February 11, 2020 – Alert: CSP Gateway Can Forward Response to Incorrect Web Client
*** Update 2/11/20 2:15pm ***
*** 2017.2.1 version is NOT affected ***
InterSystems has corrected a defect that can cause the CSP Gateway to forward a response to the wrong web client. This defect is not present in the Web Gateway.
The CSP Gateway is distributed as a component of a full instance installation and also as a standalone installer. Both distributions are affected by the defect. The CSP Gateway installed with the private Apache web server for the Management Portal is also vulnerable. The affected versions of the CSP Gateway are associated with Caché or Ensemble:
- 2016.1.4 and older
- 2016.2.0, 2016.2.1, and 2016.2.2
- 2017.1.0, 2017.1.1, and 2017.1.2
- Versions of the CSP Gateway that are included with all HealthShare products based on the above Caché/Ensemble versions
The defect is dependent on the CSP Gateway version and independent of the Caché or Ensemble version that the CSP Gateway connects to.
The correction for this defect is identified as CMT1608. InterSystems recommends upgrading all affected CSP Gateway installations to the latest version of the CSP Gateway (2018.1.3), which is available via the Worldwide Response Center’s software distribution page, in the ‘Components’ section. Supported customers can request access to the WRC application by contacting the Worldwide Response Center.
If you have any questions regarding this alert, please contact the Worldwide Response Center.