Summary

Appeon is aware of the recently-disclosed security vulnerability CVE-2024-0056 relating to Microsoft.Data.SqlClient and System.Data.SqlClient.

Appeon has promptly launched an investigation. This Security Bulletin summarizes the results of our investigation as of the date designated at the bottom of this Security Bulletin.

Which Appeon products are affected by the CVE?

  • PowerBuilder 2022 R2/R3 are affected, regardless of product edition.
  • InfoMaker 2022 R2/R3 are affected, regardless of product edition.
  • PowerServer 2021 – 2022 R3 are affected, regardless of product edition.
  • SnapDevelop 2019 R3 – 2022 R3 are affected.
  • SnapObjects 3.0.x/4.x.x are affected.

Appeon does not investigate or provide security fixes for EOL versions. If you are using an EOL version of an Appeon product, you may also be affected.

What are Appeon's investigation results?

  • If a PowerBuilder client/server or InfoMaker application connects to SQL Server via the ADO.NET database driver, the underlying database driver is Microsoft.Data.SqlClient.
  • If a PowerServer-deployed application connects to SQL Server, the underlying database driver is Microsoft.Data.SqlClient.
  • If a C# project developed in SnapDevelop connects to SQL Server, the underlying database driver is Microsoft.Data.SqlClient.
  • If a C# project references SnapObjects.Data.SqlServer, the underlying database driver is Microsoft.Data.SqlClient.

What can you do?

  • Refer to https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-0056 for detailed information provided by Microsoft.
  • Temporarily refrain from using the ADO.NET database driver to connect to SQL Server from PowerBuilder and InfoMaker applications. Instead, you may use the Microsoft ODBC Driver 17 (or 18) for SQL Server or the Microsoft OLE DB Driver 18 (or 19) for SQL Server.
  • For PowerServer applications that connect to SQL Server, take the following steps to update the underlying Microsoft.Data.SqlClient driver to the version recommended by Microsoft:

    Step (1). Open the Web API solution of the PowerServer application in Visual Studio or the SnapDevelop IDE. Note that the solution path is configured in the PowerServer project settings.

    Step (2). Right-click the ServerAPIs project in the Web API solution, select Manage NuGet Packages…, find the appropriate version of "Microsoft.Data.SqlClient", and install it.

    Step (3). Compile and run the ServerAPIs project. Then deploy the updated ServerAPIs project to each of your environments that needs to be secured.

  • For projects developed in SnapDevelop that connect to SQL Server, or projects that reference SnapObjects.Data.SqlServer, take the following steps to update the underlying Microsoft.Data.SqlClient driver to the version recommended by Microsoft:

    Step (1). Open the project in Visual Studio or the SnapDevelop IDE.

    Step (2). Right-click the project name, select Manage NuGet Packages…, find the appropriate version of "Microsoft.Data.SqlClient", and install it.

    Step (3). Compile, run, and deploy the project.
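Both procedures above end with the same question: did every project in the solution actually pick up the updated driver? The script below is an added example written for this bulletin, not Appeon's or Microsoft's code. It walks a solution directory, parses each .csproj, and reports every Microsoft.Data.SqlClient or System.Data.SqlClient PackageReference as "ok", "outdated", or "unpinned" (no version in the project file, as with central package management) against a minimum version you supply. The bulletin defers to Microsoft for the recommended version, so the EXAMPLE_MINIMUM constant is a placeholder and the sample project files are constructed for illustration; both SDK-style and legacy (namespaced) project files are handled.

```python
"""Audit .csproj files for SqlClient package references (added example).

The minimum version is NOT taken from this bulletin; substitute the version
Microsoft recommends in its CVE-2024-0056 guidance before relying on the result.
"""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Packages named in the bulletin as the affected drivers.
TRACKED_PACKAGES = ("Microsoft.Data.SqlClient", "System.Data.SqlClient")

# Placeholder only: replace with the version from Microsoft's advisory.
EXAMPLE_MINIMUM = "5.1.9"


def parse_version(text):
    """Turn a NuGet version or range into a comparable 4-tuple.

    '5.1.2' -> (5, 1, 2, 0); pre-release suffixes ('-preview1...') are dropped
    and a range such as '[4.8.5, 5.0)' is reduced to its lower bound.
    """
    lower = text.strip("[]() ").split(",")[0].split("-")[0]
    parts = [int(p) for p in re.findall(r"\d+", lower)]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts[:4])


def _local_name(tag):
    """Strip the MSBuild XML namespace that legacy project files carry."""
    return tag.rsplit("}", 1)[-1]


def find_sqlclient_references(csproj_xml):
    """Return {package: version_or_None} for tracked packages in one .csproj.

    Handles Version="..." attributes, <Version> child elements, and references
    with no version at all (central package management), reported as None.
    """
    root = ET.fromstring(csproj_xml)
    found = {}
    for elem in root.iter():
        if _local_name(elem.tag) != "PackageReference":
            continue
        name = elem.get("Include") or elem.get("Update")
        if name not in TRACKED_PACKAGES:
            continue
        version = elem.get("Version")
        if version is None:
            for child in elem:
                if _local_name(child.tag) == "Version" and child.text:
                    version = child.text.strip()
        found[name] = version
    return found


def audit_project(csproj_xml, minimum):
    """Classify each tracked reference as 'ok', 'outdated', or 'unpinned'."""
    floor = parse_version(minimum)
    report = {}
    for name, version in find_sqlclient_references(csproj_xml).items():
        if version is None:
            report[name] = "unpinned"
        elif parse_version(version) >= floor:
            report[name] = "ok"
        else:
            report[name] = "outdated"
    return report


def audit_solution(solution_dir, minimum):
    """Audit every .csproj under a solution directory (e.g. the Web API solution)."""
    return {
        str(path): audit_project(path.read_text(encoding="utf-8"), minimum)
        for path in Path(solution_dir).rglob("*.csproj")
    }


# Constructed sample project files (not from any Appeon product).
SAMPLE_SDK_STYLE = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Microsoft.Data.SqlClient" Version="5.1.0" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
  </ItemGroup>
</Project>"""

SAMPLE_LEGACY = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <PackageReference Include="System.Data.SqlClient">
      <Version>4.8.5</Version>
    </PackageReference>
  </ItemGroup>
</Project>"""

SAMPLE_CPM = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Microsoft.Data.SqlClient" />
  </ItemGroup>
</Project>"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python audit_sqlclient.py <solution_dir> [minimum_version]
        minimum = sys.argv[2] if len(sys.argv) > 2 else EXAMPLE_MINIMUM
        for project, report in audit_solution(sys.argv[1], minimum).items():
            print(project, report or "no SqlClient reference")
    else:
        for label, xml in (("sdk", SAMPLE_SDK_STYLE), ("legacy", SAMPLE_LEGACY), ("cpm", SAMPLE_CPM)):
            print(label, audit_project(xml, EXAMPLE_MINIMUM))
```

An "unpinned" result means the version lives elsewhere (typically Directory.Packages.props), so check that file as well; a project that references neither package may still pull Microsoft.Data.SqlClient in transitively through a SnapObjects package, which `dotnet list package --include-transitive` will show but this project-file scan will not.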

What will Appeon do?

  • Appeon has prepared a one-off version as an emergency patch for the vulnerability in PowerBuilder/InfoMaker/PowerServer 2022 R3. The instructions to download and use the one-off version are available at https://docs.appeon.com/pb/release_bulletin_for_pb/index.html. Please keep in mind that the one-off version does not undergo a full QA cycle, so it is potentially riskier to apply than an MR or the suggested workarounds.
  • Appeon plans to deliver an MR for PowerBuilder, InfoMaker, and PowerServer 2022 R3 as soon as possible that will update the underlying Microsoft.Data.SqlClient driver to the version recommended by Microsoft.

Questions?

If you have any questions regarding this security bulletin, please open a support ticket on the Appeon website: /standardsupport/newbug.


Last updated: February 5, 2024