in the SP directory are still available after the download, make sure that they are deleted. This applies to:
There must be an OpenSSL Update directory in the SP directory so that the content of this directory is copied into the directories of existing server/client directories when performing a reinstallation, an update, or maintenance.
IMPORTANT: In addition to the 32-Bit product setup, the following new MSIs/setups are available for the OpenSSL libraries update and the affected components. These must also be updated in order to ensure that all the relevant enaio® components are equipped with the same OpenSSL versions.
Client MSI as of version 9.10.0055 and later
Capture MSI as of version 9.10.0025 and later
Index Manager MSI as of version 9.10.0011 and later
OSServerCommunication setup as of version 9.10.0004
Server X64 as of patch 9.10.0040 and later
Administration X64 MSI as of version 9.10.0021 and later
enaio_search.msi version 9.10.5 and later (incl. new osssl.cfg)
Please contact us if you have any questions.
Previously, the system requirements recommended the MS ODBC Driver for SQL Server – 18.104.22.168 (64-bit) for the database connection. This driver may cause problems with ADO connections in Unicode installations. This is because of the columns that have an NVARCHAR(MAX) data type, which were introduced in enaio® 10.10. The data in these columns is not read from the respective tables correctly. This means that it is not possible to create queries containing these columns.
The SQL Server ODBC driver must be used for Unicode systems in enaio®Version 10.10 and later. This is in the system by default after a Windows installation.
We also recommend using the SQL Server ODBC driver for ANSI installations, as the MS ODBC Driver for SQL Server will discontinued as of enaio® Version 11.0.