6.5.0
Platform 6.5.0 is a minor release that introduces FlowAI and Work Center. This release also includes security updates, bug fixes, and enhancements across Workflows, Workflow Engine, Configuration Manager, NSO Service Manager, and Platform infrastructure, including Cisco NSO 6.7 compatibility.
For more information on new features introduced in this release, see Platfrom 6.5 feature announcement.
6.4.1
Platform 6.4.1 is a maintenance release with security updates, bug fixes, and enhancements across Operations Manager, Studio, Configuration Manager, and Platform infrastructure. It addresses customer-reported issues and improves stability, reliability, and secure communication.
Enhancements (1)
| Component | Feature | Description |
|---|---|---|
| Configuration Manager Enterprise | Compliance plan view toggle (ENG-24014) | Changed how you switch between the default and classic view of compliance plans. Access the toggle on the Configuration Manager dashboard. |
Bug fixes (26)
| Component | Feature | Description |
|---|---|---|
| Configuration Manager Enterprise | GradeComplianceReports device scope (ENG-22461) | Fixed an issue where gradeComplianceReports graded devices outside the compliance plan. The task now only grades devices included in the plan. |
| Configuration Manager Enterprise | Golden config treeId on import (ENG-21919) | Fixed an issue where re-importing a golden config changed its treeId. The treeId is now preserved on import. |
| JSON Forms | Schema combination dropdown clear button (ENG-24062) | Removed the clear button from the schema combination dropdown to prevent users from setting a schema combination to an empty, invalid state. |
| Operations Manager | Scheduled trigger error logging (ENG-23176) | Fixed object readability in scheduled triggers error logging. |
| Operations Manager | Sidebar selection highlight (ENG-7784) | Fixed an issue where the left navigation sidebar did not update its selection highlight when switching between job filter views. The highlight now correctly reflects the active filter as you navigate. |
| Platform | Licensing timeout error (ENG-23266) | Fixed a licensing timeout error that caused license validation to fail on Red Hat systems. |
| Platform | Service startup with colon in server ID (ENG-22854) | Fixed an issue where colons in server IDs could silently prevent services from detecting each other after startup. Server IDs containing colons are now rejected with a descriptive error. |
| Projects | Project asset import for users outside account collection (ENG-23778) | Fixed an error that prevented importing some project assets when the user was not in the account collection. |
| Templates | Command template checkbox persistence (ENG-24271) | Fixed the Treat info and warning as pass checkbox in the command template UI so that it persists correctly when the template is saved. |
| Templates | Analytic template rename error message (ENG-10314) | Fixed an issue where renaming a MOP analytic template to an already-taken name returned an incorrect Operation canceled by the user error instead of the expected duplicate-name error. |
| Templates | Template disappears from folder tree on rename (ENG-24249) | Fixed a bug where renaming a command template or analytic template on a fresh page load would inconsistently cause it to disappear from the folder tree. |
| Templates | Template import schema validation (ENG-19450) | Fixed template import returning an unclear error when the submitted template was missing required fields or contained non-string values for string fields. |
| Workflow Engine | Task worker error object logging (ENG-23166) | Fixed an issue where error objects logged from within a task worker appeared as error=[ {} ] instead of their actual content. |
| Workflows | Child job task corruption on task reference delete (ENG-24148) | Fixed an issue where deleting a task reference corrupted the child job task in the workflow document. The workflow engine now supports starting a job for workflows in this state for backward compatibility. |
| Workflows | Debug mode keyboard shortcut propagation (ENG-16946) | Fixed an issue in Studio where browser keyboard shortcuts (such as Cmd+Opt+I and Cmd+R) were consumed when the workflow canvas was in debug mode. Shortcuts now propagate to the browser as expected. |
| Workflows | Debug mode scenario input save (ENG-16945) | Fixed an issue in debug mode where pasting JSON into a scenario input field and immediately pressing Cmd+S caused the pasted value to revert to null after save. |
| Workflows | Deprecated task icons on canvas reload (ENG-10247) | Fixed an issue where deprecated task icons and warnings disappeared from the workflow canvas after a page reload. |
| Workflows | Import dialog behavior on partial import success (ENG-11415) | Fixed an issue in the Studio import dialog where a partial import success left the dialog open and the page unrefreshed. The dialog now closes and the sidebar updates to reflect successfully imported items even when other files in the batch fail. |
| Workflows | Job variable null value on canvas start (ENG-18492) | Fixed an issue where users could not assign a null value to a job variable when starting a workflow from the canvas. |
| Workflows | Project builder name sort with prefix (ENG-16128) | Fixed an issue where name sorting in Project Builder incorrectly included the project prefix. |
| Workflows | Save Workflow API unknown _id handling (ENG-23356) | Fixed an issue in the save workflow API (POST /workflow_builder/workflows/save) where supplying an _id that did not exist in the database silently succeeded without persisting the workflow. The API now returns a clear error identifying the unknown _id. |
| Workflows | Unsaved changes dialog on tab close (ENG-6727) | Fixed a stale-closure bug that caused the Unsaved Changes navigation dialog to appear when closing a tab that had no unsaved edits. |
| Workflows | Workflow import with invalid Debug Mode scenario input (ENG-24105) | Fixed workflow import failures caused by invalid Debug Mode scenario input. Added validation to prevent users from setting invalid values in scenario input. |
| Studio | Workflow name truncation with dash character (ENG-7276) | Fixed an issue where workflow names containing a dash character were incorrectly truncated in the Studio tab label. |
| Transformations | Unsaved changes check overrides delete confirmation (ENG-7303) | Fixed an issue in Studio where deleting a document with unsaved changes triggered two confirmation dialogs back-to-back. |
| Inventory Manager | Gateway 4 and Gateway 5 device origin detection (ENG-23885) | Fixed device origin detection between IAG 4 and IAG 5 in MOP and Configuration Manager routing. |
Security fixes (13)
This release includes security updates that address vulnerabilities in third-party packages and platform components.
| Component | Feature | Description |
|---|---|---|
| Inventory Manager | FastURI security vulnerability (Inventory Manager) (ENG-24190) | Fixed a FastURI security vulnerability in Inventory Manager and Adapter Inventory Manager. |
| NSO Service Manager | Cross-site scripting in Quill (NSO Manager) (ENG-22488) | Resolved a cross-site scripting (XSS) vulnerability (CVE-2025-15056) by updating Quill to a secure version in app-nso_manager. |
| NSO Service Manager | Directory traversal in fast-uri (Service Management) (ENG-24069) | Resolved a Directory Traversal vulnerability (CVE-2026-6321) by updating fast-uri to a secure version in app-service_management. |
| NSO Service Manager | HTTP cleartext transmission (NSO Adapter) (ENG-18110) | Improved HTTP request handling in adapter-nso to align with secure communication best practices. |
| NSO Service Manager | Improper index validation in UUID (NSO Adapter) (ENG-23791) | Resolved a security vulnerability (CVE-2026-41907) related to improper input offset validation by updating UUID to a secure version in adapter-nso. |
| NSO Service Manager | Improper index validation in UUID (Service Management) (ENG-23792) | Resolved a security vulnerability (CVE-2026-41907) related to improper input offset validation by updating UUID to a secure version in app-service_management. |
| Platform | Directory traversal in fast-uri (itential-utils) (ENG-23883) | Updated the fast-uri dependency in itential-utils to resolve a Directory Traversal security vulnerability. |
| Platform | Directory traversal in fast-uri (itential-utils crossfunctional) (ENG-23815) | Updated the fast-uri dependency in itential-utils to resolve a Directory Traversal security vulnerability. |
| Platform | Sensitive information exposure in follow-redirects (Core) (ENG-23371) | Updated the follow-redirects dependency in Core to fix a sensitive information exposure vulnerability. |
| Platform | Sensitive information exposure in follow-redirects (itential-utils) (ENG-23374) | Updated the follow-redirects dependency in itential-utils to fix a sensitive information exposure vulnerability. |
| Platform | Use of uninitialized resource in ws (Core) (ENG-24042) | Updated the ws subdependency in Core to resolve a use-of-uninitialized-resource security vulnerability. |
| Platform | Improper index validation in UUID (Core) (ENG-23787) | Updated the uuid dependency in Core to fix an improper index validation vulnerability. |
| Workflow Engine | Redis command timeout on startup (ENG-24065) | Updated the default redis_command_timeout configuration value to fix a timeout issue that prevented the Workflow Engine API from coming online correctly at startup. |
6.4.0
Platform 6.4.0 is a minor release featuring critical security updates, performance improvements, and new capabilities across Operations Manager, Studio, and Platform infrastructure. This release addresses customer-reported issues and introduces enhancements to improve user experience and system reliability.
For an overview of the key features in this release, see the Platform 6.4.0 feature announcement.
6.3.4
Platform 6.3.4 is a maintenance release that includes critical bug fixes, security updates, and feature enhancements. This release addresses customer-reported issues to enhance platform stability and reliability.
Enhancements (8)
| Feature | Description |
|---|---|
| Asset edit details modal standardization (ENG-19875) | All “View Metadata” drawers in Studio and Lifecycle Manager are now replaced with a dialog and renamed to “Edit Details”. In the projects UI, the project navigation bar (left-hand side) and asset editor titlebar (top-right) also now consistently use this dialog for editing asset details. |
| Auto keying for project asset migration (ENG-19921) | Workflow references are updated where applicable when moving or copying assets into a project. |
| Asset more menu options update (ENG-20100) | Updated asset titlebar more menus to provide consistent and intuitive access to asset actions throughout the platform. |
| NSO 6.5 and 6.6 certification (ENG-17515) | Certified NSO Service Manager functions and NSO Adapter against NSO 6.5 and NSO 6.6, ensuring compatibility with the latest Cisco NSO versions. |
| Platform 6 index management enhancement (ENG-16284) | Enhanced index management for Platform 6 upgrades to improve database performance and reduce upgrade complexity. |
| Vault namespace header support (ENG-15973) | Implemented support for X-Vault-Namespace header for Vault integration, enabling multi-tenancy and namespace isolation. |
| NSO fetchData return limit adjustment (ENG-8574) | Adjusted NSO fetchData return limit to handle larger datasets and improve integration performance with Cisco NSO. |
| Project thumbnail file size configuration (ENG-10644) | Added configuration for project thumbnail file size in Settings to allow customization based on organizational requirements. |
Bug fixes (32)
| Feature | Description |
|---|---|
| Long workflow names in project automation references (ENG-21971) | Fixed an issue where workflows in project-based automations displayed “from undefined” instead of the project name in the automation dropdown when the workflow name was very long. |
| Lifecycle manager schema reference error (ENG-21853) | Fixed an issue where the OpenAPI specification generated by the help/openapi endpoint contained an invalid schema reference, which could cause customer scripts using the spec to fail. |
| MOP template last updated by field (ENG-21803) | Fixed issue where ‘Last Updated By’ field always displayed ‘unknown’ for MOP Command/Analytic templates. Implemented proper user tracking for template modifications. |
| Transformation search with dash characters (ENG-21768) | Resolved issue where Transformations search did not work properly for names containing dash characters. Enhanced search query parsing. |
| Workflow GBAC restrictions in global space (ENG-21621) | Fixed issue in 6.3.3 where Workflow Group-Based Access Control (GBAC) no longer restricted users in global space. Restored proper access control enforcement. |
| Operations manager automations groups display limit (ENG-21576) | Resolved issue where Operations Manager Automations Read/Write Groups only displayed the first 100 groups. Implemented proper pagination and group listing. |
| Form validation enumNames rejection (ENG-21566) | Fixed backend form validation incorrectly rejecting valid forms containing enumNames due to Ajv strict mode. Adjusted validation schema to support enumNames. |
| Query task JSON view output display (ENG-21383) | Corrected issue where Query Task Post Execution showed incorrect output when JSON View was turned off. Improved output formatting logic. |
| Validate form task JSON forms service crash (ENG-21256) | Fixed issue where Validate Form task would crash the JSON Forms service if validation failed. Implemented proper error handling and service recovery. |
| Project thumbnail upload with workflows (ENG-20828) | Resolved inability to upload project thumbnail when a workflow exists in the project. Fixed file upload validation logic. |
| LCM RunAction task hang on invalid data (ENG-20227) | Fixed issue where LCM RunAction task hung when invalid instance data was provided. Added input validation and timeout handling. |
| ValidateJsonSchema single document limitation (ENG-20193) | Resolved issue where ValidateJsonSchema task only validated a single document per schema ID. Enabled multi-document validation support. |
| Golden configuration identifier key data loss (ENG-20147) | Fixed issue where users are not given a warning when entries are dropped. |
| Golden configuration identifier key dropdown blank (ENG-20146) | Fixed issue where undefined array identifier crashes the page. |
| Golden configuration dialog crash on right-click (ENG-20145) | Fixed a bug with JSON config options throwing error when the config is empty. |
| viewData inconsistent behavior (ENG-19226) | The viewData task has been updated to improve consistency in how message and body content is parsed and rendered as HTML. |
| Workflow loading performance on P6 (ENG-18902) | Improved workflow loading performance on Platform 6 by optimizing data retrieval and rendering logic. |
| Manual trigger form crash with duplicate labels (ENG-17866) | Fixed page crash when clicking on forms containing items with same label name but different types in Manual Trigger dropdown. Enhanced form validation and conflict resolution. |
| Job deletion with automation read/write groups (ENG-16590) | Resolved issue where jobs could not be deleted when triggered by an automation with read/write groups. Corrected permission checking logic. |
| JSON form text input binding (ENG-14982) | Fixed issue where binding for text input in JSON Forms did not work correctly. Restored proper data binding functionality. |
| JSON form element ordering (ENG-4775) | Resolved issue where JSON form elements appeared out of order when previewing and in the Automation trigger view. Ensured consistent element ordering. |
| Project builder logo display (ENG-4773) | Fixed issue where Itential logo did not display correctly in Project Builder. Corrected logo asset loading. |
| JSON form builder table deletion confirmation (ENG-4712) | Added confirmation prompt when deleting tables in JSON Form Builder to prevent accidental data loss. |
| JSON form readonly field population (ENG-4653) | Resolved inability to populate readonly fields with values in JSON Forms. Enabled value assignment for readonly fields. |
| Task swap state persistence (ENG-4259) | Fixed issue where Swap Task state persisted when opening other tasks. Properly cleared task state on task change. |
| JST schema modification variable removal (ENG-3873) | Resolved issue where modifying schema of JST removed any outgoing variables set in workflow. Preserved variable assignments during schema updates. |
| Duplicate form option values (ENG-3341) | Fixed ability to create forms with duplicate values in options. Implemented duplicate value detection and validation. |
| Workflow count display accuracy (ENG-2959) | Corrected inaccurate workflow count on the Automation Studio workflow View All page. Fixed counting logic. |
| Transformation hotkey save (ENG-2950) | Resolved issue where saving transformation using hotkeys did not work. Restored keyboard shortcut functionality. |
| Child/parent workflow visualization (ENG-2946) | Fixed child/parent workflow drill down visualization issue with zoom-to-fit and constellation view. Improved canvas rendering logic. |
| JST designer task execution completion (ENG-2293) | Resolved issue where JST Designer did not complete execution of a task even when prior task produced valid output. Fixed task completion detection. |
Security fixes (9)
This release includes important security updates that address vulnerabilities in third-party packages and platform components.
| Feature | Description |
|---|---|
| Data amplification in undici (ENG-21752) | Fixed Improper Handling of Highly Compressed Data (Data Amplification) vulnerability by updating undici (SNYK-JS-UNDICI-15518068). |
| Prototype pollution in immutable (ENG-21364) | Updated immutable package to resolve Prototype Pollution vulnerability (SNYK-JS-IMMUTABLE-15423650). |
| ReDoS in ajv (JST) (ENG-20534) | Fixed ajv Regular Expression Denial of Service (ReDoS) vulnerability by upgrading to ajv@6.14.0 (SNYK-JS-AJV-15274295). |
| Resource allocation in qs (JST Designer) (ENG-20532) | Fixed Allocation of Resources Without Limits or Throttling vulnerability in qs by bumping ajv to 6.14.0 and refreshing the lockfile (SNYK-JS-QS-15268416). |
| ReDoS in ajv (IAP) (ENG-20498) | Fixed ajv Regular Expression Denial of Service (ReDoS) vulnerability by updating package (SNYK-JS-AJV-15274295). |
| Resource allocation in qs (IAP) (ENG-20475) | Upgraded qs to address Allocation of Resources Without Limits or Throttling vulnerability (SNYK-JS-QS-15268416). |
| Algorithmic complexity in minimatch (IAP) (ENG-20376) | Updated minimatch package to address Inefficient Algorithmic Complexity vulnerability (SNYK-JS-MINIMATCH-15353389). |
| ReDoS in ajv (itential-utils) (ENG-20366) | Fixed ajv Regular Expression Denial of Service (ReDoS) vulnerability by updating package (SNYK-JS-AJV-15274295). |
| Algorithmic complexity in minimatch (itential-utils) (ENG-20365) | Updated minimatch package to address Inefficient Algorithmic Complexity vulnerability (SNYK-JS-MINIMATCH-15353389). |
6.3.3
Platform 6.3.3 is a maintenance release containing enhancements, bug fixes, and security updates.
Enhancements (3)
| Feature | Description |
|---|---|
| Project description field (ENG-19847) | Added optional description field to project creation flows in Studio, enabling better project documentation and organization. |
| Lifecycle Management action descriptions (ENG-18926) | Enabled setting the description field for Lifecycle Management Action assets to improve asset documentation and searchability. |
| Golden configuration asset descriptions (ENG-18925) | Enabled setting the description field for golden configuration assets in Configuration Manager, enhancing configuration documentation capabilities. |
Bug fixes (22)
| Feature | Description |
|---|---|
| Asset movement from project to global (ENG-20126) | Fixed an issue where moving an asset from project to global space did not update the asset correctly. Ensured proper asset metadata and reference updates during migration. |
| Workflow import validation errors (ENG-19989) | Resolved validation errors occurring when importing workflows in Platform 6.3.2. Improved import validation logic to handle edge cases. |
| Custom application functionality (ENG-19874) | Fixed custom application not working properly in 6.3 and addressed additional issues that occurred when the application did work. Improved application initialization and runtime stability. |
| Task node deselection (ENG-19709) | Fixed an issue where the task node was automatically deselected when opening task details. Maintained selection state for improved user experience. |
| Asset duplication in projects (ENG-19549) | Resolved an issue where assets were being duplicated within projects, causing import errors in Platform 6. Implemented proper asset uniqueness validation. |
| Project performance with external references (ENG-19433) | Improved project loading and performance when large numbers of external references exist. Optimized reference resolution and caching mechanisms. |
| Project loading COLLSCANS (ENG-19332) | Fixed an issue where loading projects with many components caused spikes in database COLLSCANS leading to platform slowness. Added proper database indexes and optimized queries. |
| JSON Form data binding schema error (ENG-18622) | Resolved an issue where data binding in JSON Form gave an incorrect schema error consistently. Corrected schema validation logic. |
| Eval null value handling (ENG-18487) | Fixed an issue where the eval task incorrectly handled null values. Improved null checking and value coercion logic. |
| Child JST renaming on import (ENG-18187) | Resolved an issue where a referenced child JST was renamed upon workflow import. Preserved original JST names during import operations. |
| JST Designer user function cleanup (ENG-17989) | Fixed JST Designer failure to clean up assignments from user functions, which created irrecoverably broken JST documents. Implemented proper cleanup routines. |
| Evaluation task job variable input (ENG-17802) | Corrected an issue where the evaluation task job variable input was not functioning properly. Restored proper variable binding and evaluation. |
| AGManager adapter discovery (ENG-17775) | Fixed AGManager error on discoverAll where the automation gateway adapter could not be found. Improved adapter registration and discovery mechanisms. |
| Task summary loading state (ENG-17550) | Resolved an issue where task summary remained stuck in loading state on running workflows. Improved state management and error handling. |
| LCM special character sanitization (ENG-17240) | Fixed LCM failure to sanitize special characters when invalid regex exists in action names for workflows. Enhanced input validation and sanitization. |
| Redis TLS configuration (ENG-16926) | Resolved inability to configure Itential Platform to use TLS with Redis and Redis Sentinel. Implemented proper TLS configuration support. |
| Operations Manager job view crash (ENG-16816) | Fixed Operations Manager job view crash when viewing child iterations of cancelled jobs or jobs without valid job object values. Added proper null checking and error handling. |
| JST import from project (ENG-15667) | Resolved an issue where automation and JSON Form could not be imported if using a JST from a project. Fixed cross-scope JST reference resolution. |
| Legacy forms export/import (ENG-15611) | Fixed an issue in 23.2 UAT where legacy forms failed to export/import. Ensured backward compatibility for form migration. |
| renderJsonSchema binding schema (ENG-13749) | Fixed the bindingSchema parameter in the renderJsonSchema task that was not working correctly. Restored proper schema binding functionality. |
| JSON Form field dependency update (ENG-12016) | Resolved an issue where a JSON Form with field dependency did not update the selected field properly. Improved dependency tracking and field updates. |
| JST Designer duplicate schema IDs (ENG-11207) | Fixed JST Designer not warning users about duplicate schema $id values, which allowed saves but caused misbehavior. Implemented duplicate ID detection and validation. |
Security fixes (11)
This release includes important security updates that address vulnerabilities in third-party packages and platform components.
| Feature | Description |
|---|---|
| ReDoS in ajv (NSO adapter) (ENG-19908) | Updated ajv package in NSO adapter to resolve a regular expression denial of service (ReDoS) vulnerability. Enhanced regex validation patterns. |
| ReDoS in minimatch (NSO adapter) (ENG-19907) | Updated minimatch package in NSO adapter to address a ReDoS vulnerability. Improved pattern matching performance. |
| Prototype pollution in lodash (service management) (ENG-19905) | Updated lodash package in app-service_management to resolve prototype pollution vulnerability. Enhanced object property validation. |
| ReDoS in ajv (service management) (ENG-19903) | Updated ajv package in app-service_management to address a ReDoS vulnerability. Improved schema validation performance. |
| Prototype pollution in lodash (NSO Manager) (ENG-19899) | Updated lodash package in app-nso_manager to resolve prototype pollution vulnerability. Implemented proper input sanitization. |
| ReDoS in ajv (NSO Manager) (ENG-19898) | Updated ajv package in app-nso_manager to address a ReDoS vulnerability. Enhanced validation efficiency. |
| ReDoS in minimatch (NSO Manager) (ENG-19897) | Updated minimatch package in app-nso_manager to resolve a ReDoS vulnerability. Improved glob pattern handling. |
| Resource allocation in axios (NSO Manager 2023.2) (ENG-19473) | Updated axios package to address allocation of resources without limits or throttling vulnerability. Implemented proper request throttling. |
| Prototype pollution in axios (NSO Manager) (ENG-19472) | Updated axios package in app-nso_manager to resolve prototype pollution vulnerability. Enhanced HTTP request validation. |
| Prototype pollution in csvtojson (ENG-16644) | Updated csvtojson package to address prototype pollution vulnerability. Improved CSV parsing security. |
| Predictable value range in form-data (NSO Manager) (ENG-15022) | Updated form-data package to address predictable value range from previous values vulnerability. Enhanced boundary generation randomness. |
6.3.2
Platform 6.3.2 is a maintenance release containing enhancements, bug fixes, and security updates.
Enhancements (5)
| Feature | Description |
|---|---|
| Canvas Debug Mode UI Updates (ENG-18749) | Updated Canvas Debug Mode color scheme and icon design in both Studio and Operations Manager for improved visibility and user experience. |
| MOP Template Description Support (ENG-18502) | Enabled setting descriptions for Command Templates and Analytic Templates during asset creation in projects, improving documentation capabilities. |
| NSO 6.5+ Transaction Comments (ENG-18189) | Added support for NSO 6.5+ transaction comments (set_trans_comment) to enhance integration capabilities with Cisco NSO. |
| Principal Caching Enhancements (ENG-18680) | Implemented principal caching security improvements to enhance authentication performance and security posture. |
| X-Forwarded-For Header Logging (ENG-16748) | Added X-Forwarded-For header logging in Platform Webserver logs to improve request tracing and security auditing. |
Bug fixes (36)
| Feature | Description |
|---|---|
| LCM runAction Task Recursion (ENG-19162) | Fixed issue where using LCM’s runAction task in a workflow caused discover references to infinitely recurse, crashing Studio. Improved task reference handling to prevent infinite loops. |
| Date Range Filter Crash (ENG-19075) | Resolved Operations Manager crash caused by invalid input in Date Range Filter. Enhanced input validation to prevent system crashes. |
| Workflow Engine Scheduler Race Condition (ENG-19016) | Fixed race condition in Workflow Engine scheduler that could cause timing-related execution issues. Improved thread safety and synchronization. |
| Run Windows Static Time Entries (ENG-19004) | Restored functionality for static time entries in Run Windows that were non-functional in version 6.3.1. |
| Radix Argument Error (ENG-18970) | Fixed production error “toString() radix argument must be between 2 and 36” by implementing proper input validation for number conversion operations. |
| Large File Import Size Limitation (ENG-18953) | Addressed issues with moving assets inside folders or importing large project files due to 15MB size limitation. Improved handling for large file operations. |
| Zoom to Selection Context Menu (ENG-18861) | Restored missing ‘Zoom to Selection’ option in task context menu on Operations Manager canvas. |
| Zoom to Selection Centering (ENG-18859, ENG-16346) | Fixed issue where ‘Zoom to Selection’ feature did not properly center the selected items on canvas in both Studio and Operations Manager. |
| IAP UI Login Performance (ENG-18707) | Resolved slow login performance issue inItential Platform UI that persisted after upgrade to 6.3.0. Optimized authentication workflow for improved response times. |
| MOP Template Metadata Dialog (ENG-18501) | Fixed issue where clicking the save button on metadata dialog for MOP Command Template or Analytic Template in projects caused import failures. |
| MOP Template Description Export (ENG-18500) | Resolved issue where descriptions for MOP Command Templates and Analytic Templates were not included during project export. |
| Workflow Description Persistence (ENG-18497) | Fixed issue where workflow description set during asset creation did not persist, and description field was missing in global space. |
| Transformation Extract Output (ENG-18486) | Corrected issue where Transformation task did not properly set Extract Output when outgoing schemas were modified. Ensured proper output mapping. |
| Workflow Promotion Issues (ENG-18475) | Fixed issue where workflows were missing after promoting a project from development to staging environment. Improved project promotion reliability. |
| Studio Task Palette Filter (ENG-18463) | Resolved task palette filter misbehavior when palette was displayed in wide mode. Improved filter behavior across different display configurations. |
| Generate Example Inputs Data Loss (ENG-18405) | Fixed issue where clicking “Generate Example Inputs” button wiped existing user data. Implemented proper data preservation logic. |
| Project Folder Creation (ENG-18401) | Resolved inability to create folders within projects. Restored folder creation functionality. |
| NSO 6.5+ Host Header Validation (ENG-18156) | Improved handling of HTTP 400 errors caused by strict Host header validation in NSO 6.5+. Enhanced compatibility with newer NSO versions. |
| Studio Canvas Task Corruption (ENG-17868) | Fixed race condition that could place corrupted tasks on Studio canvas. Improved task placement synchronization. |
| Workflow Start Error State (ENG-17841) | Resolved error state occurring on workflow Start node when variables were empty. Improved empty variable handling. |
| SLA Duration Input Validation (ENG-17838) | Fixed issue where duration input in workflow’s SLA/Pre-Automation Fields broke on invalid inputs. Added proper input validation. |
| JSON Forms Yang Widget Rendering (ENG-17639) | Resolved rendering failures for JSON Forms utilizing Yang Widget. Ensured proper widget initialization and display. |
| Auth Methods Access Handling (ENG-16755) | Fixed improper failure behavior when attempting to access authentication methods without proper permissions. Improved error handling and messaging. |
| JSON Form Builder Default Value (ENG-16304) | Fixed inability to set default value of 0 in number fields within JSON Form Builder. Corrected value validation logic. |
| Event Listener Job Multi-Cluster (ENG-15292) | Resolved failures of eventListenerJob task in multi-IAP clusters depending on number ofItential Platform instances. Improved cluster-aware task execution. |
| Command Template Regex in Transformation (ENG-14421) | Fixed production issue with command template regex processing in transformations. Improved regex handling and validation. |
| Run Templates Diff Task (ENG-13661) | Addressed issues preventing proper execution of Run Templates Diff task. Restored full task functionality. |
| Child Job Data Inconsistency (ENG-12562) | Fixed inconsistent data display between canvas and Job Details view for P6 child jobs. Ensured consistent data representation. |
| JST Schema Property Names (ENG-12304) | Resolved JST failure when schema property names contained the # character. Improved special character handling in schema properties. |
| JST Step Context Order (ENG-12294) | Fixed JST errors occurring when step context order did not match data flow. Improved context resolution logic. |
| JST Designer Infer Functionality (ENG-11251) | Resolved inconsistencies in JST Designer infer functionality including addition of empty "" property and data type mismatches. Improved schema inference accuracy. |
| Transformation Corruption (ENG-10647) | Fixed production issue where transformations became corrupted and non-functional. Implemented safeguards against transformation corruption. |
| Integration Thread Count Limit (ENG-9078) | Removed maximum threshold for IAP_INTEGRATION_THREAD_COUNT configuration to allow proper scaling for high-throughput scenarios. |
| Schema Combination Option Renaming (ENG-7533) | Fixed issue where renaming an option in a schema combination cleared all added fields for that option. Preserved field data during rename operations. |
| Transformation Canvas Scrollbar (ENG-7413) | Resolved production issue where transformation canvas scrollbar was not viewable. Improved UI layout and scrollbar visibility. |
| Transformation Function Closure (ENG-7269) | Fixed issue where closing a function while parent transformation was open would offset transitions. Improved state management for nested transformations. |
Security fixes (5)
This release includes important security updates that address vulnerabilities in third-party packages and platform components.
| Feature | Description |
|---|---|
| Prototype Pollution in axios (ENG-19229) | Updated axios package in itential-utils to resolve prototype pollution vulnerability. Enhanced input validation to prevent prototype chain manipulation. |
| Arbitrary Code Injection in jsonpath (ENG-19223) | Updated jsonpath package to address arbitrary code injection vulnerability. Implemented proper input sanitization for JSONPath expressions. |
| Node.js Version Upgrade (ENG-18855) | Upgraded Node.js versions in Platform Image to address security vulnerabilities and improve runtime security posture. |
| XSS in @remix-run/router (ENG-18425) | Updated @remix-run/router package to resolve Cross-site Scripting (XSS) vulnerability. Enhanced input sanitization in routing components. |
| Incomplete Filtering in validator (ENG-17677) | Updated validator package to address incomplete filtering of special elements vulnerability. Improved input validation and sanitization. |
6.3.1
Platform 6.3.1 is a maintenance release containing enhancements, bug fixes, and security updates.
Enhancements (1)
| Improvement | Description |
|---|---|
| Workflow Engine Schema Validation (ENG-18679) | Fixed invalid JSON schemas in Workflow Engine that were causing error-level logging messages during platform startup, improving system diagnostics and reducing log noise. |
Bug fixes (12)
| Feature | Description |
|---|---|
| API Token Authentication (ENG-18885) | • Fixed issue where API tokens and service accounts were incorrectly returning 403 Forbidden errors• Restored proper authentication for token-based API access• Resolved authentication failures impacting automated integrations and service accounts |
| JSON Forms Dynamic Dropdowns (ENG-18508) | • Fixed issue where JSON Forms with dynamic dropdowns displayed “undefined” when opening the dropdown• Resolved discrepancy between successful API call in form settings and failed runtime display• Ensured proper data population for dynamic POST request dropdowns |
| Job Variable Handling (ENG-18151) | • Fixed job error “Cannot destructure property ‘location’ of ‘_0x2f4fa8’ as it is undefined”• Improved handling of missing job variables in push to array tasks• Addressed sub-optimal missing variable behavior causing job failures |
| Code Editor Component (ENG-18068) | • Fixed race condition in BackgroundTokenizer causing “Cannot read properties of null (reading ‘getLength’)” errors• Resolved issue where code editor component attempted to access document properties after unmounting• Improved editor component lifecycle management |
| OAuth Client Visibility (ENG-17392) | • Fixed issue where OAuth Client creation option remained visible when ITENTIAL_ADMIN_AUTH_PAGES_ENABLED environment variable was set to false• Ensured proper UI behavior for Cloud customers managing service accounts through Hub interface• Aligned interface options with environment variable configuration |
| OAuth2 Integration Models (ENG-16320) | • Fixed validation failure when creating OAuth2-capable Integration Models following documentation examples• Resolved issues preventing proper OAuth2 authentication configuration• Ensured compatibility with OAuth2-enabled API integrations |
| JST Schema Editor (ENG-12011) | • Fixed JST Designer Schema Editor errors occurring when property names contained forward slash (/) characters with incorrect types• Resolved validation errors in betterAjv.js library when processing properties with special characters• Restored proper save button functionality in schema editor |
| Masked Job Variables (ENG-11192) | • Fixed issue where renaming masked job variables left orphaned decorator entries in workflows• Resolved problem where old variable names appeared as masked in Operations Manager despite no longer being referenced• Ensured decorator array properly updates when job variable names change |
| JST Pointer Connections (ENG-10280) | • Fixed issue where JST pointers did not connect as expected when building map functions• Improved pointer behavior and connection logic in transformation designer• Enhanced user experience when creating complex transformations |
| JST Nested Functions Import (ENG-10021) | • Fixed issue where JSTs with nested functions imported incorrectly• Resolved ID conflict handling during function flattening process• Ensured proper reference resolution when moving nested functions to root level |
| Transformation Scoping (ENG-8392) | • Fixed incorrect scoping when creating transformations directly from child job task panel in unsaved workflows within projects• Resolved URL routing issue that caused loss of unsaved workflow changes• Ensured transformations are properly scoped to their containing project |
| Transformation Comment Timestamps (ENG-6498) | • Fixed issue where comments on transformations displayed dates one month earlier than actual creation date• Corrected date formatting logic for transformation comment timestamps• Ensured accurate timestamp display for all transformation comments |
Security fixes (1)
Platform 6.3.1 includes important security updates that address vulnerabilities in third-party packages.
| Feature | Description |
|---|---|
| Out-of-bounds write vulnerability (ENG-18428) | Updated gnupg2/gpgv package to resolve the CWE-787 Out-of-bounds Write vulnerability (CVSS Score: 7.0). |
6.3.0
Itential Platform 6.3.0 is a minor release that includes Inventory Manager integration, Automation Studio enhancements, performance improvements, security updates, and critical bug fixes. This release addresses customer-reported issues and enhances platform stability and usability.
For an overview of the highlights and key features in this release, see the Platform 6.3.0 feature announcement.
6.2.0
Platform 6.2.0 is a minor release that introduces Canvas Mock mode, along with bug fixes and security updates.
For an overview of the highlights and key features in this release, see the Platform 6.2.0 feature announcement.
Enhancements (8)
| Feature | Description |
|---|---|
| Canvas mock data validation (ENG-13565) | Added mock data validation to verify that test data conforms to workflow requirements before execution. The feature provides visual feedback when mock data requires updates, such as when tasks or transitions are missing or when schema mismatches occur. |
| Operations Manager failure iconography for tasks (ENG-13432) | Updated task icons to support failure iconography in Operations Manager for query and manual tasks. |
| JSON-formatted logging API support (ENG-15618) | Added support for JSON-formatted logging and updated the logging API to align with the HLD specification, including support for message and context objects. |
| Relocatable RPM installation support (ENG-15941, ENG-17185) | Added support for relocatable RPM-based installation into custom directories using the —relocate flag. Multiple custom service directories can be specified with a comma-delimited list in the service_directory configuration property. |
| Service Manager RPM SHA256 checksums (ENG-16405) | Added SHA256 checksums for Service Manager 6 RPM packages on both x86_64 and ARM64 architectures to verify package integrity and ensure they haven’t been tampered with. |
| Automation Triggers formData wrapping label (ENG-16440) | Updated the formData wrapping option in Automation Triggers to use clearer, feature-focused language. The term “legacy” has been removed from labels and tooltips. |
| Docker image sudo configuration removal (ENG-16454) | Removed sudo configuration from Docker images as it is no longer needed for the TemplateBuilder jail. |
| Workflow selection area name display (ENG-16660) | Expanded the workflow selection area to display more of the workflow’s name. |
For more information about our highlighted feature improvements for this release, see Platform 6.2 Feature Release Announcement.
Bug fixes (55)
| Feature | Description |
|---|---|
| Operations Manager auto-work reliability (ENG-2675) | Improved the reliability of the auto work feature in Operations Manager. |
| Automatic integration model validation on upload (ENG-2939) | Added automatic integration model validation on upload to support OpenAPI specifications like Netbox. |
| JST canvas live preview error styling (ENG-3382) | Corrected the styling and removal of live preview errors in JST canvas. |
| Lifecycle Manager Resource Instance defaults (ENG-3699) | Fixed an issue where sensible defaults weren’t being provided to new Resource Instance forms in Lifecycle Manager, which caused save and modification failures. |
| Show JSON Form task slash in form name (ENG-4761) | Resolved an issue where the Show JSON Form task failed when slashes were present in the form name. |
| Applications submenu missing from Studio (ENG-5851) | Fixed an issue where the “Applications” submenu was missing from Automation Studio. |
| JSON Form import name with parentheses (ENG-6243) | Fixed a bug where importing a JSON Form with a name containing text in parentheses caused the system to append “NaN)” to the name, leading to duplicate forms with incorrect names. |
| Search palette canvas styling when closed (ENG-6600) | Prevented the search styling from activating when the search palette is not open in canvas. |
| isError variable exclusion from input schema (ENG-7171) | Added a check to exclude variables with the isError flag from the input schema while maintaining them in the output schema. |
| Run window job variable schema regeneration (ENG-7284) | Fixed a schema regeneration bug that occurred when disabling the run window with a job variable. |
| Operations Manager missing form graceful handling (ENG-7412) | Missing forms are now gracefully handled in Operations Manager manual tasks. |
| LCM action pre-JST dollar sign encoding (ENG-7789) | Fixed a Lifecycle Manager action pre-JST encoding bug where dollar sign ($) characters in workflow schemas appeared as “2”. |
| Job description search filter trailing characters (ENG-7957) | Updated the job description search filter to preserve trailing dots and zeros in search queries. |
| JSON Form state sharing between tabs (ENG-7969) | Resolved an issue where switching between different JSON forms in separate tabs caused form state to be incorrectly shared, leading to dropdown option changes in one form appearing in another. |
| Broker logging for adapter exclusion and device lookup (ENG-7999, ENG-13934) | Enhanced broker logging to provide better diagnostics when adapters are excluded, devices cannot be found during command execution, or when communicating with Gateway over the device broker. |
| Project import duplicate ID detection (ENG-8052, ENG-8066) | Fixed project import issues including duplicate project ID detection and preventing multiple copies from being created when “import” is clicked too quickly. |
| Task deletion transition cleanup (ENG-8465, ENG-8490) | Improved task deletion behavior to only remove transitions to and from the deleted task and fixed validation errors that occurred when deleting tasks referenced in run window schedules or used as job references. |
| updateForm API stale data return (ENG-8550) | Fixed the updateForm API to return updated data instead of stale data. |
| Unsaved changes dialog on workflow navigation (ENG-9350) | Improved the unsaved changes dialog interaction during workflow navigation. |
| LCM special character sanitization in action names (ENG-9431) | Lifecycle Manager now sanitizes special characters (&, +) in action names for workflows. Previously, it would fail to create the workflow. |
| Workflow created date typo fix (ENG-9839) | Fixed a typo that caused incorrect created dates for new workflows in projects. |
| Integration Engine model resolution performance (ENG-9902) | Fixed performance issues in the Integration Engine that caused extended processing times when resolving integration models. |
| Add Asset To Project continue button state (ENG-9906) | The “Add Asset To Project” continue button now properly disables when the project selection is cleared. |
| Task Palette canvas click block when closed (ENG-10228) | Fixed an issue where the Task Palette blocked clicking on canvas when closed. |
| RPM directory ownership correction (ENG-10282) | RPMs are now bundled with all directories owned by itential, correcting directory ownership. |
| Automation workflow dropdown componentId update (ENG-10378) | Selecting a new workflow in the dropdown of an automation now correctly updates both componentId and componentName in the database. |
| Manual Adapter ID entry in Studio (ENG-10417) | Fixed Manual Entry of task Adapter IDs within Automation Studio, which was preventing users from entering Adapter IDs that are not currently present. |
| Child job orphaned JST canvas crash (ENG-10656) | Resolved an issue where child jobs with references to orphaned or deleted JSTs would crash the canvas UI when viewing the child job’s properties. |
| Automation group selection pagination limit (ENG-10752) | Fixed pagination limits for group selection in automation properties to support more than 100 groups. |
| NPM artifact internal file inclusion (ENG-10955) | Fixed an issue where internal files were incorrectly included with NPM artifacts. |
| LCM action execution navigation (ENG-11413) | Resolved an issue where opening a Lifecycle Manager (LCM) action execution from workflow tasks was not navigating correctly. |
| Task documentation links to 2023.2 (ENG-11433) | Updated task documentation links to point to 2023.2 until Platform 6 documentation links are stable. |
| Studio git group-based project access (ENG-11482) | Enhanced the git permissions verification system in Automation Studio to properly support group-based project access, ensuring users with group membership have appropriate access to git operations. |
| LCM resource model workflow identifier string type (ENG-11709) | Added string type support to the workflow identifier in the resource model JSON schema, allowing imported LCM models with missing Action workflows to be modified. |
| Job document null variable migration crash (ENG-12302) | Fixed an issue where incoming variable objects in jobs that were set to null would crash Workflow Engine on startup while attempting to migrate job documents. |
| Integration TLS settings on token retrieval (ENG-12883) | Fixed an issue where integrations were not respecting TLS settings when a token retrieval step was configured. |
| Asset JSON export with unsaved changes blob (ENG-12946) | Fixed a bug where exporting an asset as JSON would display the exported blob if the workflow had unsaved changes. |
| Syslog transport error handler (ENG-13718) | Added an error handler to the syslog transport to prevent application crashes when the transport encounters errors. |
| Broker logging for excluded adapters and devices (ENG-13934) | Enhanced broker logging to provide better diagnostics when adapters are excluded or devices cannot be found during command execution. |
| Evaluation task strictTypes option (ENG-14609) | Added a “strictTypes” option to the evaluation task that skips all operand type inference when evaluating operand values, resolving comparison issues between numeric and non-numeric strings. |
| Config Manager invalid configuration crash (ENG-14934) | Configuration Manager no longer crashes when invalid configuration is provided. |
| Config Manager manual tasks in build (ENG-15154) | Configuration Manager manual tasks are now included in the build and can be successfully executed. |
| Loop transition validation in workflow engine (ENG-15804) | Added loop transition validation to the backend workflow engine to prevent invalid transitions from inside a loop to outside of a loop. |
| Jinja2 template newline JSON parse error (ENG-15926) | Fixed Jinja2 template result JSON parsing errors that occurred when newlines were present. |
| Project import asset reference conflict errors (ENG-16090, ENG-16401, ENG-17319) | Improved project import error handling including clearer error messages for asset reference conflicts, graceful handling of missing LCM resource references with continue/cancel options, and fixed race conditions when multiple workflows reference non-existent user accounts. |
| Rename failure UI revert to original name (ENG-16261) | Ensured that when a rename operation fails (e.g., due to duplicate names), the UI reverts to the original name and displays an appropriate error message. |
| Project iid=0 URL blank page fix (ENG-16377) | Fixed a bug where opening a project with iid=0 in the URL showed a blank page instead of redirecting to the first available asset. |
| NSO adapter getDevicesFiltered compliance fix (ENG-16459) | Fixed an issue in adapter-nso where getDevicesFiltered failed to return devices, causing device loading errors in Compliance Plans. |
| Automation import duplicate trigger fix (ENG-16989) | Fixed an issue where importing an automation that already exists would duplicate triggers. |
| Dead process checker service ping suppression (ENG-16994) | Stopped unnecessary service ping packets from being sent when the dead process checker is disabled. |
| FIPS-compliant SSH key algorithms in NSO adapter (ENG-17044) | Added support for all FIPS-compliant SSH key algorithms in the NSO adapter, resolving connection failures on RHEL systems running in FIPS mode. Updated underlying SSH libraries to ensure compatibility without relying on non-approved keys like ssh-ed25519. |
| Render JSON Schema form display fix (ENG-17274) | Fixed an issue where render JSON Schema wouldn’t display the form. |
| Manual trigger form pre-populated data display (ENG-17347) | Fixed manual trigger forms not displaying pre-populated data when clicking “Run Now” and restored “Save and Run” functionality to immediately execute jobs instead of opening the run window. |
| AG Manager configuration on cluster restart (ENG-17458, ENG-17558) | Improved AG Manager configuration handling duringItential Platform cluster restarts. AG Manager now self-manages its configuration setup on application start, and Core excludes AG Manager from its initial configuration broadcast to prevent temporary loss of methods. |
| phui files restore for dynamic forms (ENG-17596) | Re-added missing phui and supporting files to restore dynamic form functionality. |
Security fixes (2)
| Feature | Description |
|---|---|
| jws cryptographic signature verification (ENG-17553) | Updated the jws dependency to resolve an improper verification of cryptographic signature vulnerability. |
| xml2js security update in NSO adapter (ENG-17694) | Upgraded xml2js to v0.6.0 in adapter-nso, resolving parsing issues and security vulnerabilities while improving overall stability. |
6.1.2
Platform 6.1.2 is a maintenance release containing enhancements, bug fixes, and security updates.
Enhancements (3)
| Feature | Description |
|---|---|
| Canvas Debug Mode UI enhancements (ENG-16048, ENG-16050, ENG-16055, ENG-16056) | Improved Canvas Debug Mode usability with UI enhancements including renaming the “Mock Data” tab to “Mocked Tasks”, relocating the delete scenario button, better indication of required fields, and clearer messaging for failure transition outputs. |
| AG Manager Redis-based configuration storage (ENG-16182) | AG Manager now uses Redis-based configuration storage for automatic cluster-wide synchronization. For more information, see Automatic discovery in Gateway. |
| Mock Data failure transition output display (ENG-16456) | Updated the failure transition type view in the Mock Data dialog to display “output is null” for improved user experience. |
Bug fixes (18)
| Feature | Description |
|---|---|
| Manual tasks in MOP templates and Form Builder (ENG-16710) | Restored functionality for manual tasks in MOP templates and Form Builder. |
| Forms blocked by failed jQuery query calls (ENG-16481) | Resolved issue where forms were blocked by failed query calls. Forms now execute successfully within workflows despite jQuery dependency issues. |
| Integration Model OpenAPI 3.0.4 rejection (ENG-16268) | Updated the Integration Model import process to reject OpenAPI 3.0.4 models, preventing compatibility issues. Integration Models without authentication now work as expected. |
| Template Builder without tmp directory access (ENG-16175) | Template Builder now operates without requiring access to the /tmp/iap_python_jail directory or sudo chroot access to run Jinja2 templates, enabling functionality in STIG’ed and FIPS-enabled environments. |
| Asset tab workflow drag to childJob task (ENG-15842) | Enabled dragging workflows from the Asset tab to automatically create childJob tasks with properly populated incoming variables based on the workflow’s input schema. |
| Operations Manager GBAC automation import (ENG-15672) | Fixed import issue in Operations Manager where Automations with GBAC groups that don’t exist on the target system would import but remain inaccessible. Automations are now properly visible after import. |
| Save and Run button trigger execution (ENG-15306) | Corrected the ‘Save and Run’ button functionality to properly execute triggers after saving. |
| Ops Manager excessive myTtl API calls (ENG-15201) | Eliminated excessive API calls to /myTtl from Operations Manager. |
| Workflow rename metadata UI display (ENG-10398) | Fixed issue where renaming a workflow from the metadata would prevent the UI from displaying tasks and connections in Automation Studio. |
| Service discovery index creation race condition (ENG-9934) | Resolved race condition in service discovery during index creation in high availability environments. |
| Integration instance configurable timeout (ENG-8982) | Added support for configurable timeout values on integration instances, restoring timeout functionality. |
| Studio engineer/operator role unauthorized error (ENG-7332) | Users with default “engineer” and “operator” roles no longer see unauthorized access error messages on the Studio landing page. |
| Recent Tasks palette on workflow open (ENG-6662) | Resolved issue where the Recent Tasks palette failed to populate when opening a workflow. |
| Project Builder sort page position (ENG-4949) | Fixed sorting in Project Builder to maintain current page position after sorting and implement case-insensitive alphabetical ordering. |
| JST ID search crash in Studio collections (ENG-4110) | Corrected issue where searching for a JST by ID in the Studio collections dialog caused the Itential Platform UI to crash. Search now functions as expected. |
| Job variable read-only in reference view mode (ENG-3183) | Job variables can no longer be modified when a user is in reference view mode. |
| Project asset naming and linking in search (ENG-2894) | Corrected naming convention for project assets in system search results and fixed linking to project assets. |
| Project asset search special character escaping (ENG-2890) | Implemented regex expression to properly escape special characters when searching for workflows in Studio. |
Security fixes (5)
| Feature | Description |
|---|---|
| Multiple Snyk vulnerabilities by upgrading dependencies… (ENG-13145, ENG-13147, ENG-16416, ENG-16642, ENG-16656, ENG-16657, ENG-16658, ENG-16673, ENG-16677) | Resolved multiple Snyk vulnerabilities by upgrading dependencies across coreItential Platform components, adapters, and applications. |
| Operations Manager automation XSS fix (ENG-15651, ENG-15652, ENG-15653, ENG-15750, ENG-15751) | Fixed DOM-based XSS vulnerabilities in Operations Manager automation interface, DeviceGroup Titlebar component, and SVG rendering. Implemented URL sanitization in useUserGroupedAppsQuery.jsx. |
| URL component Open Redirect sanitization (ENG-15654) | Implemented URL component sanitization to resolve Open Redirect vulnerability in src/common/utils.js. |
| axios resource allocation vulnerability (ENG-15657, ENG-15676) | Updated axios to version 1.12.2 to address resource allocation vulnerability. |
| Path traversal vulnerability in itential-utils (ENG-15669, ENG-16310) | Resolved path traversal vulnerabilities by enhancing file path validation in itential-utils. |
6.1.1
Platform 6.1.1 is a maintenance release containing enhancements, bug fixes, and security updates.
Enhancements (12)
This release introduces the following enhancements to the Itential Platform.
| Feature | Description |
|---|---|
| Resource discovery unit tests (ENG-9617) | Added unit tests to resource-discovery list.test.js and validate.test.js. |
| Unused files and dependencies removal (ENG-10705) | Removed all unused files, code, and dependencies in Platform 6. |
| Child job variable masking (ENG-11320) | Updated the Child Job task to support masking of incoming and outgoing variables. |
| Transformation task variable masking (ENG-11321) | All input and output variables configured on a Transformation task are now individually maskable. |
| Task execution actor type restriction (ENG-11352) | Added support for restricting task execution based on actor type. Implemented this functionality for Studio’s getProject method. |
| Redis initial connection timeout config (ENG-11965) | Added a configurable timeout parameter for initial Redis connection during Platform startup. |
| JSON Forms JST dependency removal (ENG-12858) | Removed JSON Forms dependency on the JST library by using HTTP API calls to retrieve and run transformations in dynamic dropdowns. |
| Workflow Engine task worker rate limiting (ENG-13929) | Added rate limiting to the Workflow Engine task worker to improve system stability under high load. |
| TLS version configuration support (ENG-14617) | Added support for configuring minimum and maximum TLS versions (including TLS 1.3) used by theItential Platform web server. |
| Canvas transition color accessibility (ENG-14860) | Updated Success and Loop transition line colors in Canvas to meet accessibility standards. |
| BullMQ shutdown cleanup (ENG-14995) | Configured BullMQ cleanup on shutdown to improve resource management. |
| Web server total_time_ms log field (ENG-15813) | Added total_time_ms field to webserver.log, which measures request-to-response time in milliseconds. |
Bug fixes (27)
Platform 6.1.1 release includes fixes for potential bugs and issues detected in a controlled testing environment before making the software available.
| Feature | Description |
|---|---|
| Studio search with special characters in names (ENG-2571) | Fixed a search issue that prevented templates and transformations containing special characters (e.g., ‘*’) from being found in the Project builder. |
| Unusable shortcuts for transformations within projects (ENG-2891) | Removed unusable shortcuts for transformations within projects. |
| Canvas controls cut off in project editor (ENG-3420) | Fixed an issue where Canvas controls on a transformation were partially cut off when the function tab bar was opened in the Projects editor. |
| JSON Form file upload size error message (ENG-4769) | Improved the error message displayed when uploading files via JSON Form that exceed the maximum size limit. |
| Workflow group with project assets restriction (ENG-4774) | Fixed an issue that incorrectly allowed users to create Workflow Groups with Project assets. |
| Studio read-only banner accuracy (ENG-5403) | The read-only banner now displays only when users truly have read-only access to projects. |
| Device count failure handling (ENG-8269) | Fixed an issue that caused device counts to fail when devices couldn’t be found, and resolved cases where device counts of 0 were not recorded. |
| Integration instance log settings (ENG-8932) | Fixed Integration Instances to correctly refer to their individual log settings rather than the Platform-level log configuration when logging request activity. |
| Compliance report error tooltip (ENG-9267) | Added a tooltip to display quick error messages for items with ‘error’ status in compliance reports. |
| Create group API role assignment (ENG-9372) | Fixed an issue where groups and roles added to a custom group via the create group API were not properly reflected on users in the new group. |
| Health API Vault status check (ENG-9451) | Fixed invalid healthcheck in the Health API to ensure accurate Vault status reporting at the /health/status endpoint. |
| Integration model conversion error handling (ENG-9559) | Fixed an issue where Integration Models that errored during conversion caused subsequent Integration Models to fail to load into the platform. |
| iapGetAdapterQueue debug task (ENG-10281) | Added iapGetAdapterQueue task to improve debugging when the automation gateway adapter produces TimeoutOverflowWarning errors with throttling enabled. |
| JST incoming/outgoing schema issues (ENG-10352) | Fixed multiple JST issues related to special characters in schema $id, property names, and function names that could prevent assignments from being drawn or cause JST runtime failures. Also improved error visibility in the schema editor and added notifications for invalid assignments. |
| Project import createdBy field failure (ENG-10364) | Fixed an issue where projects containing workflows with a createdBy field would fail to import by removing this field during import. |
| Task worker shutdown scheduled task impact (ENG-10795) | Fixed an issue where stopping the task worker affected the ability to handle scheduled tasks until the instance was restarted. |
| Transformation internal function backspace delete (ENG-10848) | Fixed an issue where transformation internal functions disappeared when pressing backspace. |
| JST if-else conditional path evaluation (ENG-11148) | Fixed a JST issue where adding an else-if conditional path from the if…else method did not properly update subsequent conditional paths, causing incorrect evaluation. Added a warning when opening corrupted transformations to notify users. |
| JSON schema date formatting on copy to project (ENG-12405) | Fixed date formatting for JSON schemas when copying assets into a project space. |
| getTriggers deleted JSON form error (ENG-14364) | Fixed an issue with the getTriggers API where schedule triggers referencing non-existent JSON forms returned errors, preventing other triggers from working. |
| Project import asset loss (ENG-14405) | Fixed an issue that caused loss of assets when importing a project. |
| AG Manager task execution crash handling (ENG-14483) | Added additional error handling to prevent crashes during AG Manager task executions. |
| Asset tab task outgoing variable loss (ENG-14897) | Fixed an issue where adding a Child Job, Show JSON Form, Run Command/Analytic Template, or Apply Template task from the Assets tab stripped outgoing variables from the task. |
| Loop-to-outside transition prevention (ENG-14970) | Prevented users from drawing transitions from inside a loop to outside a loop. |
| Operations Manager ancestor job query performance (ENG-15013) | Fixed Operations Manager Jobs page stability issues that occurred with many jobs having more than 1,000 ancestor jobs. Updated the page to minimize database queries and resolved UI issues with the jobs table. |
| Event system and web server separation (ENG-15227) | Separated the Platform Event System from the HTTP Web Server process to eliminate the impact of high event throughput on platform performance. |
| Duplicate key error message (ENG-15538) | Updated error message when duplicate keys cause issues. |
Security fixes (14)
Platform 6.1.1 includes important security updates that address vulnerabilities in third-party packages and enhance data protection measures.
| Feature | Description |
|---|---|
| semver vulnerable version update (ENG-11009) | Updated packages to resolve security vulnerabilities in the semver package. |
| d3-color security update (ENG-11632) | Fixed security vulnerability in the d3-color package. |
| Config Manager XSS in export functions (ENG-13131) | Enhanced Configuration Manager export functions with secure download functionality, including data sanitization and safer DOM manipulation to prevent XSS vulnerabilities across all export operations (device groups, backups, golden configs, templates, compliance plans, and config parsers). |
| Dev Tools repository removal (ENG-13182) | Removed Dev Tools from the repository (not customer-impacting). |
| axios 1.11.0 security update (ENG-15142) | Updated axios to version 1.11.0 to fix security vulnerability. |
| express and body-parser security update (ENG-15175) | Updated express and body-parser to resolve security vulnerabilities. |
| express and body-parser security update (ENG-15176) | Updated express and body-parser to resolve security vulnerabilities. |
| express and body-parser security update (ENG-15177) | Updated express and body-parser to resolve security vulnerabilities. |
| express and body-parser security update (ENG-15178) | Updated express and body-parser to resolve security vulnerabilities. |
| express and body-parser security update (ENG-15179) | Updated express and body-parser to resolve security vulnerabilities. |
| Cookie XSS security update (ENG-15181) | Updated express and body-parser to resolve XSS vulnerability in cookie. |
| express body-parser XSS security update (ENG-15450) | Updated express and body-parser to resolve XSS vulnerability. |
| Emotion @babel/runtime vulnerability (ENG-15510) | Updated emotion dependencies to fix vulnerability in @babel/runtime. |
| Emotion packages and axios security update (ENG-15512) | Upgraded @Emotion packages (css, react, styled) and axios from 1.8.4 to 1.12.2 to address resource allocation security issues. |
6.1.0
Platform 6.1.0 artifacts have been removed from the Itential Artifact Repository. We apologize for any inconvenience.
Platform 6.1.0 is a minor release that introduces variable masking, along with bug fixes and security updates.
For an overview of the highlights and key features in this release, see the Platform 6.1.0 feature announcement.
6.0.8
Platform 6.0.8 is a maintenance release containing enhancements, bug fixes, and security updates.
Enhancements (2)
| Feature | Description |
|---|---|
| PEM-encoded TLS cert support (ENG-12771) | Added support for PEM-encoded TLS certs for Redis, MongoDB, CyberArk, and Express webserver. |
| LDAP adapter custom group login restriction (ENG-13638) | Added LDAP adapter property to restrict login to custom groups. |
Bug fixes (6)
| Feature | Description |
|---|---|
| Project homepage table scrolling (ENG-5029) | Fixed table scrolling on the projects homepage. |
| Project template large output view (ENG-10276) | Fixed an issue viewing templates with large outputs in projects. |
| Project asset move corruption fix (ENG-14157) | Fixed an issue where moving assets between projects could make projects unusable. |
| SSO login NameID null handling (ENG-14293) | Fixed a bug where logging into Itential through an SSO provider that fails to provide a NameID value would result in incorrect login behavior. |
| CyberArk CCP secrets provider health status (ENG-14423) | The /health/status API now correctly identifies CyberArk CCP as the secrets provider. |
| SLA zero value jobSlaBreach event (ENG-14521) | Fixed jobs where SLA set to 0 incorrectly triggered jobSlaBreach events. |
Security fixes (29)
| Feature | Description |
|---|---|
| DOMPurify security update (ENG-11630) | Updated DOMPurify dependency to address a security vulnerability. |
| Config Manager XSS in SearchDialog export (ENG-13132) | Fixed XSS vulnerability in Configuration Manager SearchDialog by adding a secure download function, sanitizing remote data, and using setAttribute for DOM manipulation. Applied fixes to all six export functions. |
| Config Manager XSS in SearchDialog export (ENG-13133) | Fixed XSS vulnerability in Configuration Manager SearchDialog by adding a secure download function, sanitizing remote data, and using setAttribute for DOM manipulation. Applied fixes to all six export functions. |
| Config Manager XSS in export function (ENG-13141) | Fixed XSS vulnerability in Configuration Manager SearchDialog by adding a secure download function, sanitizing remote data, and using setAttribute for DOM manipulation. Applied fixes to all six export functions. |
| Config Manager XSS in export function (ENG-13143) | Fixed XSS vulnerability in Configuration Manager SearchDialog by adding a secure download function, sanitizing remote data, and using setAttribute for DOM manipulation. Applied fixes to all six export functions. |
| Config Manager XSS in export function (ENG-13144) | Fixed XSS vulnerability in Configuration Manager SearchDialog by adding a secure download function, sanitizing remote data, and using setAttribute for DOM manipulation. Applied fixes to all six export functions. |
| Config Manager exportJson XSS fix (ENG-13161) | Fixed XSS vulnerability in Configuration Manager exportJson function by adding filename sanitization and using setAttribute instead of direct property assignment. |
| Config Manager PageContainer XSS fix (ENG-13162) | Fixed XSS vulnerability in Configuration Manager PageContainer by sanitizing backup names and replacing object spread with direct prop assignment. |
| ConfirmInstances instance name XSS fix (ENG-13163) | Fixed XSS vulnerability in ConfirmInstances.jsx by sanitizing instance.name rendering to prevent script execution. |
| Config Manager ComplianceRunReports XSS fix (ENG-13164) | Fixed XSS vulnerability in Configuration Manager ComplianceRunReports by using setAttribute and adding filename sanitization. |
| Config Manager SearchGCCard XSS fix (ENG-13165) | Fixed XSS vulnerability in Configuration Manager SearchDialog/SearchGCCard by using setAttribute and adding filename sanitization. |
| Config Manager exportJson XSS fix (ENG-13166) | Fixed XSS vulnerability in Configuration Manager exportJson function by adding filename sanitization and using setAttribute instead of direct property assignment. |
| Studio notifications DOM-based XSS fix (ENG-13167) | Fixed DOM-based XSS vulnerability in Automation Studio notifications by implementing URL origin validation. |
| Lifecycle Manager ActionTable XSS fix (ENG-13168) | Fixed DOM-based XSS vulnerability in Lifecycle Manager ActionTable through explicit prop assignment. |
| Config Manager SearchDeviceTemplatesCard XSS fix (ENG-13169) | Fixed XSS vulnerability in Configuration Manager SearchDeviceTemplatesCard by using setAttribute and adding filename sanitization. |
| SearchBackupCard filename XSS fix (ENG-13170) | Fixed XSS vulnerability in SearchBackupCard by sanitizing filenames in export functionality. |
| InstanceGroupsTable XSS fix (ENG-13172) | Fixed XSS vulnerability in InstanceGroupsTable component by replacing spread operator with explicit prop assignments. |
| ComplianceReportingCard filename XSS fix (ENG-13173) | Fixed XSS vulnerability in ComplianceReportingCard by sanitizing filenames in export functionality. |
| Config Manager exportJson XSS fix (ENG-13175) | Fixed XSS vulnerability in Configuration Manager exportJson function by adding filename sanitization and using setAttribute instead of direct property assignment. |
| StaticGroups XSS fix (ENG-13178) | Fixed XSS vulnerability in StaticGroups component by removing dangerous object spread pattern and implementing sanitization utilities. |
| SearchCompliancePlanCard XSS fix (ENG-13179) | Fixed XSS vulnerability in SearchCompliancePlanCard by sanitizing filename input before DOM manipulation. |
| ChildActionTable XSS fix (ENG-13180) | Fixed XSS vulnerability in ChildActionTable component by removing spread operator that allowed unsanitized input injection. |
| setTimeout state variable naming conflict (ENG-13181) | Renamed setTimeout state variable to setTimeoutValue to avoid naming conflict with global setTimeout() function. |
| DuplicateProjectDialog open redirect fix (ENG-13188) | Fixed open redirect vulnerability in Automation Studio DuplicateProjectDialog through MongoDB ObjectId validation. |
| Centralized sanitization methods (ENG-13949) | Centralized sanitization methods to resolve multiple vulnerabilities. |
| passport-saml security update (ENG-13956) | Updated @node-saml/passport-saml dependency to address a security vulnerability. |
| swagger-ui-react security update (ENG-14460) | Updated swagger-ui-react dependency to address a security vulnerability. |
6.0.7
Platform 6.0.7 is a maintenance release containing enhancements, bug fixes, and security updates.
Enhancements (7)
| Feature | Description |
|---|---|
| Unused files and dependencies removal (ENG-10705) | Removed all unused files, code, and dependencies in Platform 6. |
| Workflow data UUID property (ENG-12003) | A new UUID property has been added to workflow data to enhance data management and identification. |
| Cookie escaping and hashing security fix (ENG-12675) | Updates were made in the Platform to fix cookie escaping and hashing, addressing low vulnerabilities that were previously identified. |
| Docker image Itential user ID standardization (ENG-12772) | The Itential user within Docker images has now been assigned a group/user id of 1001:1001 to standardize user management. |
| CyberArk CCP secrets provider support (ENG-12789) | Added support for CyberArk CCP as a secrets provider. |
| Network dependency addition (ENG-13401) | A new network dependency was added to enhance the functionality and fix issues related to the Platform pipeline. |
| Gateway Manager clusterId connection deduplication (ENG-13928) | Gateway Manager connection validation now ensures only one connection exists per clusterId during new connection handling. |
Bug fixes (16)
| Feature | Description |
|---|---|
| Pre-built import duplicate key race condition (ENG-7955) | When importing a pre-built, a “duplicate key error collection” error returned. Fixed a race condition in the processAutomations method that occurred if multiple workflows in the imported pre-built contain the same group. This fix ensures the pre-built will no longer error the import API. |
| Admin Essentials out-of-sync banner (ENG-8372) | The “out of sync” banner no longer persists when an application is “in sync” after a user selects an application within the Application section of Admin Essentials and refreshes the page. |
| getTimeByTimezone task with DST support (ENG-8589) | Created a new getTimeByTimezone task that presents timezones by location to accommodate for time variations caused by Daylight Savings Time. Additionally, timezone input is now optional and will default to the system’s timezone if not present, also accounting for Daylight Savings Time. |
| Child job loop stuck in running state (ENG-8815) | Fixed a bug in which child job loops remained stuck in a running state when all child jobs were cancelled. |
| Parallel revert infinite loop fix (ENG-8999) | Fixed an issue where jobs that had reverts in parallel could trigger an infinite loop that saturated the CPU. |
| convertTimezone input time default (ENG-10315) | Fixed an issue where the convertTimezone task and other time tasks would default to using the current date and time as opposed to the correct input time. |
| Transformation internal function backspace delete (ENG-10848) | A bug was fixed where the internal functions of transformation would disappear upon pressing the backspace key, improving user experience. |
| Service memory crash and restart (ENG-11043) | An issue was fixed where a service (application/adapter) crashed due to running out of memory and could not be restarted, ensuring better service reliability. |
| Task palette default variable keys for transformations (ENG-12350) | The task palette has been updated to set default keys for incoming and outgoing variables specifically for transformation assets, based on the asset’s schema. |
| Deep nested object task stuck in running state (ENG-12865) | A fix was made to address an issue where tasks that utilized deeply nested objects or large arrays of objects as inputs could become stuck in a running state, resulting in a “Maximum Call Stack” error being logged. |
| Studio workflow strict validation disable (ENG-13023) | The strict mode for Studio workflow run validation has been disabled to improve flexibility and usability during workflow execution and prevent workflow error. |
| mongo_url password masking in Admin Essentials (ENG-13035) | Resolved an issue that exposed passwords in mongo_url. The mongo_url property is now effectively masked in the Admin Essentials Configuration view to enhance security and prevent unauthorized access. |
| JST conditional step reference breakage (ENG-13291) | An issue was resolved in JST Transformations where adding conditionals to a step that had multiple assignments from the return would lead to a broken reference. Additionally, a fix was implemented to ensure that a new context would properly propagate from a step with multiple assignments. |
| Adapter property encryption on import (ENG-13377) | A bug was fixed concerning the adapter properties, which were previously unencrypted upon import when the propertySchema did not explicitly declare the property as encrypted. |
| JST anchor assigned state after invalid transition (ENG-13405) | Resolved issue where anchors incorrectly remained marked as assigned when drawing invalid transitions from context variables to parameters across different tasks. |
| Gateway creation service-group state (ENG-14383) | Fixed an issue where creating a new gateway would succeed, but result in a bad service-group state. |
Security fixes (9)
| Feature | Description |
|---|---|
| semver vulnerable version update (ENG-11009) | Packages have been updated to ensure a non-vulnerable version of semver is utilized across the Platform, enhancing overall security. |
| swagger-client and swagger-ui-react security update (ENG-11611) | Updated the swagger-client and swagger-ui-react dependency versions to resolve a security vulnerability. |
| axios security update (ENG-11626) | Updated the axios dependency version to fix a security vulnerability that was detected in previous versions. |
| prismjs security update (ENG-11629) | Updated the prismjs dependency version to resolve a security vulnerability. |
| path-to-regexp security update (ENG-11631) | Updated the path-to-regexp dependency version to address a security vulnerability. |
| cookie-parser and express-session security update (ENG-11634) | Updated the cookie-parser and express-session versions to mitigate a security vulnerability. |
| Studio Command component XSS prevention (ENG-13135) | Implemented XSS prevention measures by adding proper input sanitization and character escaping in the Automation Studio Command component. |
| Studio component XSS remediation (ENG-13136) | Applied additional XSS vulnerability remediation with enhanced input validation and character escaping in Automation Studio components. |
| form-data dependency security update (ENG-13771) | Updated the form-data dependency version to address a security vulnerability. |
6.0.6
Platform 6.0.6 is a maintenance release containing enhancements, bug fixes, and security updates.
Platform 6.0.6 artifacts have been removed from the Itential Artifact Repository. We apologize for any inconvenience.
Enhancements (6)
| Feature | Description |
|---|---|
| Unused files and dependencies removal (ENG-10705) | Removed all unused files, code, and dependencies in Platform 6. |
| Workflow data UUID property (ENG-12003) | A new UUID property has been added to workflow data to enhance data management and identification. |
| Cookie escaping and hashing security fix (ENG-12675) | Updates were made in the Platform to fix cookie escaping and hashing, addressing low vulnerabilities that were previously identified. |
| Docker image Itential user ID standardization (ENG-12772) | The Itential user within Docker images has now been assigned a group/user ID of 1001:1001 to standardize user management. |
| CyberArk CCP secrets provider support (ENG-12789) | Added support for CyberArk CCP as a secrets provider. |
| Network dependency addition (ENG-13401) | A new network dependency was added to enhance functionality and fix issues related to the Platform pipeline. |
Bug fixes (15)
| Feature | Description |
|---|---|
| When importing a pre-built, a “duplicate key error c… (ENG-7955) | When importing a pre-built, a “duplicate key error collection” error returned. Fixed a race condition in the processAutomations method that occurred if multiple workflows in the imported pre-built contain the same group. This fix ensures the pre-built will no longer error the import API. |
| Admin Essentials out-of-sync banner (ENG-8372) | The “out of sync” banner no longer persists when an application is “in sync” after a user selects an application within the Application section of Admin Essentials and refreshes the page. |
| getTimeByTimezone task with DST support (ENG-8589) | Created a new getTimeByTimezone task that presents timezones by location to accommodate for time variations caused by Daylight Saving Time. Additionally, timezone input is now optional and will default to the system’s timezone if not present, also accounting for Daylight Saving Time. |
| Child job loop stuck in running state (ENG-8815) | Fixed a bug in which child job loops remained stuck in a running state when all child jobs were cancelled. |
| Parallel revert infinite loop fix (ENG-8999) | Fixed an issue where jobs that had reverts in parallel could trigger an infinite loop that saturated the CPU. |
| convertTimezone input time default (ENG-10315) | Fixed an issue where the convertTimezone task and other time tasks would default to using the current date and time as opposed to the correct input time. |
| Transformation internal function backspace delete (ENG-10848) | A bug was fixed where the internal functions of a transformation would disappear upon pressing the backspace key. |
| Service memory crash and restart (ENG-11043) | An issue was fixed where a service (application/adapter) crashed due to running out of memory and could not be restarted, ensuring better service reliability. |
| Task palette default variable keys for transformations (ENG-12350) | The task palette has been updated to set default keys for incoming and outgoing variables specifically for transformation assets, based on the asset’s schema. |
| Deep nested object task stuck in running state (ENG-12865) | A fix was made to address an issue where tasks that utilized deeply nested objects or large arrays of objects as inputs could become stuck in a running state, resulting in a “Maximum Call Stack” error being logged. |
| Studio workflow strict validation disable (ENG-13023) | The strict mode for Studio workflow run validation has been disabled to improve flexibility and usability during workflow execution and prevent workflow errors. |
| mongo_url password masking in Admin Essentials (ENG-13035) | Resolved an issue that exposed passwords in mongo_url. The mongo_url property is now masked in the Admin Essentials Configuration view to enhance security and prevent unauthorized access. |
| JST conditional step reference breakage (ENG-13291) | An issue was resolved in JST transformations where adding conditionals to a step that had multiple assignments from the return would lead to a broken reference. Additionally, a fix was implemented to ensure that a new context propagates correctly from a step with multiple assignments. |
| Adapter property encryption on import (ENG-13377) | A bug was fixed concerning adapter properties, which were previously unencrypted upon import when the propertySchema did not explicitly declare the property as encrypted. |
| JST anchor assigned state after invalid transition (ENG-13405) | Resolved an issue where anchors incorrectly remained marked as assigned when drawing invalid transitions from context variables to parameters across different tasks. |
Security fixes (9)
| Feature | Description |
|---|---|
| semver vulnerable version update (ENG-11009) | Packages have been updated to ensure a non-vulnerable version of semver is utilized across the Platform. |
| swagger-client and swagger-ui-react security update (ENG-11611) | Updated the swagger-client and swagger-ui-react dependency versions to resolve a security vulnerability. |
| axios security update (ENG-11626) | Updated the axios dependency version to fix a security vulnerability that was detected in previous versions. |
| prismjs security update (ENG-11629) | Updated the prismjs dependency version to resolve a security vulnerability. |
| path-to-regexp security update (ENG-11631) | Updated the path-to-regexp dependency version to address a security vulnerability. |
| cookie-parser and express-session security update (ENG-11634) | Updated the cookie-parser and express-session versions to mitigate a security vulnerability. |
| Studio Command component XSS prevention (ENG-13135) | Implemented XSS prevention measures by adding proper input sanitization and character escaping in the Automation Studio Command component. |
| Studio component XSS remediation (ENG-13136) | Applied additional XSS vulnerability remediation with enhanced input validation and character escaping in Automation Studio components. |
the form-data dependency version to address a secu… (ENG-13771) | Updated the form-data dependency version to address a security vulnerability. |
6.0.5
Platform 6.0.5 is a maintenance release containing enhancements, bug fixes, and security updates.
Enhancements (4)
| Feature | Description |
|---|---|
| Redis initial connection timeout config (ENG-11965) | Added a configurable parameter where you can set a timeout for initial startup Redis connection. The connectTimeout and handleConnectionTimeout properties set the maximum time in milliseconds to wait for the initial Redis connection before timing out. If not set, defaults to 30000 ms (30 seconds). |
| NSO adapter global-timeout flag (ENG-12523) | The NSO adapter has been updated to incorporate a global-timeout setting, which acts as a boolean flag. When set to true, this setting allows services to bypass local timeout values and adhere to the global timeout configuration. If not activated or set to false, the system reverts to either a custom value or the default timeout of 60 seconds. |
| jobStart event workflowId and projectId (ENG-12595) | Added workflowId and projectId properties to the jobStart event in Workflow Engine. These unique identifiers help correlate workflow executions (jobs) and protect against unexpected event duplication. |
| Workflow Engine task event summary and description (ENG-12662) | Added a task summary and description to Workflow Engine events. This metadata is automatically added to task events handled via the eventSystem, allowing users to understand the purpose and details of each event. |
Bug fixes (11)
| Feature | Description |
|---|---|
| SAML SSO post-login redirect (ENG-4213) | When the Platform was configured to authenticate users via SAML SSO, a user who was logged out from a page in the Platform would not be redirected to their original location after logging back in. Support was added for persistent redirect links across SAML SSO login flows to ensure users are restored to their original location. |
| childJob loop status in output (ENG-7728) | Fixed an issue where the status for each job was not reflected in the output objects from the childJob task when either parallel or sequential looping was enabled. |
| Workflow canvas duplicate task definitions (ENG-7900) | In certain circumstances, the workflow builder canvas would display duplicate task definitions in the task palette. This change eliminates possible race conditions and ensures no duplicates are added. |
| Azure/EntraID SSO disableAuthnContext toggle (ENG-8062) | When configuring Azure/EntraID as an identity provider (IdP) in the Platform, the SSO test connection failed due to a required Password, ProtectedTransport authentication method. Added a “Disable Expected Auth” toggle to the SSO configuration page that gives administrators the option to control the disableAuthnContext configuration property. |
| JST incoming/outgoing schema issues (ENG-10352) | A series of fixes have been implemented to address multiple issues that occurred when using an incoming or outgoing JST schema. These issues have been resolved to ensure proper functionality at runtime. |
| JST deleted step reference persistence (ENG-10751) | Resolved a JST bug that allowed references to deleted steps to persist within the context of other steps, ensuring that the integrity of the workflow remains intact. |
| Platform early shutdown Redis connection check (ENG-12023) | Added checks for iap_id and Redis connection to ensure smooth shutdowns when exiting the Platform early in the startup process and when exiting after Redis shuts down. |
| Pre-built GBAC import sidebar visibility (ENG-12445) | When importing a pre-built automation with GBAC assigned, the imported automation did not appear in the Operations Manager side navigation bar. Fixed pre-built automation import to ensure all GBAC id values are strings and the automation is displayed in the side navigation bar. |
| Command template percentage selector (ENG-12529) | The command template builder UI previously lacked the maximum accepted percentage (%) selector when performing a comparison evaluation by percentage. This issue has been rectified by re-adding the selector to the UI. |
| maxIdleTimeMS connection timeout property (ENG-12586) | A new configurable timeout property, maxIdleTimeMS, has been introduced to effectively drop unused connections, with a default setting of five minutes. This enhancement is designed to reduce the total number of connections during periods of lighter usage. |
| Admin Essentials group member save button (ENG-12616) | When adding users to a group via the UI, the save button was greyed out (disabled). The edit group dialog now enables the save button when modifying group members through the Admin Essentials UI. |
6.0.4
Platform 6.0.4 is a maintenance release containing enhancements, bug fixes, and security updates.
Enhancements (5)
This section highlights quality improvements to Itential Platform’s functionality in this maintenance release.
| Feature | Description |
|---|---|
| Configurable serverId strategies (ENG-11313) | Support has been added for configurable serverId strategies, including a new strategy for generating a random UUID as the serverId. This improvement allows for greater flexibility in server identification. |
| auth-metadata endpoint for AAA providers (ENG-11314) | Introduced a new /.well-known/auth-metadata endpoint to support AAA providers in retrieving relevant metadata while users are unauthenticated. This update, along with enhancements to the Azure AAA adapter, allows the Platform to dynamically set the client and tenant IDs on the SSO login page, significantly improving the user experience. |
| Workflow Engine task events (ENG-11418) | Task events have been added to the Workflow Engine, which significantly improves the auditing capabilities of job processing, allowing for better tracking and management of tasks. |
| Gateway Manager runService task variables (ENG-11516) | Implemented custom job and task variable support in the Gateway Manager runService task. This task enhances the functionality of Gateway Manager, allowing users to select the service type and gateway cluster, and use variable options for cluster and service inputs. |
| Gateway Manager sidebar relocation (ENG-11700) | The Gateway Manager option has been relocated to the Administration section of the Itential Platform sidebar. This UI change is accompanied by a new icon for better visibility and user experience. |
Bug fixes (16)
This maintenance release of Itential Platform includes fixes for bugs that were reported to Itential Product Support.
| Feature | Description |
|---|---|
| the custom role dialog in Admin Essentials did not d… (ENG-1609) | Fixed an issue where the custom role dialog in Admin Essentials did not display roles for methods categorized as tasks, which are not HTTP endpoints. The endpoint behind the configuration dialog has been corrected to return task methods, enabling comprehensive configuration of custom roles. |
| Redis initialization logging (ENG-9045) | Enhancements have been made to logging and error checking processes during Redis initialization, improving overall reliability and troubleshooting capabilities. |
| Project import createdBy field failure (ENG-10364) | A problem was identified where projects containing workflows with a createdBy field would fail to import. This issue has been rectified by removing the createdBy field during the import process. |
| rodeo-ui myTtl API repeated calls (ENG-10673) | Updated the rodeo-ui version to resolve a bug issue where the /myTtl API endpoint was being unnecessarily triggered multiple times when the Logout Warning Dialog was displayed. |
| GitHub project over 2 MB pull error (ENG-10721) | An issue was resolved where Projects larger than 2MB would encounter errors when pulled from a Github repository. This issue has been corrected to ensure smoother Project management. |
| Schedule trigger nextRunAt calculation (ENG-10753) | Resolved calculation errors in nextRunAt for schedule triggers that occurred under specific creation circumstances, ensuring that nextRunAt is now calculated accurately. |
| Symlink support for custom apps (ENG-10757) | Restored support for using symlink with custom apps and adapters. |
| PHSpinner default value handling (ENG-10758) | Corrected the method by which the PHSpinner component was setting its current and default values in the UI. |
| Job start workflow validation regression (ENG-10784) | A critical issue was fixed where starting a job would fail to validate the workflow correctly. Instead, it relied on outdated error data from the workflow document to determine if the job could start. This issue has been corrected to ensure proper validation. |
| New service startup without restart (ENG-11370) | When the profile document serves as the source for the services configuration property, a new service can now be added to the Platform, which will spin up the service during the first startup rather than only upon restart. This regression from version 2023.2 has been resolved for Platform 6. |
| forEach revert transition loop termination (ENG-11399) | A fix has been applied to address an issue where revert transitions initiated from within a forEach loop could unexpectedly terminate the loop prematurely, causing disruptions in the intended logic. |
| Operations Manager project name loss on import (ENG-11602) | An issue was resolved where Operations Manager Automations lost the referenced Project name from the imported Project. This issue has been corrected to ensure proper functionality. |
| LDAP authentication custom group login (ENG-11641) | A bug was fixed that prevented users from successfully logging in when utilizing the LDAP authentication method with custom groups. |
| Transformation import function deselection (ENG-11692) | Upon import, valid functions were deselected from the transformation when opened and saved, and the transformation did not work as expected when running it in JST Designer. Updated the checkType parameter in the function check logic. Imported transformations now retain their selected functions on import, and are no longer empty. |
| A critical fix was implemented to the Node version h… (ENG-11872) | A critical fix was implemented to the Node version health check, which now ensures that the post-merge pipeline can successfully pass without any hindrance. |
| Health status endpoint readiness probe timeout (ENG-11901) | The /health/status endpoint, used to ping downstream services when performing a health check, caused timeouts when used with a readiness probe. Added a new optional query parameter exclude-services so that the endpoint only returns health information related to the Platform itself, and not the health of its connections to downstream systems. |
Security fixes (1)
This section highlights fixes and measures to prevent and minimize security risks and vulnerabilities.
| Feature | Description |
|---|---|
| undici insecure randomness in Admin Essentials (ENG-10283) | During security scans, it was discovered that certain versions of the undici package in Admin Essentials were vulnerable to Insecure Randomness risks. To address this vulnerability, the package dependency has been upgraded to version 6.21.1. |
6.0.3
Platform 6.0.3 is a maintenance release containing enhancements, bug fixes, and security updates.
Enhancements (4)
| Feature | Description |
|---|---|
| Cross-workflow task copy and paste (ENG-9862) | Users can now copy and paste workflow tasks between different workflows, including those in projects. This enhancement extends the existing copy/paste functionality beyond a single workflow canvas, enabling users to reuse task configurations across multiple workflows and improving overall workflow development efficiency. |
| workflow_builder API endpoint examples (ENG-9923) | Enhancements have been made to the examples used in the documentation for the /workflow_builder/ API endpoint. These improvements provide clearer guidance and facilitate a better understanding for users, ultimately leading to a more effective use of the API. |
| Trigger form data persistence (ENG-10754) | The system now ensures that valid form data within triggers remains persistent even after updates are made to the corresponding JSON form. This enhancement bolsters data integrity and significantly improves user workflow efficiency. |
| Duplicate project unique name prompt (ENG-10787) | A new dialog feature has been introduced that prompts users to enter a unique name when duplicating a project, thereby improving the user experience and ensuring clarity when naming projects. |
Bug fixes (9)
| Feature | Description |
|---|---|
| Project import duplicate asset reference fix (ENG-7974) | An issue was discovered that allowed users to import a Project successfully, but all asset-references were broken if another user attempted to import the same project into the same Itential Platform environment. The duplicate project checks have been updated to accurately identify duplicate projects that are not accessible by the current user, thereby improving the user experience. |
| Create group API role assignment (ENG-9372) | A bug was fixed where groups and roles that were added to a custom group using the create group API were not accurately reflected for users in the new group. This fix ensures that the user permissions and roles are correctly assigned and displayed. |
| Adapter DEGRADED status auto-recovery (ENG-9757) | An issue was resolved where adapters that were in a DEGRADED status did not automatically revert to Online status upon restoration of connection. A code fix has been implemented to facilitate automatic recovery from the degraded state, ensuring a seamless transition back to normal operational status. |
| Profile migration script default values (ENG-10245) | A defect was fixed in the migration scripts for Itential Platform Profiles. Previously, default values were being added, which did not align with the updated requirements for new Profiles that no longer necessitate any values. This fix ensures the migration process aligns with the updated requirements. |
| Operations Manager child job 404 error (ENG-10692) | A bug was identified where attempting to access a child job via the Operations Manager UI using the right-click menu for the task resulted in a 404 error. This issue has been resolved, and now clicking the “Open” button will successfully navigate to the intended child job without any errors. |
| Task worker shutdown scheduled task impact (ENG-10795) | An issue was resolved where stopping the Task Worker negatively impacted the ability to manage scheduled tasks on an instance. This issue persisted until the instance was restarted. The fix ensures that the scheduled tasks can be handled without requiring a restart after stopping the Task Worker. |
| Redis credentials logged on shutdown (ENG-10897) | In rare instances during the shutdown process, the Platform had the potential to log Redis credentials inadvertently. A fix has been successfully implemented to prevent this from occurring, thereby enhancing security and protecting sensitive information. |
| UpdateForm API invalid ID crash (ENG-11035) | An issue was discovered that allowed users to inadvertently input an invalid ID into the UpdateForm API, which caused app-json_forms to unexpectedly stop working. This problem has been resolved through the implementation of input validation measures, ensuring that such invalid entries are no longer possible. |
| Workflow task add performance with many adapters (ENG-11131) | In scenarios where numerous adapters have been installed, users may experience a freezing issue when attempting to add tasks to a workflow. To address this concern, significant enhancements have been implemented in the workflow rendering process, which has resulted in significant performance improvement when a task is added to the workflow. |
Security fixes (1)
| Feature | Description |
|---|---|
| body-parser amplification in Pronghorn Core (ENG-10623) | When running security scans, it showed affected versions of the body-parser library in Pronghorn Core were vulnerable to Asymmetric Resource Consumption (Amplification) risks. Upgraded the package dependency to 1.20.3 to resolve this vulnerability. |
6.0.2
Platform 6.0.2 is a maintenance release containing enhancements, bug fixes, and security updates.
Enhancements (8)
| Feature | Description |
|---|---|
| Trigger form data persistence (ENG-6823) | Valid form data in triggers now persists during updates to the corresponding JSON form. |
| automation-studio API endpoint examples (ENG-9270) | Enhanced task examples in the documentation for the /automation-studio/ API endpoint. |
| Admin Essentials serviceDirectory property (ENG-9774) | Introduced support for the serviceDirectory property in Admin Essentials Profiles UI. |
| discoverReferences MongoDB optimization (ENG-10528) | Optimized the /automation-studio/discoverReferences API endpoint to minimize MongoDB calls and ensure a consistent parents array, addressing performance issues with large responses. |
| Child job static loop uncheck regression (ENG-10668) | Resolved an issue in child job tasks where setting the loop type to static would inadvertently uncheck the enable looping switch. |
| Transition mode banner ESC shortcut (ENG-10785) | The transition mode banner has been updated for consistency within the Rodeo UI banner component and now supports the ESC shortcut for closing the banner. |
| Add/edit schema dialog redesign (ENG-10786) | Updated the add and edit schema dialog design to improve user experience. |
| Delete asset dialog clarity (ENG-10788) | The delete asset dialog in projects has been updated for clarity regarding which asset is about to be deleted. |
Bug fixes (8)
| Feature | Description |
|---|---|
| Create group API role assignment (ENG-9372) | Fixed an issue where groups and roles added to a custom group with the create group API were not properly reflected on a user in the new group. |
| HA cluster custom role consistency (ENG-9520) | Itential servers in an HA (high availability) cluster occasionally showed different sets of custom roles. Updated itential/service and itential/logger to enable service and startup errors to reach log files. All startup and shutdown notification logs are now logged with the system. |
| Transformation nested function args render (ENG-9813) | When viewing a transformation containing a nested function step with an empty args array, opening the function causes rendering and runtime issues. Added additional checks to address rendering and runtime issues when viewing a transformation with a nested function step in this state. |
| Project import createdBy field failure (ENG-10364) | When exporting a project with workflows from a dev environment and then importing it to a staging environment, the workflows were missing post-import. Fixed an issue where projects containing workflows with a createdBy field would fail to import by removing this field during the import process. |
| Default logout timeout increase (ENG-10376) | Updated the default logout time from 20 minutes to 60 minutes. |
| Integration task stuck in running state (ENG-10679) | Integration tasks added to workflows would remain in a running state indefinitely. To resolve this issue, modified the lifecycle logic for adding integration configs to the global.config when the Platform starts up. |
| Task worker shutdown scheduled task impact (ENG-10795) | The run window on a task would stop working when job execution was disabled and then immediately re-enabled from Admin Essentials. Fixed an issue where the action of stopping the task worker affected the ability to handle scheduled tasks on an instance until the instance was restarted. |
| JSON Form dropdown removed option persistence (ENG-10847) | Options removed from a JSON form dropdown were still maintained as values in the form in Operations Manager. When a JSON form dropdown option is removed, the corresponding form data is now cleared for any triggers that had the option selected. |
Security fixes (2)
| Feature | Description |
|---|---|
| passport-saml cryptographic signature (ENG-10284) | When running security scans, it showed improper verification of the cryptographic signature. Upgraded the @node-saml/passport-saml package to version 5.0.1 to resolve the security vulnerability. |
| body-parser amplification vulnerability (ENG-10287) | When running security scans, affected versions of the body-parser package were found to be vulnerable to asymmetric resource consumption (amplification). Updated the package to version 1.20.3 to fix the security vulnerability. |
6.0.1
Platform 6.0.1 is a maintenance release containing enhancements, bug fixes, and security updates.
Enhancements (3)
| Feature | Description |
|---|---|
| Child job loop type options (ENG-2829) | Added static, job, and task options to the loop type property in a child job task. You now have the ability to select a loop type, or optionally have the loop type passed in as a variable. |
| Independent release and build versioning (ENG-9854) | Updated the Platform to implement support for independent release and build versioning. |
| Studio sidebar navigation rename (ENG-10163) | Changed “Automation Studio” to “Studio” in the sidebar and menu navigation systems in the Platform. |
Bug fixes (21)
| Feature | Description |
|---|---|
| JSON Form dynamic dropdown pagination (ENG-6790) | When using JSON Forms with dynamic dropdown, the search function within paginated results did not return query results as expected. Fixed issues with multi-select dropdowns that use a large dataset. |
| OpenAPI 3.1 swagger-client support (ENG-7205) | OpenAPI integration models could be imported, but when creating an instance or starting the server with a created instance, an error occurred within Admin Essentials. Updated swagger-client to ensure support of OpenAPI 3.1 integrations. |
| getDevicesFiltered ostypes fix (ENG-7848) | Retrieving devices with the getDevicesFiltered API call did not return results as expected via Config Manager and Gateway tasks. Fixed ostypes filtering to correctly retrieve and return devices. |
| JST Designer switch case deletion (ENG-7883) | When deleting a switch case in the JST Designer canvas, the switch method card and transitions were not updated properly. Deleting a switch case now works as expected. |
| Project view-only asset move restriction (ENG-7925) | Previously, users with view access only to a project were able to remove assets by moving them to a project where they had editor access. Fixed to prevent users with view access from moving these assets. |
| JST Designer function rename collision (ENG-8045) | When adding a function in JST Designer, the name may unexpectedly add a “(1)”. Updated logic to check for id and name collisions to fix a case where adding a function to a JST would unnecessarily rename the function. |
| Admin Essentials no-profile error message (ENG-8354) | When Itential Platform is running with no active profile, an error message displays when attempting to create, update, or delete a repository configuration in Admin Essentials. Updated the error message to include more detail about the cause. |
| Project references tree view (ENG-8368) | Resolved an issue when trying to find assets related to a project. Implemented a tree view in the References Panel that allows users to search for references ad hoc. |
| JSON Form table custom key element removal (ENG-9018) | In a JSON Form with a table that has a custom key, adding a form element to the table and then changing the custom key no longer removes the added element. |
| Command/analytic template clone crash (ENG-9031) | API errors as a result of cloning a command template and analytic template no longer crash the UI. Also updated the JSON schema for command templates and analytic templates to allow for the createdBy and lastUpdatedBy fields to be null. |
| Integration task request queue removal (ENG-9222) | Removed request queue for integration tasks to prevent CPU increase when worker threads are unavailable. Added logs to improve debugging for integration tasks. |
| JST Designer schema collapse assignments (ENG-9268) | When collapsing a schema in JST Designer, any nested assignments disappear, which allows users to create invalid duplicate assignments. Fixed the schema collapse issue to ensure assignments persist and prevent invalid assignments. |
| Project duplicate/import workflow visibility (ENG-9305) | When attempting to duplicate or import a project in Studio, workflows were disappearing from the duplicated or imported project. Updated the schema logic to resolve the issue. Workflows, templates, transformations, and JSON forms now appear correctly when duplicating or importing a project. |
| Redis Sentinel topology reconnect (ENG-9419) | In some scenarios, the Platform would not correctly handle changes in Redis Sentinel cluster topology. Added behavior to correctly reconnect when Redis Sentinel cluster topology changes. |
| Cancel jobs ancestor batch check (ENG-9478) | Added ancestor-checking in the cancel jobs endpoint to only cancel the greatest ancestor within a batch, removing unnecessary compute without affecting cancellation results. This also mitigates the likelihood of runaway recursive looping into high memory usage. |
| Integration Swagger doc skipNormalization (ENG-9668) | Removed skipNormalization flag on resolve of integration Swagger docs to ensure Itential Platform methods include path-level and operation-level parameters, while ensuring any method operationId with special characters are not replaced. |
| Operations Manager trigger type clear crash (ENG-9754) | When trying to clear a trigger type in Operations Manager to select a different trigger type, the application UI would stop working. Fixed a bug in the createTrigger API that caused Ops Manager to crash when clearing out initial trigger data. |
| Duplicate template name in projects error (ENG-9878) | Renaming a command or analytic template in projects to a duplicate name correctly displays the error in projects and no longer crashes the MOP service. |
| JSON Form dropdown source item type check (ENG-10179) | Added a type check to the JSON form dropdown to confirm source items are valid and prevent search issues in the render JSON schema task. |
| React missing array key warning (ENG-10185) | Added a missing property key to resolve a “React Missing Array Key” security rule warning. |
Security fixes (3)
| Feature | Description |
|---|---|
| jsonpath-plus RCE vulnerability (ENG-9788) | When running security scans, affected versions of the jsonpath-plus package were found to be vulnerable to remote code execution (RCE) due to improper input sanitization. Updated jsonpath-plus to version 10.3.0 to resolve the security vulnerability. |
| axios CSRF vulnerability in NSO Manager (ENG-10010) | When running security scans, affected versions of the axios package in NSO Manager were found to be vulnerable to cross-site request forgery (CSRF) risks. Updated the axios dependency to mitigate the CSRF vulnerability. |
| axios CSRF vulnerability in Job Manager (ENG-10011) | When running security scans, affected versions of the axios package in Job Manager were found to be vulnerable to cross-site request forgery (CSRF) risks. Updated the axios dependency to version 0.29.0 to remove the CSRF vulnerability. |