April 4, 2023 - Alert: Incorrect Query Results
InterSystems has corrected a defect that can cause an SQL query to return incorrect results.
The defect exists in the following products and any InterSystems offerings based on them.
Impacted versions are 2021.2, 2022.1.x, 2022.2, and 2022.3:
- InterSystems IRIS®
- InterSystems IRIS for Health™
- HealthShare® Health Connect
Impacted version is 2022.2:
- InterSystems HealthShare®
The issue can be triggered when SQL Runtime Plan Choice (RTPC) is enabled (the default) and the query contains a "truth value" WHERE ? = ?. When triggered, some predicates may not be evaluated correctly; this leads to incorrect query results.
Note: It is not possible to fully assess a query's vulnerability by reviewing the SQL. This is because InterSystems SQL query optimization can add truth values to the internal representation of queries.
If your environment uses InterSystems SQL, then you can immediately remediate the issue by disabling the RTPC feature.
Note: Additional information about mitigations for InterSystems HealthShare® will be released shortly.
The correction for this defect is identified as YCL227 and will be included in all future versions of InterSystems IRIS®, InterSystems IRIS for Health™, and HealthShare® Health Connect as well as any InterSystems products based on them.
The correction is also available via Ad hoc distribution.
If you have any questions regarding this alert, please contact the
Worldwide Response Center.