Industrial HiVision 08.1.04

Release Notes

November 16, 2021

In regards to security in version 08.1.04

In Industrial HiVision, the TLSv1 and TLSv1.1 protocols are enabled by default.
For more information see the Deskpro FAQ article under the following URL: https://hirschmann-support.belden.com/kb/articles/1285

Additions to the manual in version 08.1.04

OPC UA unencrypted communications

Since Industrial HiVision release 08.1.04, OPC UA communications are encrypted by default. To use unencrypted communications between the OPC UA client and server, perform the following steps:

Note: When using the OPC UA protocols, we recommend that you only use encrypted communications.

Open the server.properties file.
You can find the server.properties file in the <Install dir>\lib\opcua\config directory.
Enter the following line to the bottom of the file:
OpcUaServer.AllowUnencrypted=true
Save and close the file.
Restart the HiVisionMasterService8.1 service.

Issues fixed in version 08.1.04

You can find the problems, workarounds and fixes related to this release in the issue list.

Security Vulnerability Corrected in version 08.1.03

Vulnerability	Description
Java CVE-2019-2745	Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 7u221, 8u212 and 11.0.3. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts).
Java CVE-2019-2762	Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts).
Java CVE-2019-2766	Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.1 (Confidentiality impacts).
Java CVE-2019-2769	Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts).
Java CVE-2019-2786	Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.4 (Confidentiality impacts).
Java CVE-2019-2816	Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts).
Java CVE-2019-2842	Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JCE). The supported version that is affected is Java SE: 8u212. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts).

Issues fixed in version 08.1.03

You can find the problems, workarounds and fixes related to this release in the issue list.

New Features in Version 08.1.03

MultiConfig™ dialogs modified:
- Basic Settings - Reset (HiOS)

Security Vulnerability Corrected in version 08.1.02

Vulnerability	Description
Java CVE-2020-2754	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
Java CVE-2020-2755	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
Java CVE-2020-2756	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
Java CVE-2020-2757	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
Java CVE-2020-2773	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
Java CVE-2020-2781	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
Java CVE-2020-2800	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.
Java CVE-2020-2830	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
Java CVE-2020-14556	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
Java CVE-2020-14577	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
Java CVE-2020-14578	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261 and 8u251; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
Java CVE-2020-14579	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261 and 8u251; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
Java CVE-2020-14581	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
Java CVE-2020-14621	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.
Java CVE-2020-18197	In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.

Issues fixed in version 08.1.02

You can find the problems, workarounds and fixes related to this release in the issue list.

Security Vulnerability Corrected in version 08.1.01

Vulnerability	Description
Java CVE-2020-2583	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE and Java SE Embedded. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.
Java CVE-2020-2590	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE and Java SE Embedded. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data.
Java CVE-2020-2593	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE and Java SE Embedded. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.
Java CVE-2020-2601	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE and Java SE Embedded. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded accessible data.
Java CVE-2020-2604	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE and Java SE Embedded. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded.
Java CVE-2020-2654	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected is Java SE. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE.
Java CVE-2020-2659	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE and Java SE Embedded. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.
Java CVE-2020-8840	FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
Java CVE-2020-9546	FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
Java CVE-2020-9547	FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
Java CVE-2020-9548	FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
Java CVE-2019-20330	FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.

New features in version 08.1.01

New features:
- Port Generation, When you create a new PSM, you can now use port mapping to control how the ports are displayed in Industrial HiVision.

Issues fixed in version 08.1.01

You can find the problems, workarounds and fixes related to this release in the issue list.

Security Vulnerability Corrected in version 08.1.00

Vulnerability	Description
Java CVE-2019-2894	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.
Java CVE-2019-2933	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.
Java CVE-2019-2945	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.
Java CVE-2019-2958	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data.
Java CVE-2019-2962	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.
Java CVE-2019-2964	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.
Java CVE-2019-2978	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.
Java CVE-2019-2983	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.
Java CVE-2019-2988	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.
Java CVE-2019-2989	Vulnerability in the Oracle GraalVM Enterprise Edition product of Oracle GraalVM (component: Java). Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM Enterprise Edition. While the vulnerability is in Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle GraalVM Enterprise Edition accessible data.
Java CVE-2019-2992	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.
Java CVE-2019-2996	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Deployment). Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.
Java CVE-2019-10086	In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. However, this is not used by the default characteristic of the PropertyUtilsBean.
Java CVE-2019-12384	FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the class-path content, remote code execution may be possible.
Java CVE-2019-14379	SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.
Java CVE-2019-14439	A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
Java CVE-2019-14540	A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
Java CVE-2019-16335	A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

Issues fixed in version 08.1.00

You can find the problems, workarounds and fixes related to this release in the issue list.

New features in version 08.1.00

New features:
- You can protect the Edit Mode, when an edit mode password is assigned or the user management is active.
- Password change for the first time login on a device
- Forward events to a syslog server over TLS
- Configurable auto-acknowledge function, when the status changes for an event
- Generate test events when configuring status configuration
- Globally Enable/Disable monitoring of the Security Status
- Start HiProvision from Industrial HiVision
- Show number of selected list entries
- When configuring event actions, you can test the action during the configuration.
- Certificates are stored in a key store for sub-domain interfaces.
- The user can now reset the icon on multiple devices to the default icon, as long as there are only devices selected.
New devices:
- Hi-SCOM BN48 and BN3049
MultiConfig™ dialogs added:
- Switching - MRP-IEEE - MVRP Configuration (HiOS)
- Switching - GARP - GMRP (HiOS)
- Switching - GARP - GVRP (HiOS)
- Switching - VLANs - Voice (Classic Software, HiOS)
- Routing - ARP - Global (Classic Software)
- Diagnostics - Email Notification - Global - Create Email Subject (HiOS)
- Diagnostics - Ports - Port-Mirroring (HiOS)
- Port Dialog: Port - Port Security (Classic Software, HiOS)
- Port Dialog: Port - Dynamic ARP Inspection (HiOS)
- Port Dialog: Port - MRP-IEEE - Configuration (HiOS)
- Port Dialog: Port - MRP-IEEE - MMRP (HiOS)
- Port Dialog: Port - MRP-IEEE - MVRP (HiOS)
- Port Dialog: Port - GARP - GMRP (HiOS)
- Port Dialog: Port - GARP - GVRP (HiOS)
- Port Dialog: Port - DHCP L2 Relay (HiOS)
- Port Dialog: Port - DHCP Server (HiOS)
- Port Dialog: Port - Profinet IO (HiOS)
MultiConfig™ dialogs modified:
- Routing - ARP - Global (HiOS, HiSecOS)
- Diagnostics - Email Notification - Global (HiOS)
- Diagnostics - Email Notification - Mail Server (HiOS)
- Port Dialog: Port - POE (Classic Software, HiOS)

Additions to the manual in version 08.1.00

The following sentence, "Industrial HiVision enters DeviceConfig_<IP-Adresse>, is changed to "Industrial HiVision enters <IP-Address> in the File Name field".
In chapter "8.2.24 Properties of a component detail", section "Generate test events" (page 301):
Ignore item 8 of the "Generate test events procedure":
'In the "Import event" dialog, verify that the table displays the event for which you wish to assign an action'.

This version has been tested with the following firmware versions:

Device	Firmware version
BAT54RAIL	8.80
BAT54RAIL-PLUS	8.80
BAT-R	9.12
BAT-F	9.12
BAT-C	2.3.8
BAT-2C	08.02.01.02
BAT450-F	9.12
BAT867-R	9.12
Bobcat	07.4.01
Dragon PTN	2.4.52
Dragon MACH4000	07.4.00
Dragon MACH4500	7.2.02
DX940-2GSFP-4TX-4RS-T1-H	4.0.0
DX1000-TS-02-H	3.1.8
EAGLE Ruggedized	HiSecOS-01.1.01
EAGLE Ruggedized	HiSecOS-01.2.00
EAGLE Ruggedized	HiSecOS-03.0.00
EAGLEONE-TX-TX	ONE-05.3.00
EAGLE20-TX-TX	SDV-05.3.02
EES25-0600	HiOS-2E-04.0.00
EESX20-0800	HiOS-2E-04.0.00
EESX30-0600	HiOS-2E-06.0.00
Gecko 4TX	01.0.01
GRS1020-8T8Z	HiOS-2S-06.0.00
GRS1020-16T9	HiOS-2S-04.1.00
HiProvision	V04.0.14
IS30	V011R021
LioN-R	V1.0.10.8-1.4
MACH 3001	3.46
MACH 3002	3.46
MACH100	L2P-09.0.12
MACH1000GE	L3P-08.0.08
MACH4000 48G	L3P-08.0.08
MACH4002-24G	L2P-09.0.08
MACH4002-24G-3X	L3P-09.0.04
Magnum 10RX	4.0.4C1
MAR1030	L2P-09.0.11
MAR1040	L2P-09.0.12
MAR1040	L3P-09.0.12
MS20-0800	L2P-08.0.04
MS20-2400	L2E-09.0.07
MS2108-2	4.06
MS30-0802	L2E-09.0.07
MS4128-5	L3P-09.0.07
MSP30-2404	HiOS-2A-07.0.00
OCTOPUS 3	HiOS-07.5.00
OCTOPUS-8M	L2P-09.0.07
OS30-001604	HiOS-2S-04.1.02
PowerMICE	L3P-08.0.08
RED25-04002T1TT	HiOS-2S-PRP-06.0.00
RS20-0400	L2E-09.0.12
RS20-0800M2	L2E-09.0.12
RS20-1600M2	L2E-09.0.12
RS20-2500M3	L2P-09.0.12
RS2-16M	9.07
RS2-TX-TX	9.07
RS30-0802	L2P-09.0.12
RS30-2402	L2P-09.0.12
RS40-0009	L2P-09.0.12
RSB20	L2B-05.3.05
RSP25-11003Z6ZT	HiOS-2S-PRP-06.0.00
RSP35-08033O6TT	HiOS-2S-06.0.00
RSPE32-24044O7T99	HiOS-3S-04.0.00
RSR20-08TP	L2P-09.0.12
RSR30-06TP-03COMBO	L2P-09.0.12

JAVA version

You can find the JAVA version used in this release (OpenJDK 8u302b08) in the following dialogs:
The JAVA use in the GUI is found in Help> About> Program Info> Systeminfo
The JAVA use in the kernal is found in Help> Kernel Info> System

Device Specific Information

Dragon PTN:
- The Dragon PTN sends SNMP V3 Traps. They are not encrypted.
- The Windows Trap Service cannot handle SNMP V3 Traps. The Windows Trap Service has to be deactivated so that Industrial HiVision receives the traps.
RSP, MSP, Eagle30:
MultiConfig™: Security - User Management - Users:
After changes to the access parameters of the device it might be necessary to change the SNMP configuration within the program:
MultiConfig™: Program Settings - SNMP Configuration
BAT 54 Rail:
- Supported firmware versions:
  - 7.xx (before 7.52): autotopology per WLAN (not per LLDP)
  - 7.52, 7.60, 8.0: autotopology per WLAN and LLDP
- Before you scan a network which is located behind a BAT you should
  - optimize the SNMP Guess List by removing unnecessary entries (Preferences - SNMP Configuration) or
  - set the SNMP Configuration manually
- Signal to Noise Ratio: the value 63 means 63dB or more
- The SNTP/NTP status will be displayed as "Warning" regardless of the actual server configuration
BAT devices:
- The BAT family of devices supports IP address configuration through HiDiscovery only. Please make sure that your management station is in the same subnet as the device before opening the "IP Configuration" dialog.
- SNMP guessing: Write access to BAT devices will be locked after five incorrect guesses.
- BAT devices configure the Management Access settings different from those defined in "Restricted management Access". Therefore, "Restricted Management Access" of BAT devices now display the "Unsecurable" value.
BAT C (Firmware version 2.3.3):
- The name cannot be set on the device
- After setting the IP parameters the device has to be rebooted
- Port Speed is always displayed as 0
MIKE:
It is possible that Industrial HiVision fails to guess the SNMP passwords of the MIKE. In that case these devices are displayed as ping devices. To correct this:
- Delete these devices completely.
- Add the SNMP-Configuration for these devices manually.
- Restart the detection of these devices.
MACH 3000:
Topology discovery with link aggregation:
If you use link aggregation with the MACH 3000, then only one connection between the two devices will be discovered because of missing LLDP information in the MACH 3000.
Workaround: Insert the second connection manually.
MACH 4000, OpenRail, PowerMICE, Octopus:
Polling of Out Load and Interface counters:
The polling interval should not be set to less than 30 seconds because that is the frequency at which the Agents update these values.
EAGLEmGuard/RR-EPL/EAGLE20:
- If you
  - use Industrial HiVision in a layer 3 network and
  - the layer 3 network is decoupled with an EAGLEmGuard/RR-EPL/EAGLE20 which is configured as default gateway,
  then increase the "Maximum number of incoming 'ping' frames (ICMP Echo Request) per second" in the Firewall dialog: Extended Settings of the EAGLEmGuard/RR-EPL/EAGLE20.
- Industrial HiVision discovers devices in the network with ping requests. With the default value of 3 pings per second the EAGLEmGuard/RR-EPL/EAGLE20 blocks all ping requests exceeding the configured value. As a result Industrial HiVision does not get an answer from some devices and cannot discover them.
- If the network is not discovered completely by the Auto-Topology the value of the "Maximum number of incoming 'ping' frames (ICMP Echo Request) per second" should be increased or the feature should be disabled.
PowerLION-24TP:
In a stacked configuration, only the data of the master will be present in Industrial HiVision.
If a switch is removed from a stack and operated as a single device, it will remember its stack id and the IP address of the master. This may lead to network problems and unexpected results in Industrial HiVision. Therefore, it is recommended to configure a new IP address and to reset its id in the web interface under Home/System/Renumbering.
Eagle20:
MultiConfig™ Load/Save and Save Support Info requires firmware 4.4.00 or higher
MACH, MS, RS, Octopus, RSR:
Autotopology: the topology cannot be detected correctly, if there are devices with identical system names.
Remedy: update to a newer firmware version or specify unique system names on the devices.
Fixed with firmware 4.2.10 (or newer) and 5.0.07 (or newer).
MACH, MS, RS, Octopus, RSR:
In some cases, the out load of a port is determined as 100% (sometimes over a longer time period). This can be fixed with firmware 5.0.07 or newer.
Meinberg:
Configuring values with SNMP results in the device savin the config file. It takes quite a while until the SNMP request is answered completely.
- Therefore the SNMP write password cannot be guessed. Please configure it under Preferences - SNMP Configuration.
- Industrial HiVision times out while setting values, but in most cases the configuration completes successfully. You can avoid the timeout if you configure the timeout value as 10s.
Unknown SNMP devices:
For devices that support the ifXTable: port numbers started with 1. This has changed: the value of the variable ifName is now the instance of the port. Therefore their connections cannot be found. To correct this please restart the auto topology.
New enable/disable FLM via MultiConfig™ function, added for Eagle One and Eagle 20.
Use MultiConfig™ on a device selected in Folder Frame or in the 'Devices' tab, in Detail Display, to access the FLM enabling/disabling function.
6k & 10k, MAX, Multilin The device MIB has changed for agent actions, e.g. firmware updates. Due to this change Industrial HiVision returns an error for devices with a firmware version earlier than 15.01.

Miscellaneous

Under unfavorable conditions (e.g. high net and/or system load) the GUI cannot connect to the service. Remedy: Restart of the GUI.
Importing files from prerelease versions is not possible.
Restoring the default font size may require a manual restart of the GUI.
If the program does not react any more: end the GUI with the task manager (HiVision.exe) and restart it. If the problem persists: restart the Industrial HiVision service.
If you have problems connecting to the Industrial HiVision Web server: delete the browser cache.
Redundant Network Management System:
You can find information on how to install Industrial HiVision on a redundant system at www.hivision.de.
Please consider the system requirements for this installation.
If you turn back the system clock the GUI may freeze. If this happens, then restart the GUI.
Connection with Subdomains:
Version 5.0 under 'Previous version' means 05.0.01 or later. It is not possible to connect with version 05.0.00
If you want to use the GUI in a Browser, then deactivate the Java Cache:
System Panel -> Java: General -> Settings: unmark the 'Keep temporary files' checkbox.
OPC UA/DA installation:
Later installation of another OPC server variant is not possible with a self extracting bundle. There is no maintenance dialog to install or de-install separate components for a self extracting bundle.
Project import from 5.X releases or older:
In rare cases, redundant connections may be displayed as forwarding (solid lines instead of dashed lines) after the project import.
Remedy: Restart the service.
Scanning IP ranges of the network has been improved and simplified. The description in the manual (References/8.4 Basics) does not yet cover the new options.
The OPC UA server of Industrial HiVision was tested with UaExpert by Unified Automation and the OPC UA Client by Prosys.
To update the display language of the Event History Timeline, restart the application after you change the display language of the GUI.
When you select objects for example, devices, ports, or connections, to configure with MultiConfig™, it is recommended that you only select objects with the following matching characteristics, Device Class, Product, Chassis, Firmware version. The reason for matching the characteristics is that MultiConfig™ only displays the common supported dialogs. Displaying only common dialogs leads to a smaller number of dialogs. A smaller number of dialogs leads to fewer number of functions available for the selected objects.
Note: With different software versions on the devices, MultiConfig™ can display dialogs which are available for the selected objects. In this case, you can configure the functions in the dialogs. However, when you configure functions on devices with different software, this can result in warning and error messages depending on the object you are configuring.
Enabling both "Determine" and "Forward Status Up" in the dialog "MultiConfig™ -> Program settings -> Container Properties" can display a warning. In this case, click the "Write" button again to complete the configuration.
In some cases, the dialog "MultiConfig™ -> Switching -> Advanced" can display a value different from the actual value on the device for the field "Frame Size". Specifing the value works as expected.
Devices which were discovered as members of the device class "Switch" are not officially supported by Industrial HiVision. Industrial HiVision has no information about the actual structure and configuration of these devices. For these devices Industrial HiVision probes a set of standard MIBs and interprets the data to the best of its ability. There is no guarantee that these devices will work correctly in Industrial HiVision.