Security Updates

Post by sean » Mon Feb 26, 2024 11:31 pm

Last week we released 2023.12.2 and LTS branches to provide a security update for a potential vulnerability in the NG Client (NG1 and Titanium).

Although it was already mentioned in the forum post and release notes, we wanted to make a separate communication to reiterate that this is a security patch and that we strongly recommend that our customers update production systems to a supported version as soon as possible.

If you are on a recent version, then you should move to 2023.12.2.

If you are on an LTS release or any older version, please upgrade to 2022.3.7 LTS or 2023.3.5 LTS.

These updates are available through the download site.

Please let us know if you have any questions or issues updating.

Thanks,
The Servoy Product Team

Re: Security Updates

Post by robert.edelmann » Tue Feb 27, 2024 11:56 am

Just for clarification, since I can't find any deeper information, I assume the following:
- If the system is directly accessible from the internet, it should best be patched yesterday.
- If the system is only accessible internally or via VPN, we should do this this week, but we don't have to pull an all-nighter to do this.

Kind regards,
Robert Stefan Edelmann

Re: Security Updates

Post by sean » Tue Feb 27, 2024 3:48 pm

Hi Robert, that is correct: an application which is firewalled is far less vulnerable.
(Also, this does not pertain to legacy clients: webclient, smartclient.)
Software Engineer
Servoy USA

Re: Security Updates

Post by steve1376656734 » Thu Feb 29, 2024 2:58 pm

Hi Sean,

Can you share what the security update was for as there is no information in the release notes?

Thanks
Steve
Steve
SAN Developer
There are 10 types of people in the world - those that understand binary and those that don't

Re: Security Updates

Post by sean » Thu Feb 29, 2024 6:04 pm

Hi Steve,

The update is indeed mentioned in the release notes; however, the lack of specifics is intentional. The vulnerability is NOT already a known CVE (it was discovered internally). Therefore, we don't want to provide any details that would assist hackers to potentially exploit it :-)

What I will say is that it affects recent versions of NG Clients (Titanium & NG1). Legacy clients (Smart/Web client) and headless clients are not at risk.

We (always) recommend updating to a supported version (LTS branch is fine) at your next convenience. If you want a more personal assessment, please send me a PM.

Best,
Sean
Software Engineer
Servoy USA