3DEXPERIENCE Security Notification: User Person Assumes Identity of Another User Person - Adaptive Corp

3DEXPERIENCE Security Notification: User Person Assumes Identity of Another User Person



Security Notice for Revisions Prior to 3DEXPERIENCE R2020x FP2014

Dassault Systèmes has identified a security issue in revisions prior to 3DEXPERIENCE R2020x FP2014 in which a logged-in user suddenly takes on another user’s identity. This presents a potential security risk to the data.

The scenario involves performing a search that can create a condition within the Java Virtual Machine (JVM) that may result in session sharing. The search may place a request object back into a pool of request objects, where another session could pick it up. When this occurs, one person assumes the identity of another person, which presents a security risk to system data.

This problem can potentially impact any customer but has only been observed within Dassault’s larger customer community. The situation described above impacts customers using the following 3DEXPERIENCE Platform releases:

  • 3DEXPERIENCE 2020x -FP2006
  • 3DEXPERIENCE 2019x GA-FP2135
  • 3DEXPERIENCE 2018x GA-FP2132

Required Action

Dassault strongly recommends that affected customers upgrade to the following FP levels if possible:

  • 3DEXPERIENCE 2020x FP2014 or higher
  • 3DEXPERIENCE 2019x FP2143 or higher FP Level
  • 3DEXPERIENCE 18x FP2140 or higher FP Level

Workaround

To work around the problem, Dassault suggests adding a cvServlet.properties file to the 3DSpace environment and setting environmental variables specific to the 3DEXPERIENCE Platform. Follow these steps:

  1. Create a file named cvServlet.properties within the ../webapps/3dspace/WEB-INF/classes/ folder, assuming that /3dspace is the root URI for your installation. If the file already exists, then skip this step and proceed to step 2.
  2. Add the following lines within this file:
    1. kernel_timeout_second = 60
    2. nb_kernel_thread = 100
  3. Restart the 3DSpace service.
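
Steps 1 and 2 can be scripted so they are safe to repeat across several servers. The script below is an added example, not code from Dassault or Adaptive: the function names `set_prop` and `apply_workaround` are hypothetical, and the classes directory is passed in by the operator. It creates the file if it is missing, backs up an existing one, and sets the two values without touching other entries. The restart in step 3 is left to the operator.

```shell
#!/bin/sh
# Added example: apply the cvServlet.properties workaround idempotently.
# Usage (path is an assumption, use your own installation's):
#   sh apply_cvservlet.sh /path/to/webapps/3dspace/WEB-INF/classes

# set_prop FILE KEY VALUE
# Rewrite an existing "KEY = ..." or "KEY: ..." line, or append one if absent.
# Duplicate definitions of KEY collapse to one line; all other lines are kept.
# The file is overwritten in place (not renamed) so owner and mode are preserved.
set_prop() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, k) == 1 && substr(line, length(k) + 1) ~ /^[ \t]*[=:]/) {
                if (!seen) { print k " = " v; seen = 1 }
                next
            }
            print
        }
        END { if (!seen) print k " = " v }
    ' "$file" > "$tmp" &&
    cat "$tmp" > "$file" &&
    rm -f "$tmp"
}

# apply_workaround CLASSES_DIR
# Step 1: create cvServlet.properties if missing (back it up if present).
# Step 2: set the two values given in the notice.
apply_workaround() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    file="$dir/cvServlet.properties"
    if [ -f "$file" ]; then
        cp -p "$file" "$file.bak"
    else
        : > "$file"
    fi
    set_prop "$file" kernel_timeout_second 60 &&
    set_prop "$file" nb_kernel_thread 100
}

if [ $# -gt 0 ]; then
    apply_workaround "$1"
fi
```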

More Details

Details regarding this issue can be found in the knowledge base by following this link: QA00000100769 (https://kb.dsxclient.3ds.com/mashup-ui/page/document?q=docid:QA00000100769).

For more information, please contact Adaptive Support.