Recently, two issues were brought to our attention that we have addressed with in-line updates to DataFlex 18.x. Please see our recommendations at the end of this document.
As part of the Windows 10 Creators Update, Microsoft introduced an operating system bug that causes the calling program to hang when the GetWindowLong function is used to retrieve information from a window whose owning thread is not processing its message queue. This bug is not DataFlex specific; it was reproduced and reported to Microsoft using test programs written in C.
Microsoft has acknowledged this bug and has stated its intention to address it in a future Windows 10 update. To respond to this issue in the shortest possible time for the benefit of our developers, we have created a workaround in DataFlex for this operating system bug: we eliminated the GetWindowLong call during initialization, since it was a legacy technique for detecting other running DataFlex instances that is no longer needed. This workaround is implemented in the DataFlex Virtual Machine (runtime) component (vdfvm18.dll).
DataFlex developer Raphael Theiler identified the potential for XML External Entity (XXE) injection and exponential entity expansion attacks against DataFlex Web Services. We confirmed his findings and have addressed both vulnerabilities in an update to our Web Services engine.
During the same time period, we discovered that an HTTP POST request with an empty body sent to a JSON web service could crash the Web Application Server, and we have hardened it against that scenario.
There are three changes in the update to the DataFlex Web Application Server Web Service Endpoint (waswsvc.dll) to address these issues.
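The following Python example, added here and not taken from DataFlex or from the patched waswsvc.dll, illustrates the three request-handling checks described above in a form a practitioner can run: refusing any DTD (which is what both XXE and exponential entity expansion depend on), refusing external entity references and parameter entities as defense in depth, and returning a clean 400 for an empty JSON POST body instead of crashing. The sample payloads are constructed for the example; the function names are the author's own.

```python
import json
import xml.parsers.expat


class RejectedXml(ValueError):
    """Raised when a request body uses an XML feature the service refuses."""


def parse_xml_hardened(body: bytes, max_bytes: int = 1_000_000) -> list:
    """Parse an XML request body while refusing DTDs and external entities.

    Returns a list of (tag, text) pairs in end-of-element order, which is
    enough to show the parser accepted the document. Both XXE and "billion
    laughs" style expansion require a DOCTYPE, so rejecting it at the
    StartDoctypeDecl callback stops either attack before any entity is read.
    """
    if len(body) > max_bytes:
        raise RejectedXml("request body exceeds size limit")

    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise RejectedXml("DOCTYPE declarations are not accepted")

    def on_entity_decl(*args):  # defense in depth; never reached once DOCTYPE is refused
        raise RejectedXml("entity declarations are not accepted")

    def on_external_entity(context, base, system_id, public_id):
        raise RejectedXml("external entity references are not accepted")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    stack, finished = [], []

    def start(name, attrs):
        stack.append((name, []))

    def chars(data):
        if stack:
            stack[-1][1].append(data)

    def end(name):
        tag, parts = stack.pop()
        finished.append((tag, "".join(parts).strip()))

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end

    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        raise RejectedXml(f"malformed XML: {exc}") from exc
    return finished


def xml_request_outcome(body: bytes) -> str:
    """Return "accepted" or "rejected: <reason>" for logging and testing."""
    try:
        parse_xml_hardened(body)
    except RejectedXml as exc:
        return f"rejected: {exc}"
    return "accepted"


def handle_json_post(body: bytes) -> tuple:
    """Handle a JSON POST body; an empty or malformed body yields HTTP 400, not a crash."""
    if not body or not body.strip():
        return 400, {"error": "empty request body"}
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        return 400, {"error": f"malformed JSON: {exc}"}
    if not isinstance(payload, dict):
        return 400, {"error": "expected a JSON object"}
    return 200, {"received": sorted(payload)}


# Constructed sample requests (not captured traffic).
XXE_SAMPLE = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
              b'<foo>&xxe;</foo>')
EXPANSION_SAMPLE = (b'<?xml version="1.0"?>'
                    b'<!DOCTYPE lol [<!ENTITY a "aaaaaaaaaa">'
                    b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
                    b'<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">]>'
                    b'<lol>&c;</lol>')
BENIGN_SAMPLE = b"<order><id>42</id></order>"

if __name__ == "__main__":
    print("XXE:       ", xml_request_outcome(XXE_SAMPLE))
    print("expansion: ", xml_request_outcome(EXPANSION_SAMPLE))
    print("benign:    ", xml_request_outcome(BENIGN_SAMPLE), parse_xml_hardened(BENIGN_SAMPLE))
    print("empty POST:", handle_json_post(b""))
    print("good POST: ", handle_json_post(b'{"customer": 7}'))
```

Refusing the DOCTYPE outright is the simplest fix because a SOAP or REST payload has no legitimate need for one; if a service must accept an internal DTD, it then also needs an expansion budget, which this example deliberately avoids by never reading entity declarations at all.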
The new components have been published for DataFlex 18.2 (original release date of July 2016) and also for DataFlex 18.1 (original release date of July 2015) and DataFlex 18.0 (original release date of August 2014).
For DataFlex 18.2 we have published complete replacement installations (Studio, Server and Windows Client installations of the updated 18.2 build) and, as an alternative, a ZIP file (DataFlex18.2Update.zip) that contains the two changed components (vdfvm18.dll and waswsvc.dll) for application to existing installations.
You can download the appropriate DataFlex update installations or ZIP files at: ftp://ftp.dataaccess.com/pub/products/dataflex/Software/
For DataFlex 2016/18.2, we recommend uninstalling the currently installed 18.2 build and then installing the updated 18.2 build. If you elect to update your environments with the DataFlex18.2Update.zip file, follow the instructions included in the ZIP.
The updated DataFlex 18.2 installations also contain the latest SQL Drivers and related documentation. If you apply the virtual machine and web services updates manually with the DataFlex18.2Update.zip file, we recommend updating to the latest SQL drivers at the same time. You can obtain the SQL Driver update at: ftp://ftp.dataaccess.com/pub/products/connectivity/update/
For DataFlex 18.1 and 18.0 we have published ZIP files (DataFlex18.1Update.zip and DataFlex18.0Update.zip) that contain the two changed components for application to existing installations. As with DataFlex 18.2, we recommend installing the latest SQL drivers along with the other 18.1 and 18.0 updates.