Version 1.2.2

Build: 1.2.2-28

Release date: 22.02.23

This is a bugfix release that also includes security fixes.

See our blog (OPC UA Pwn2Own 2023 Resource Exhaustion Exploit) for more information about the security issues. We recommend everyone to update to this version.

Changes

This version of Prosys OPC UA Historian uses Prosys OPC UA SDK for Java version 4.10.4-14.

  • Updated log4j2 to version 2.20.0. This update is not related to security.

Plus a number of other small changes.

Version 1.2.0

Build: 1.2.0-24

Release date: 14.12.22

This is a minor release. Due to SDK version updates, also some memory leak fixes are included and we recommend updating to this version.

History can now be collected from nodes whose DataType is an Enumeration type.

The collection interval can now be defined lower than 1000ms, with 100ms being the new limit.

The Database/schema can now be named when configuring the database connection. Note that renaming it later wont move data from the old database.

Changes

This version of Prosys OPC UA Historian uses Prosys OPC UA SDK for Java version 4.10.2-62.

  • New: Support collecting history from Enumeration nodes.

  • New: The Database/schema can now be named in database connection.

  • Improvement: Allow lower collection intervals than 1000ms (100ms is the new limit).

  • Fixed: Collection intervals larger than 1000ms didn’t work (it was still 1000ms).

  • Fixed: On Linux the service could not be controlled from the configurator.

  • Fixed: The log4j2.xml initial logging configuration file was not UTF-8.

  • Updated log4j2 to version 2.19.0. This update is not related to security.

Plus a number of other small changes.

Version 1.1.8

Build: 1.1.8-92

Release date: 11.05.22

This is a security release of Prosys OPC UA Historian. Everyone is recommended to update to this version.

The security update (via updated SDK version) fixes a scenario where an attacker could cause the server to starve an internal thread pool, causing a Denial of Service (DoS). The exploit enables an unauthorized attacker to block the server applications so that they will no longer be able to serve client applications. Thus, we recommend everyone to update to this version. For more details see Pwn2Own resource exhaustion exploit.

Changes

This version of Prosys OPC UA Historian uses Prosys OPC UA SDK for Java version 4.8.0-25.

Plus a number of other small changes.

Version 1.1.6

Build: 1.1.6-87

Release date: 17.02.22

This version fixes bugs, memory and security issues.

The application now uses JavaFX version 17.0.2, which fixes some memory leaks.

This version also updates used log4j2 from version 2.16.0 to 2.17.1. See https://logging.apache.org/log4j/2.x/security.html for more information. There are 2 new CVEs after 2.16.0. However, as far as we understand in practice they have no impact per se, even if technically we are affected by one of them. Regardless, we do recommend everyone to update to this version. For the CVE-2021-45105, the default logging configuration does not include MDC in the pattern, thus we should not be affected.

For the CVE-2021-44832, per apache’s page: "(previous versions) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file". So the filesystem would have to be compromised for this to happen. In general our applications do not expect a hostile (local) environment. Typically this kind of vulnerability could be used for a privilege escalation attack, but Historian for better or worse requires admin priviledges to run. Thus the created configuration files at the first startup are admin-owned, thus there is nothing to escalate to, the attacker could just do already everything they could do via Historian in a more complicated way. Thus, this CVE in practice has no impact, but we still do recommend to update just in case.

Changes

This version of Prosys OPC UA Historian uses Prosys OPC UA SDK for Java version 4.7.2-13.

  • Updated: log4j2 to version 2.17.1.

  • Updated: JavaFX to version 17.0.2.

Plus a number of other small changes.

Version 1.1.4

Build: 1.1.4-80

Release date: 16.12.21

This is a security release of Prosys OPC UA Historian. Everyone is recommended to update to this version.

Apache Foundation has released another version of log4j2 in order to fix a new CVE-2021-45046: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046. Per our understanding we would not be vulnerable to CVE-2021-45046, but just to be safe this release updates to log4j2 2.16.0.

Changes

  • Updated log4j2 to version 2.16.0

Version 1.1.2

Build: 1.1.2-76

Release date: 13.12.2021

This is an emergency security release to fix the https://nvd.nist.gov/vuln/detail/CVE-2021-44228 "Log4Shell" attack.

Everyone is recommended to update to this version.

Mitigation strategies for older release can be found in https://logging.apache.org/log4j/2.x/security.html.

Changes

  • Updated log4j2 to version 2.15.0

Version 1.1.0

Build: 1.1.0-69

Release date: 16.09.2021

This is a release of Prosys OPC UA Historian adding some new features and performance improvements.

Changes

  • Uses Prosys OPC UA SDK for Java version 4.5.6.

  • New: Ability to disconnect/connect a source server in order to easily toggle the data collection and server connection.

  • New: User authentication for OPC UA server.

  • New: Support for additional data types for collection items, including:

    • String

    • ExpandedNodeId

    • QualifiedName

    • LocalizedText

    • XmlElement

    • Boolean

    • SByte

    • Byte

    • Int16

    • UInt16

    • Int32

    • UInt32

    • Int64

    • UInt64

    • Integer

    • UInteger

    • Float

    • Double

  • New: Added collection groups that can be used to manage collection items and configure their common collection interval.

  • Improvement: Better performance of aggregate calculator.

Version 1.0.0

First release of the application.