Hi everyone, I’m a pentester and come in contact with Mendix occasionally so please be patient with my ignorance regarding Mendix details. Situation: I am currently testing a Mendix application that seems to be Version 18.104.22.168072. How did I identify this: curl -s https://<target-host>/mxclientsystem/mxui/mxui.js | grep -oP 'this.version="[0-9\.]+"' So from checking the release notes for the 8.18 branch I concluded that this Version should have multiple CVEs that have been patched in following patch releases: 8.18.16 CVE-2022-24309 XPath Constraint Vulnerability in Mendix Runtime (8.1) CVE-2021-45105 Apache Log4j Denial of Service Vulnerability (5.9) CVE-2021-44832 Apache Log4j Vulnerability via JDBC Appender (6.6) 8.18.18 CVE-2022-31257 Improper Access Control Vulnerability in Mendix (7.5) CVE-2022-27241 Information Disclosure Vulnerability in Mendix (7.5) Now before I needlessly scare the heck out my customer, I wanted to make sure I’m understanding the release/patch policy correctly: Security fixes come from installing new patch releases (i.e. they will increment the patch version, third section of the version number) There is no such thing as hotfixes that will only change the last segment of the version number when fixing security vulns Did I understand the situation correctly?
I’m not sure if your way of verifying the Mendix version is reliable, maybe it is, but you do understand correctly that there’s no such thing as hotfix releases where only the last 5-digit part of the version number changes. That’s just the (svn or whatever they use) revision part and can be ignored.
that's correct, a security fix is always in a major, minor or patch release available.
As far as I know, the last number is the built number and not really relevant for us.
Thank you gentlemen. Is this forum also frequented by Mendix team members? That is: Do I have a reasonable chance to get an “offical” reply from a team member?