CMDBuild 3.3.3 intermediate release (vulnerability patch) 23 December 2021

Following a report we received about a security vulnerability, we deemed it necessary to produce an intermediate CMDBuild 3.3.3 release that fixes the problem.

The report concerns password management and affects version 3.0 and later.

We recommend that all users of CMDBuild, CMDBuild READY2USE and openMAINT update their applications as soon as possible and, for greater protection, consider bringing forward the expiry date of the passwords used in the application.

The description of the vulnerability will be published on this same page on Monday, January 10th 2022, to give everyone time to install the new version.

A patch that fixes the problem has already been applied to all instances belonging to users with an active Subscription. Tecnoteca will also propose the update to CMDBuild 3.3.3 to those users by contacting them directly.

-------------

Description of the vulnerability (January 10th 2022)

To support debugging, applications based on the CMDBuild platform store the REST / SOAP API calls that perform operations on the system in a PostgreSQL DB table subject to a "rotate" mechanism. These calls include those corresponding to requests made from the user interface, and in particular the login request.

At the default log level, which the system administrator can change, the REST / SOAP API calls are stored together with their parameters.

Versions prior to CMDBuild 3.3.3 did not exclude the parameter containing the password entered by the user from archiving in the case of the login API.

The problem does not occur with SSO (Single Sign On) login, since in that case the user enters the password on a network authentication form rather than on the CMDBuild form.

Passwords stored in this way in the PostgreSQL database could be read by the database administrator, either through command-line SQL queries on the database server or with a client program explicitly authorized to connect to the database server.
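The following is an added illustration of the logging defect described above, not CMDBuild's own code: the pre-3.3.3 style of API logging serializes every request parameter into the log row, while the hardened variant redacts sensitive parameters before the row is written. The endpoint names, parameter names and sample calls are constructed for the example; the page does not name CMDBuild's internal table or parameter names. A third function scans already-stored rows for cleartext passwords, which is the check an administrator would run to decide whether passwords must be rotated.

```python
import json
import re

# Parameter names that must never reach the request log (assumed list).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "secret", "token"}
REDACTED = "***REDACTED***"


def unsafe_log_record(endpoint, params):
    """Pre-3.3.3 behaviour: the whole parameter map goes into the log row."""
    return {"endpoint": endpoint, "params": json.dumps(params, sort_keys=True)}


def safe_log_record(endpoint, params):
    """Hardened behaviour: sensitive parameters are redacted before storage."""
    cleaned = {
        key: (REDACTED if key.lower() in SENSITIVE_PARAMS else value)
        for key, value in params.items()
    }
    return {"endpoint": endpoint, "params": json.dumps(cleaned, sort_keys=True)}


# Matches a password-like key whose value is anything other than the redaction marker.
_CLEARTEXT_PASSWORD_RE = re.compile(
    r'"(?:password|passwd|pwd)"\s*:\s*"(?!\*\*\*REDACTED\*\*\*)[^"]*"', re.IGNORECASE
)


def find_leaked_rows(rows):
    """Return the indexes of stored log rows that still carry a cleartext password."""
    return [i for i, row in enumerate(rows) if _CLEARTEXT_PASSWORD_RE.search(row["params"])]


# Constructed sample traffic: a form login followed by an ordinary data request.
SAMPLE_CALLS = [
    ("login", {"username": "alice", "password": "Winter2021!"}),
    ("classes/list", {"limit": 10}),
]


def demo():
    """Log the sample calls both ways and report which rows leak a password."""
    unsafe_rows = [unsafe_log_record(e, p) for e, p in SAMPLE_CALLS]
    safe_rows = [safe_log_record(e, p) for e, p in SAMPLE_CALLS]
    return find_leaked_rows(unsafe_rows), find_leaked_rows(safe_rows)


if __name__ == "__main__":
    leaked_before, leaked_after = demo()
    print("rows leaking a password (old logging):", leaked_before)
    print("rows leaking a password (redacted logging):", leaked_after)
```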