Version 1.1.8

Build: 1.1.8-92

Release date: 11.05.22

This is a security release of Prosys OPC UA Historian. We recommend that everyone update to this version.

The security update (via an updated SDK version) fixes a scenario where an attacker could cause the server to starve an internal thread pool, causing a Denial of Service (DoS). The exploit enables an unauthorized attacker to block the server applications so that they can no longer serve client applications. We therefore recommend that everyone update to this version. For more details, see Pwn2Own resource exhaustion exploit.

Changes

Plus a number of other small changes.

Version 1.1.6

Build: 1.1.6-87

Release date: 17.02.22

This version fixes bugs, memory and security issues.

The application now uses JavaFX version 17.0.2, which fixes some memory leaks.

This version also updates the log4j2 version used from 2.16.0 to 2.17.1. See https://logging.apache.org/log4j/2.x/security.html for more information. There are 2 new CVEs after 2.16.0. However, as far as we understand, in practice they have no impact per se, even if technically we are affected by one of them. Regardless, we do recommend that everyone update to this version. For CVE-2021-45105, the default logging configuration does not include MDC in the pattern, thus we should not be affected.

For CVE-2021-44832, per Apache's page: "(previous versions) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file". So the filesystem would have to be compromised for this to happen. In general, our applications do not expect a hostile (local) environment. Typically this kind of vulnerability could be used for a privilege escalation attack, but Historian, for better or worse, requires admin privileges to run. The configuration files created at first startup are therefore admin-owned, so there is nothing to escalate to: the attacker could already do everything directly that they could otherwise do, in a more complicated way, via Historian. Thus, this CVE has no impact in practice, but we still recommend updating just in case.
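One way to check a log4j2 XML configuration for the two preconditions discussed above, as an added example that is not Prosys code: it flags Context Lookups (`${ctx:...}`) in a PatternLayout, the non-default setting Apache names for CVE-2021-45105, and JDBC appenders with a JNDI data source, the construct Apache names for CVE-2021-44832. The function name and both sample configurations are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# ${ctx:key} or $${ctx:key}: a Thread Context (MDC) lookup inside a layout
# pattern, the non-default setting Apache names for CVE-2021-45105.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:[^}]*\}")

def audit_log4j2_config(xml_text):
    """Return (cve, detail) findings for a log4j2 XML configuration (hypothetical helper)."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.lower()  # log4j2 element names are case-insensitive
        if tag == "patternlayout":
            patterns = [elem.get("pattern") or ""]
            patterns += [c.text or "" for c in elem if c.tag.lower() == "pattern"]
            for pattern in patterns:
                for lookup in CTX_LOOKUP.findall(pattern):
                    findings.append(("CVE-2021-45105", "context lookup " + lookup))
        elif tag == "jdbc":
            # CVE-2021-44832 needs a JDBC appender whose data source is a JNDI name.
            for child in elem:
                attrs = {k.lower(): v for k, v in child.attrib.items()}
                if child.tag.lower() == "datasource" and "jndiname" in attrs:
                    findings.append(("CVE-2021-44832", "JNDI data source " + attrs["jndiname"]))
    return findings

# Constructed sample configurations, not the files shipped with Historian.
CLEAN = """<Configuration><Appenders>
  <Console name="out"><PatternLayout pattern="%d %-5p [%t] %c - %m%n"/></Console>
</Appenders></Configuration>"""

NEEDS_REVIEW = """<Configuration><Appenders>
  <Console name="out"><PatternLayout pattern="%d $${ctx:loginId} %m%n"/></Console>
  <JDBC name="db" tableName="log">
    <DataSource jndiName="java:/comp/env/jdbc/LoggingDataSource"/>
  </JDBC>
</Appenders></Configuration>"""

if __name__ == "__main__":
    for name, cfg in (("CLEAN", CLEAN), ("NEEDS_REVIEW", NEEDS_REVIEW)):
        print(name, audit_log4j2_config(cfg) or "no findings")
```

A finding means the configuration contains the construct that CVE depends on and deserves review on an affected log4j2 version; it is not proof of exploitability.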

Changes

  • Updated: log4j2 to version 2.17.1.

  • Updated: JavaFX to version 17.0.2.

Plus a number of other small changes.

Version 1.1.4

Build: 1.1.4-80

Release date: 16.12.21

This is a security release of Prosys OPC UA Historian. We recommend that everyone update to this version.

Apache Foundation has released another version of log4j2 in order to fix a new CVE-2021-45046: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046. Per our understanding we would not be vulnerable to CVE-2021-45046, but just to be safe this release updates to log4j2 2.16.0.

Changes

  • Updated log4j2 to version 2.16.0

Version 1.1.2

Build: 1.1.2-76

Release date: 13.12.2021

This is an emergency security release to fix the "Log4Shell" vulnerability, CVE-2021-44228 (https://nvd.nist.gov/vuln/detail/CVE-2021-44228).

We recommend that everyone update to this version.

Mitigation strategies for older releases can be found at https://logging.apache.org/log4j/2.x/security.html.

Changes

  • Updated log4j2 to version 2.15.0

Version 1.1.0

Build: 1.1.0-69

Release date: 16.09.2021

This is a release of Prosys OPC UA Historian adding some new features and performance improvements.

Changes

  • Uses Prosys OPC UA SDK for Java version 4.5.6.

  • New: Ability to disconnect/connect a source server in order to easily toggle the data collection and server connection.

  • New: User authentication for OPC UA server.

  • New: Support for additional data types for collection items, including:

    • String

    • ExpandedNodeId

    • QualifiedName

    • LocalizedText

    • XmlElement

    • Boolean

    • SByte

    • Byte

    • Int16

    • UInt16

    • Int32

    • UInt32

    • Int64

    • UInt64

    • Integer

    • UInteger

    • Float

    • Double

  • New: Added collection groups that can be used to manage collection items and configure their common collection interval.

  • Improvement: Better performance of aggregate calculator.

Version 1.0.0

First release of the application.