CASE PM-48825-19-201443
A security enhancement is implemented by adding an IIS Request Filtering <denyQueryStringSequences> rule. The rule rejects any request to the user web console (USDKV8) whose query string contains the sequence “password=” or “username=”, so that credentials can no longer be supplied to the console through the URL.
CASE PM-48957-19-201450
Adjustments are made to the Aranda Service Desk API (ASDKAPI) to resolve the security issue on the instances reported as vulnerable. A “Cache-Control: no-store” response header is implemented so that browsers and intermediate proxies do not keep a copy of API responses.
CASE PM-49015-19-201456
To address the reported security issue, we recommend updating the .NET Framework, Internet Information Services (IIS) and the operating system of the server on which the Aranda Service Desk (ASDK) tool is installed to their latest versions.
CASE PM-49022-19-201458
An adjustment is made to the Aranda Service Desk API (ASDKAPI) to resolve a security issue identified in the instance reported as vulnerable. The change affects the consumption method, which now returns an empty value when no configuration is registered; as a result the server can determine the response type and send an explicit “Content-Type: application/octet-stream” header instead of leaving the content type undetermined.
CASE PM-49029-19-201459
In the USDKV8 web.config file, the directives script-src 'self' 'unsafe-inline' 'unsafe-eval' and object-src 'none' are added to the Content-Security-Policy header as a security enhancement measure. object-src 'none' blocks plug-in content entirely; script-src restricts scripts to the console's own origin, although the 'unsafe-inline' and 'unsafe-eval' sources, which are kept for compatibility with the application's inline and eval-based scripts, reduce the protection this directive gives against injected script.
No modifications have been made to the frame-ancestors directive, as the sources it includes (teams.microsoft.com and *.arandasoft.com) correspond to Aranda and Microsoft domains used by the Aranda Virtual Agent.
Note: Policy adjustments have been made with compatibility with the application structure in mind.
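The two headers described in cases PM-48957-19-201450 (Cache-Control) and PM-49029-19-201459 (Content-Security-Policy) can both be set through the IIS <customHeaders> element, which is one of the settings that has to be reapplied after an update if web.config was customised. The fragment below is an added example, not a copy of the web.config shipped with the product: the directive values are the ones listed in these release notes, the element layout is the standard IIS one, and the file paths in the comments are assumptions about where each application's web.config lives.

```xml
<!-- Added example. Fragment 1: <site root>\usdkv8\web.config (user web console). -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Remove any header of the same name inherited from a parent
             configuration so that the policy is not sent twice. -->
        <remove name="Content-Security-Policy" />
        <!-- script-src: scripts only from the console's own origin; 'unsafe-inline'
             and 'unsafe-eval' are kept for compatibility and weaken the policy.
             object-src 'none': no plug-in content at all.
             frame-ancestors: unchanged, the Virtual Agent domains named in the note. -->
        <add name="Content-Security-Policy"
             value="script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; frame-ancestors teams.microsoft.com *.arandasoft.com" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

<!-- Added example. Fragment 2: <site root>\ASDKAPI\web.config (API only). -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Keep API responses out of browser and proxy caches. IIS adds custom
             headers to every response of this application, so do not put this entry
             in the web console's web.config, where it would also stop scripts,
             styles and images from being cached. -->
        <remove name="Cache-Control" />
        <add name="Cache-Control" value="no-store" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

After applying either fragment, request a page or API resource with the browser's developer tools open and confirm that exactly one Content-Security-Policy or Cache-Control header is present with the expected value. If the application already sets the same header in code, two headers with different values will be sent; in that case keep the value in code rather than adding a second one here.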
CASE PM-49036-19-201460
A security enhancement (a unique anti-forgery token that must accompany the request in the X-XSRF-Token header) is applied to the following user web console (USDKV8) requests to provide CSRF (Cross-Site Request Forgery) protection:
- Register users: /api/v8.6/user/register (used by the view /usdkv8/app/modules/userregister/views/userregister.view.html)
- Login: /api/v8.6/user/login (used by the views /usdkv8/app/modules/login/views/login.form.horizontal.html and /usdkv8/app/modules/login/views/login.form.vertical.html)
- Change the user's password: /api/v8.6/user/updatepassword (used by the view /usdkv8/app/modules/login/views/login.changepassword.html)
- Update additional user data: /api/v8.6/user/{userId}/update (used by the view /usdkv8/app/modules/userdetails/views/editprofile.view.html)
- Send articles by e-mail: /api/v8.6/article/sendemail (used by the view /usdkv8/app/modules/article/views/sendemailarticle.view.html)
CASE PM-49086-19-201462
Adjustments are made in the user web console (USDKV8) to address the reported security issue: the ViewStateEncryptionMode="Always" attribute is set on the BadRequest.aspx page so that its view state is always encrypted, rather than only when a control requests it (the default Auto mode). The same setting can be applied to every page of an application through the <pages viewStateEncryptionMode="Always" /> element in web.config.
CASE PM-49090-19-201463
A security enhancement is implemented by adding an IIS Request Filtering <denyQueryStringSequences> rule. The rule rejects any request to the user web console (USDKV8) whose query string contains the sequence “password=” or “username=”. This resolves the vulnerability reported for the following requests, in which credentials were supplied in the URL query string (dominio stands for the server's host name):
https://dominio/usdkv8/?password=]H[ww6KrA9F.x-F&switch-status=on&username=
https://dominio/usdkv8/?password=]H[ww6KrA9F.x-F&&username=
https://dominio/usdkv8/app/modules/login/views/login.form.horizontal.html?password=]H[ww6KrA9F.x-F&switch-status=on&username=
https://dominio/usdkv8/app/modules/login/views/login.form.horizontal.html?password=]H[ww6KrA9F.x-F&&username=
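The request-filtering rule described in cases PM-48825-19-201443 and PM-49090-19-201463 is an IIS <requestFiltering> setting, so it is also lost if a customised web.config is replaced during the update. The fragment below is an added example written for these notes, not the configuration shipped by Aranda: the element schema is the standard IIS Request Filtering one (IIS 7.5 or later), the two sequences are the ones named in the notes, and the path in the comment is an assumption.

```xml
<!-- Added example: <site root>\usdkv8\web.config (user web console). -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyQueryStringSequences>
          <!-- Any request whose query string contains one of these substrings is
               rejected by IIS before it reaches the application, with HTTP 404 and
               substatus 18 ("Query string sequence denied"). The match is a plain
               substring test on the query string only: a parameter called
               "username" is blocked wherever it appears, while credentials sent
               in a POST body (the login form's normal path) are not affected. -->
          <add sequence="password=" />
          <add sequence="username=" />
        </denyQueryStringSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

To verify the rule, request each of the URLs listed above and confirm that IIS answers 404 and that the IIS log records substatus 18 for them; also confirm that the console's own pages still load, since any legitimate link that carries one of these sequences in its query string would be blocked by the same rule.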
⚐ NOTES OR ADDITIONAL INSTRUCTIONS:
- Run the “Aranda.ASDK.WebV8.Installer.exe” file and follow the installer’s instructions.
- The executable file functions as both an installer and an update tool.
- This update applies only to databases in version 8.0.165.
- If you have any custom settings in the web.config files, you must reapply the setting.
- CHAT: Starting with Chrome 62, Web Push notifications are blocked on non-secure HTTP connections; these notifications are supported only over HTTPS.
- On the Oracle database engine, the maximum content size of an article is 32,000 characters. If you need to include images, we recommend using images with public URLs or images hosted in a remote repository; stored this way, the article references each image by its URL and takes up less space. Pasting local images is not recommended, since they are embedded as full base64-encoded images.
- Tags in HTML fields such as description, solution and notes will not apply style changes.