RayVentory

Smarter software and hardware inventory.

Published by Raynet
Distributed by ComponentSource since 2014

Version: 12.6 NEW Last updated: Mar 4, 2026

New RayVentory licenses are now available as part of Raynet Unified Data Platform. Please contact us for pricing information.
Existing customers can continue to renew their Subscription License or Silver Maintenance for Perpetual Licenses.

RayVentory Scan Engine 12.6.3800.131 [Update 9]

Released: Feb 4, 2026

Updates in RayVentory Scan Engine 12.6.3800.131 [Update 9]

Features

  • Updated the curl utility bundled with RayVentory Inventory Agent (RVIA) for Windows to address security vulnerabilities discovered in the previous version. The curl utility included with RVIA for Windows has been upgraded from version 8.6.0 to version 8.17.0.

Fixes

  • Fixed a security vulnerability in the RayVentory Inventory Agent (RVIA) related to uncontrolled search paths that could allow PATH injection and library injection attacks. The security vulnerabilities have been resolved by implementing the following measures:
    • Removed External Dependencies: Removed curl from the RVIA packaging to eliminate potential attack vectors through external binaries.
    • Hardened Path Configuration: Configured ndtrack to use explicit installation directory paths (InstallDir and ETCPInstallDir) defined in ndtrack.ini, preventing the agent from searching for executables in uncontrolled system paths.
    • Restricted File Permissions: Adjusted permissions for the /opt/rvia/bin directory to allow access only to the root user, preventing unauthorized modifications.
  • Fixed a command injection security vulnerability in the RayVentory Inventory Agent (RVIA) where text tokens were not properly escaped when executing external commands, allowing potential malicious code execution. The command injection vulnerability has been resolved through a comprehensive security redesign:
    • Secure Process Execution: Replaced all unsafe system() and popen() calls with a new "RunCommand" method that executes commands as child processes rather than spawning a shell. This fundamental change eliminates the command injection attack vector across all platforms.
    • Direct Process Spawning: Implemented fork() and execve() mechanisms to directly spawn child processes for external programs, bypassing shell interpretation entirely. This makes command injection attacks technically impossible.
    • Java Execution Hardening: Improved the Java search and execution logic to prevent using potentially compromised Java executables from the system PATH.
  • Fixed a security vulnerability in the RayVentory Inventory Agent (RVIA) that could allow execution of malicious Java binaries placed in user-accessible system directories. Enhanced the Java detection mechanism in RVIA to prevent searching for Java executables in directories where users have write access. The agent now explicitly excludes the following system paths when searching for Java installations:
    • /tmp and its subdirectories.
    • /home and its subdirectories.
    • /var and its subdirectories.
    • /dev, /etc, /mnt, and /proc directories.
  • Fixed an issue where Oratrack failed to connect to Oracle databases when passwords contained special characters. This issue occurred due to incompatibilities between certain Java runtime environments and Oracle's JDBC security features. Oratrack has been updated to work with the latest OpenJDK versions (including OpenJDK 24.0.2). The application now properly handles password encryption and authentication with Oracle databases, regardless of special characters in the password.
  • Fixed an issue where the RVIA inventory process would hang indefinitely on macOS systems during Docker container scanning, requiring manual intervention (CTRL+C) to complete the inventory. The inventory agent now includes timeout protection for Docker-related operations. When Docker is installed on the system but in an unusable state (such as when waiting for user interaction with a system dialog), the inventory process will no longer hang indefinitely. The agent will automatically time out and continue with the rest of the inventory collection.
  • Fixed an issue where processor inventory data was incomplete for Raspberry Pi 4 systems. The scan engine now properly detects and reports the processor model name and description for ARM-based devices. The inventory agent now collects complete processor information for Raspberry Pi and other ARM-based systems. When the standard processor information source (/proc/cpuinfo) does not provide complete model details, the agent automatically enriches the data using additional system information from lscpu. This ensures that processor model names (such as "Cortex-A72") and descriptions are properly captured and displayed in inventory reports.
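
The shell-free execution described in the command injection fix above, as an added example that is not Raynet's code: `run_command` is a hypothetical helper (not RVIA's "RunCommand"), and `/bin/echo` with its token is constructed sample input. It shows that a token containing shell metacharacters reaches the program as one literal argument when the process is started with fork() and execve(), and that a name requiring a PATH search is refused.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not RVIA's RunCommand): executes argv[0], which must be
 * an absolute path, without a shell and captures its stdout in out.
 * Returns the child's exit status, or -1 on error. */
int run_command(char *const argv[], char *out, size_t outsz)
{
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL }; /* fixed, minimal environment */
    int fds[2], status;
    size_t used = 0;
    ssize_t n;
    if (outsz == 0 || argv[0] == NULL || argv[0][0] != '/')
        return -1;                       /* refuse anything needing a PATH search */
    out[0] = '\0';
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {                      /* child: stdout -> pipe, then exec */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        execve(argv[0], argv, envp);     /* each argv element reaches the program verbatim */
        _exit(127);                      /* only reached if execve failed */
    }
    close(fds[1]);
    while (used + 1 < outsz && (n = read(fds[0], out + used, outsz - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char buf[128];
    char *argv[] = { "/bin/echo", "host1; echo INJECTED", NULL }; /* constructed token */
    int rc = run_command(argv, buf, sizeof buf);
    printf("rc=%d out=%s", rc, buf);
    return rc != 0;
}
```

Passed to system() inside a command string, the same token would have been split at the semicolon and run as two commands.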