Prosys OPC UA Java SDK 3.1.4
This is a new bug fix release of the SDK. It also includes important security fixes.
OPC Foundation Java Stack changes
- Using version 1.3.344
- SECURITY FIX (CVE-2018-12585): Prevent accessing external resources with XMLs
- SECURITY FIX: Additional logic for catching StackOverflowErrors during message decoding
- Fixed GH#112: Binary encoding of DataValue with picoseconds
- Fixed GH#144: Removed 'assert' checks in SerializerComposition
- Fixed GH#145: Calculation of certificate thumbprint, when a certificate chain is received
- Fixed GH#146: XmlDecoder.getExtensionObject() passes NamespaceTable and fixes the mapping of NamespaceIndexes with the table of the EncoderContext
Changes to SDK common classes
- New: ApplicationIdentity.setApplicationDescription() takes an optional parameter 'enableValidation'
Changes to Client SDK
- SECURITY FIX: Validate server certificate, if 1. Connected with SecurityMode None AND 2. Server did send a certificate AND 3. Connecting with UserTokenPolicy that requires encryption
- Fixed: Do not auto-replace 'localhost' when receiving the server's ApplicationUri (Servers should not define such ApplicationUris, though)
- Fixed: Avoid StackOverflowError if a Method has a TypeDefinition Reference to itself (NOTE! Some servers use TypeDefinitions for Methods, although the specification does not allow that)
- Fixed: UaClient.getServerIdentity() returned null when connected to servers that do not send a certificate for SecurityMode None
Changes to Server SDK
- SECURITY FIX (CVE-2018-7559): Validate that padding bytes are 0 after encrypted user token designated length
- SECURITY FIX: Prevent possible attack scenarios when decrypting user tokens
- Fixed: Empty UserIdentityToken was not handled correctly. It is now interpreted as Anonymous token as defined in the ActivateSession in spec. Part 4
- Fixed: Loading a NodeSet2 XML with nodes having more than one inverse Reference of certain ReferenceTypes
This has the side-effect for the following method in NodeManager:
protected NodeId addNode(ServiceContext serviceContext, NodeId nodeId, NodeId parentNodeId, QualifiedName browseName,
NodeClass nodeClass, ExpandedNodeId typeDefinitionId, NodeAttributes attributes, NodeId referenceTypeId)
Now the parameters parentNodeId and NodeId are always null when adding nodes from a NodeSet2 XML, and the so called
"parent-reference" is added as a normal reference via addReference()
Changes to Code Generator
- Fixed: Empty Structure arrays were not converted to the actual type for Method output parameters.
We recommend regenerating code with 3.1.4 codegen, if you have methods that define an array of some Structure type as their output argument
Changes to SampleConsoleClient
Changes to SampleConsoleServer
25.06.18