InterSystems Official Pete Greskoff · Dec 13, 2021

December 13, 2021 - Advisory: Vulnerability in Apache Log4j2 Library Affecting InterSystems Products

InterSystems is currently investigating the impact of a security vulnerability related to Apache Log4j2.

The vulnerability — impacting at least Apache Log4j2 (versions 2.0 to 2.14.1) — was recently announced by Apache and is reported in the United States National Vulnerability Database (NVD) as CVE-2021-44228 with the highest severity rating, 10.0.

Please see this page for more details about the vulnerability and updates on whether InterSystems Products are affected.

InterSystems Official Pete Greskoff · Nov 19, 2021

November 19, 2021 - Advisory: Apache Web Server provided with InterSystems kits – Vulnerability reports

InterSystems kits include an Apache web server, which provides a convenient way for customers to interact with the Caché/IRIS Management Portal without needing to install an external web server; however, this web server should never be used for production instances, and customers must install a web server that fits their specific needs and security/risk requirements.

Recent tests have noted some security issues with the currently included Apache web server.

InterSystems Official Pete Greskoff · Oct 26, 2021

October 26, 2021 – Alert: Missing Locks after ECP Database Server Restart or Failover

InterSystems has corrected a defect that can violate application locking guarantees in a distributed cache cluster (ECP configuration), which can lead to application integrity issues. This defect affects:

  • All major releases and maintenance versions of InterSystems IRIS and InterSystems IRIS for Health, starting with 2020.1.
InterSystems Official Pete Greskoff · Jul 21, 2021

July 21, 2021 – Alert: Incorrect Query Results with Non-Standard ‘GROUP BY’ Query

InterSystems has corrected a defect that can cause incorrect query results. This defect affects:

  • All major releases and maintenance versions of InterSystems IRIS and InterSystems IRIS for Health, starting with 2019.1.0

A query block may encounter the defect only if it meets all the following conditions:

  • The query block contains a GROUP BY clause but does not include any aggregates, such as COUNT(*).
InterSystems Official Pete Greskoff · Jun 16, 2021

June 16, 2021 - Advisory: Discontinued Technologies and Features

Note: A previous version of this advisory listed Caché Server Pages as a deprecated technology. Caché Server Pages is not deprecated and is fully supported.

From time to time, InterSystems discontinues development of a technology when newer and better options are available.  However, product support for these capabilities continues in the same way that it does for products beyond our Minimum Supported Version.

InterSystems Official Pete Greskoff · Mar 23, 2021

March 23, 2021 – Alert: Potential Data Integrity Issue with Mirror Dejournaling

InterSystems has corrected a defect that can cause data inconsistency issues on non-primary mirror members in extremely rare circumstances. This defect affects all released versions of InterSystems products.

If the defect occurs, it happens silently during normal operation on a mirrored system. The result of this defect is that a mirror member fails to dejournal a subset of journal records, which then leads to data inconsistency across mirror members. This affects both failover and async members.

InterSystems Official Pete Greskoff · Feb 11, 2021

February 11, 2021 – Alert: Incomplete Query Results with ‘ORDER BY <row ID field> DESC’

InterSystems has corrected a defect that can cause incomplete query results. This defect affects:

  • InterSystems IRIS and InterSystems IRIS for Health 2019.1.0, 2019.1.1, 2019.2, 2019.3, 2019.4, 2020.1.0, 2020.2, and 2020.3
  • HealthShare Health Connect 2019.1.0, 2019.1.1, 2020.1.0
  • HealthShare Products 2019.2, 2020.1 and 2020.2

(In HealthShare and HealthShare Health Connect, this defect only affects Personal Community with 64,000 patient proxies and possibly customer-built custom queries.

InterSystems Official Pete Greskoff · Dec 8, 2020

InterSystems has identified an issue with product distributions containing Certificate Authority certificates that expire at the end of 2020. This issue does not affect system operation or system security in any way, although it does generate alerts about expiring certificates in the cconsole.log or messages.log files. The messages may be ignored and there are instructions below to eliminate them.

The issue affects the following versions:

  • Caché and Ensemble 2017.1, 2017.2, and 2018.
InterSystems Official Pete Greskoff · Dec 3, 2020

InterSystems has corrected a defect that may cause Windows Telnet processes that are secured using SSL/TLS to hang indefinitely; this may then cause an instance to become unresponsive. This defect is present only on Windows platforms.

This defect affects:

  • Caché and Ensemble 2018.1.4
  • HealthShare Health Connect (HSAP) 15.032 built on C/E 2018.1.4
  • InterSystems IRIS and InterSystems IRIS for Health 2020.3

The problems caused by this defect can occur only when the instance is running Windows Telnet.

InterSystems Official Pete Greskoff · Aug 27, 2020

InterSystems has corrected a defect that can cause a build-up of orphaned processes consuming system resources. In extreme cases, this can cause a system to become unresponsive.

This defect affects the following versions:

  • Caché and Ensemble 2018.1.4
  • InterSystems IRIS and InterSystems IRIS for Health 2019.4, 2020.1, and 2020.2
  • HealthShare Health Connect (HSAP) 15.032 built on Ensemble 2018.1.4
  • HealthShare Health Connect 2020.1

No other InterSystems product versions are affected by this issue.  Specifically, earlier versions of Caché and Ensemble, Health Connect 2019.1 and 2019.1.

InterSystems Official Pete Greskoff · Jun 4, 2020

InterSystems has corrected a defect that can cause FHIR searches to return incomplete results. The defect manifests because a FHIR update interaction deletes an incorrect resource from the search index. Although the data still exists in the repository, subsequent searches may return incomplete results due to the missing entry in that index.

This defect affects InterSystems IRIS for Health 2020.1 and HealthShare Unified Care Record 2020.1. (In HealthShare, this defect only affects FHIR resources at the ODS.

InterSystems Official Pete Greskoff · May 20, 2020

InterSystems has corrected two defects that affect online backup of very large databases. Backups taken via external methods, such as snapshots or direct file copies, are not affected. These defects exist in all released versions of all InterSystems products.

The first defect only affects databases with more than 2^31 blocks. It results in a degraded database after restoring from an online backup. For example, databases that have a block size of 8 KB (the default) are only affected if they are larger than 16 TB. The correction for this defect is identified as RJF437.

InterSystems Official Pete Greskoff · Apr 2, 2020

InterSystems has corrected a defect that can result in data integrity issues on systems using mirroring.

This defect affects:

  • All currently released versions of InterSystems IRIS and IRIS for Health, except 2020.1
  • Caché and Ensemble versions beginning with 2011.1.1
  • All HealthShare products based on the above Data Platforms versions

This defect is more likely to be encountered in IRIS and IRIS for Health 2019.4. It is highly unlikely to have occurred on deployed systems running any other version.

InterSystems Official Pete Greskoff · Mar 25, 2020

InterSystems has corrected two defects that, in rare circumstances, can result in data integrity corruption after running global compaction, database compaction, or database defragmentation. InterSystems recommends avoiding these utilities until after applying the corrections listed below.

  1. The first defect is caused by database compaction, defragmentation, or global compaction, and can result in database corruption. If you have used one of these utilities on a database, InterSystems recommends that you perform an integrity check on it. This will identify any data corruption that has occurred.
InterSystems Official Pete Greskoff · Feb 27, 2020

Starting in March 2020, Microsoft plans to release a series of security updates that will cause Windows Active Directory (AD) servers to reject unencrypted simple binds. For more details on the changes to Active Directory, see Microsoft’s Security Advisory ADV190023.

Instances of all InterSystems products using LDAP with Windows AD servers for user login can be impacted if they are not already properly configured to use TLS/SSL. The impact is not limited to instances running on Windows versions.

InterSystems Official Pete Greskoff · Feb 11, 2020

*** Update 2/11/20 2:15pm ***

*** 2017.2.1 version is NOT affected ***

InterSystems has corrected a defect that can cause the CSP Gateway to forward a response to the wrong web client. This defect is not present in the Web Gateway.

The CSP Gateway is distributed as a component of a full instance installation and also as a standalone installer. Both distributions are affected by the defect. The CSP Gateway installed with the private Apache web server for the Management Portal is also vulnerable. The affected versions of the CSP Gateway are associated with Caché or Ensemble:

  • 2016.1.
InterSystems Official Pete Greskoff · Feb 11, 2020

InterSystems has corrected a defect that can result in skipping a transaction rollback. This can only occur after activation or addition of a mirrored database on a primary mirror member.

This problem exists for:

  • Caché and Ensemble 2018.1.3
  • InterSystems IRIS data platform 2019.1.1, 2019.3, and 2019.4
  • InterSystems IRIS for Health 2019.1.1, 2019.3, and 2019.4
  • HealthShare Health Connect 2019.1.1

The conditions necessary for this defect to be triggered are quite specific. All of the following must apply:

  • A database has been newly activated or added to a mirror on a primary mirror member.
InterSystems Official Pete Greskoff · Jan 22, 2020

Updated 1/30/2020

*** The affected product versions have changed ***

*** The affected versions are Caché and Ensemble beginning with 2016.2.0.  ***

*** Caché and Ensemble 2016.1.0 is not at risk for this defect ***

InterSystems has corrected a defect that can cause database degradation in extremely rare circumstances. Associated problems may include, but are not limited to, incorrect or missing application data and system hangs.

This defect affects:

  • All versions of InterSystems IRIS and IRIS for Health
  • Caché/Ensemble versions beginning with 2016.2.
InterSystems Official Pete Greskoff · Nov 4, 2019

InterSystems has corrected several critical defects that can result in data integrity issues. These defects were identified and corrected within a short time, so InterSystems has simplified the upgrade process by consolidating them into a single package. The effects of encountering these defects may not always be visible. These defects affect InterSystems IRIS, IRIS for Health, Health Connect, Caché, Ensemble, and HealthShare products. All of these defects relate to the application of journal data.

InterSystems recommends that you review this document.

InterSystems Official Pete Greskoff · Sep 19, 2019

InterSystems has corrected a defect in applications that use Unicode character 223 (ß). This defect can result in incomplete query results, class compilation errors, and removal of custom SQL privileges.

This problem occurs on systems that are running or have previously run on:

  • Caché and Ensemble 2018.1.0, 2018.1.1, and 2018.1.2
  • HealthShare Health Connect (HSAP) 15.032 on Core versions 2018.1.0, 2018.1.1, and 2018.1.2
  • HealthShare Health Connect 2019.1
  • InterSystems IRIS data platform – all currently released versions
  • InterSystems IRIS for Health – all currently released versions

The defect is triggered by data and component names containing Unicode character 223 (ß). In the versions listed above, an uppercase conversion incorrectly maps that character to Unicode character 7838 (ẞ).  Applications perform this uppercase conversion using features such as $ZCONVERT and %SQLUPPER.

Problems can occur when accessing data or classes created or modified on a product with a different uppercase conversion than the one currently in use.

InterSystems Official Pete Greskoff · Sep 19, 2019

InterSystems has corrected a defect that could lead to invalid backups on Windows platforms. The defect causes upgrades to disable the EnableVSSBackup setting. By default, EnableVSSBackup is enabled (value set to 1) and the upgrade sets its value to 0. Windows VSS backups taken with this setting disabled may contain invalid CACHE.DAT files.

This problem is limited to Windows platforms on the following versions:

  • Caché and Ensemble 2018.1.0, 2018.1.1, and 2018.1.2
  • HealthShare Health Connect (HSAP) 15.032 on Core versions 2018.1.0, 2018.1.1, and 2018.1.2
  • HealthShare 2019.1 (Unified Care Record, Patient Index, Health Insight, Personal Community, and Provider Directory) on Core version 2018.1.2
  • HealthShare 2018.1 (Information Exchange, Patient Index, Health Insight, and Personal Community) on Core versions 2018.1.1 or 2018.1.0

The defect only occurs if you are upgrading to a version listed above. Once you have upgraded to an affected version, you must manually enable the setting; otherwise, it will be disabled on future upgrades, even when upgrading to versions containing the correction.

For customers using Windows VSS backups, InterSystems recommends enabling this setting on any 2018.1 instances of Caché or Ensemble. Once you have enabled the setting, future upgrades (including to affected versions) will preserve its value.

InterSystems Official Pete Greskoff · Jun 25, 2019

InterSystems has corrected a memory leak in applications that pass by reference to a formal parameter that accepts a variable number of arguments.

This problem exists for:

  • InterSystems IRIS Data Platform – all currently released versions
  • InterSystems IRIS for Health – all currently released versions
  • HealthShare Health Connect 2019.1.0

If this defect occurs, the process partition will eventually be exhausted, resulting in a <STORE> error.

InterSystems Official Pete Greskoff · Feb 26, 2019

InterSystems has corrected a defect that impacts the use of X.509 private keys stored in Caché, Ensemble, and Health Connect, but only in 2018.1.1, on any platform.

This defect does not affect new installations of 2018.1.1, only upgrades to that version. It affects WS-Security, not SSL/TLS Configurations.

If your environment uses X.509 credentials with private keys and has been upgraded to 2018.1.1, some functions and queries that use the private keys will fail. To correct this problem, please contact the Worldwide Response Center (WRC) and request the utility developed to address the issue.

InterSystems Official Pete Greskoff · Feb 26, 2019

InterSystems has corrected a defect that can result in data integrity problems in environments that use InterSystems mirroring in conjunction with parallel dejournaling. This problem exists for currently released Caché and Ensemble versions beginning with 2017.2 and for InterSystems IRIS Data Platform version 2018.1.

Ensuring that you are protected from this issue

Your system is at risk only if you have a mirroring environment that supports parallel dejournaling for mirrored database catchup.

Archive
Article Pete Greskoff · Jun 27, 2018 8m read

NB. Please be advised that PKI is not intended to produce certificates for secure production systems. You should make alternate arrangements to create certificates for your productions.
NB. PKI is deprecated as of IRIS 2024.1: documentation and announcement.

In this post, I am going to detail how to set up a mirror using SSL, including generating the certificates and keys via the Public Key Infrastructure built in to InterSystems IRIS Data Platform. I did a similar post in the past for Caché, so feel free to check that out here if you are not running InterSystems IRIS. Much like the original, the goal of this is to take you from new installations to a working mirror with SSL, including a primary, backup, and DR async member, along with a mirrored database. I will not go into security recommendations or restricting access to the files. This is meant to just simply get a mirror up and running. Example screenshots are taken on a 2018.1.1 version of IRIS, so yours may look slightly different.

Article Pete Greskoff · Jul 11, 2017 1m read

An installation or upgrade of Caché, Ensemble, or HealthShare on Windows could fail with the titled error if a newer version of the Microsoft Visual C++ Redistributable 2013 (x86) or (x64) is installed instead of version 12.0.30501.

If you encounter this error during an installation, you can get around it by uninstalling those versions of the redistributables in the Control Panel, then manually installing both x86 and x64 older versions directly from this link. This problem has been corrected in maintenance kits 2016.1.4 and 2016.2.2 and all released 2017 versions by devchange ALE2949.

Question Pete Greskoff · May 2, 2017

I was trying to find an article today that I knew had been posted about Wireshark installations causing problems with Studio and other Caché components. If I search the community for 'Wireshark install', the article I'm looking for does not even show up. I found it eventually in the text of one of the Digest posts, but this is the article:

https://community.intersystems.com/post/wireshark-installer-could-affect-studioexe-and-csystrayexe-windows

How could that possibly not show up for a search for 'Wireshark install'?

Archive
Article Pete Greskoff · Jan 10, 2017 9m read

NB. Please be advised that PKI is not intended to produce certificates for secure production systems. You should make alternate arrangements to create certificates for your productions.
NB. PKI is deprecated as of IRIS 2024.1: documentation and announcement.

In this post, I am going to detail how to set up a mirror using SSL, including generating the certificates and keys via the Public Key Infrastructure built in to Caché. The goal of this is to take you from new installations to a working mirror with SSL, including a primary, backup, and DR async member, along with a mirrored database.

Article Pete Greskoff · Apr 7, 2016 1m read

Presenters: Pete Greskoff, Sebastian Musielak
Task: Ensure high availability of your HealthShare deployments
Approach: Discuss high-availability options and focus on HealthShare’s new support for database mirroring
 

With the new release of HealthShare, Mirroring is now supported for high availability. This session will describe high availability options and focus on mirroring your HealthShare deployments.

Content related to this session, including slides, video and additional learning content can be found here.
