MassTransit Security Bulletin

  • Product: MassTransit
  • Revised: 2/14/2014
  • Reviewed: 5/16/2011

Recently we discovered and fixed two security problems in MassTransit that may affect your server. If you have MassTransit HP, Premier, Standard or Enterprise, version 5.1 and later, keep reading. These issues do not apply to MassTransit Professional, Satellite or Application Client.

Please read the following notes to see whether your configuration is affected. If it is, upgrade your server to the latest version of MassTransit or adjust the configuration as described below to eliminate the problem.

1. Passkey issue
Affected MassTransit servers: HP, Premier, Standard, Enterprise.
Affected Versions: 6.0 or newer.

Affected configuration: If you use Web Clients with email notification actions containing web links that include passkeys, MassTransit may generate duplicate passkey tokens. If this happens, access to files by recipients could be compromised. This applies to Mac and Windows servers.

Resolution: Upgrade to the latest MassTransit version 7.x on Windows or change your email notification actions so they do not use passkeys.

Note: The last available version of MassTransit server for Macintosh is 6.0.2. We will be glad to provide a free upgrade to the latest MassTransit 7.x for Windows, which fixes the issue and introduces many additional enhancements.

2. Active Directory issue
Affected MassTransit servers: HP, Premier, Standard, Enterprise.
Affected Versions: 5.1 or newer.

Affected Configuration: If your Windows-based MassTransit server is using the MassTransit web interface with Active Directory integration, there is a configuration approach that may allow improper password handling for Web Client users. This can only happen when MassTransit is bound to Active Directory and the MassTransit Engine service uses the “NEGOTIATE AD” method to run as an Active Directory user. This defect does not apply to your server if you are not using Active Directory with MassTransit, or if the common method of using a bind user name and password is configured in MassTransitEngine.cfg.

This defect does not affect Macintosh servers.

Resolution: Upgrade to the latest MassTransit version 7.x on Windows or change your configuration so it does not use the “NEGOTIATE AD” method described above to bind with Active Directory.

Even if you haven’t been affected by any of these issues, if you are running MassTransit HP, Premier, Standard or Enterprise, version 5.1 or newer, we still recommend that you upgrade your MassTransit server to the latest version to prevent the issues from happening and to gain access to the newest features and enhancements.

How to obtain the upgrades:

MassTransit 7.x can be updated to the latest version of 7.x using these instructions:
http://docs.grouplogic.com/display/MassTransit/Upgrading+MassTransit+7+to+version+7.x

For MassTransit versions earlier than 7.0, follow these instructions to upgrade to 7.x (on Windows 2003 or 2008):
http://docs.grouplogic.com/display/MassTransit/Upgrading+MassTransit+5+or+6+to+version+7.x

Other notes:

If your MassTransit server is version 5.1 through 6.x, you will need a new license key file in order to apply this upgrade. To obtain it, please submit your current dongle info / mtdongle.cfg file (instructions for finding this information can be found at http://support.grouplogic.com/?p=1604) to fulfillment@grouplogic.com.

Feel free to contact our support team at http://support.grouplogic.com/request with any questions.
