Can't find what you are looking for? Try these pages!

News

Security update for all DataFlex versions with WebApp Framework - Action required!

August 21, 2024

For various revisions of DataFlex there are updates available that address a security issue in DebugBuffer.js.

This does not affect the usability of applications. However, hackers can potentially exploit the behavior making it a security risk that needs to be addressed.

This issue affects all versions of the DataFlex WebApp Framework (DataFlex Studio and DataFlex web applications running in production) and possibly deployments using the Ajax Library.

Steps to take

The vulnerability is quick to mitigate. It is highly recommended to remove both DebugBuffer.js and DebugBuffer.css files from any DataFlex web applications running in production.

It’s also recommended for developers to upgrade their DataFlex Studio(s). When working with DataFlex Studio versions that are no longer supported, developers and system administrator can safely remove both DebugBuffer.js and DebugBuffer.css files. 

Developers are encouraged to update DataFlex web applications running in production and DataFlex Studio(s) now!

How to remove Debugger JS and CSS files:

When to perform this step:

  1. If you have DataFlex web applications running in production.
  2. If you are working on an older DataFlex version that is not in the current product list, and no updated DataFlex Studio is provided.

How to:

  • Remove the ‘DebugBuffer.js’ and ‘DebugBuffer.css’ files from the DfEngine directory in the AppHtml folder.
  • This will not impact production capabilities, and is safe to perform.
  • It is highly recommended to perform this action as soon as possible, even if the chance of exposure is low. 

How to update DataFlex Studio(s):

When to perform this step: if your DataFlex Studio version is in the list below.

  • With this post we release new versions of the officially supported DataFlex Studio versions, being:
  • To install the new version(s):
    • First uninstall the current DataFlex Studio version.
    • After opening a workspace, a migration of the JavaScript engine shows. If that is not suggested go to Tools -> Update JavaSCript Engine. Click yes.
    • During the update this message shows: “A vulnerable framework component (DebugBuffer.js) has been found, should the studio remove this file?”. The recommended answer is yes.
    • Note that this will remove both JS and CSS files. Those that have actively used this component are able to leave it.

Security reminder

Please note that it is recommended to use recent and supported DataFlex version(s). Especially in web environments security updates are important. Look at the Current Products List for the officially supported DataFlex versions and platforms.

For further discussion, visit the DataFlex Web & Mobile Applications forum