KNIME Business Hub 1.10 Release Notes

KNIME Business Hub 1.10.4

(released March 28, 2025)

Security fix

This release resolves a security vulnerability in all prior versions of KNIME Business Hub.

On March 24, 2025, a high-severity vulnerability in the widely used ingress-nginx component for Kubernetes was publicly disclosed. By sending specially crafted HTTP requests from within the cluster to the ingress-nginx controller, attackers could achieve remote code execution. Since ingress-nginx holds access to all cluster credentials, this vulnerability could lead to a full cluster takeover.

For full details, refer to the KNIME Security Advisory: CVE-2025-2787.

KNIME Business Hub 1.10.3

(released March 20, 2025)

Security fix

This release addresses a security vulnerability affecting all previous versions of KNIME Business Hub. We’ve identified that the existing Kubernetes secret configuration could potentially allow parties with specific credential knowledge to interact with job-related data on accessible KNIME Business Hub installations.

For more details, see the KNIME Security Advisory: CVE-2025-2402.

KNIME Business Hub 1.10.2

(released July 9, 2024)

Important note: Updates from Business Hub 1.10.x versions are highly recommended, as critical issues were fixed in this release.

Important bug fixes

• Fixed an issue with memory allocation to Artemis (managing job queues for execution) that could cause failure of Business Hub.
• Fixed an issue where jobs instrumentation (historical job collection) could fail because of late messages and cause failure of Business Hub.

KNIME Business Hub 1.10.1

(released June 4, 2024)

Improvements

Data App: Manage All Existing Jobs

• Data App to list all existing jobs with the possibility to delete them as well. Can be used to monitor the current execution situation on the Hub.
• Data App
• Documentation

Data App: Assign Users to Teams based on External Groups

• Convenience Data App to link Groups (e.g. managed by SCIM) to Teams.
• Data App: https://hub.knime.com/-/spaces/-/~aRbyzgd02IbkB60j/most-recent/

Users sync from identity provider to Hub teams via SCIM is an Enterprise edition only feature.

Data App: Executor Image Builder

• As the successor of the Execution Context Dockerfile Builder, the Executor Image Builder Data Application is designed to further ease the creation of Executor Images by employing the Image Builder Service that comes with KNIME Business Hub 1.10. This eliminates the need for manual docker image building on local machines, and instead allows easy installation of extensions or additional software like python to an Executor Image. The Executor Image is automatically pushed to a given registry (embedded, or configured in the Admin Portal) so that it is available for global admins and team admins so that they can create execution contexts from the image. Detailed documentation can be found in the Docker executor images section of the KNIME Business Hub Admin Guide.

Other

• Airgapped bundles now come with KNIME Analytics Platform 5.2.5 as executor.

Bug fixes

• Fixed a bug where the job viewer feature doesn’t work on certain domains
• Added license support for GCP marketplace images
• Fixed a bug when sharing a secret with a team
• Fixed a bug in Kerberos impersonation when connecting to an on-premise cluster

KNIME Business Hub 1.10.0

(released May 22, 2024)

Important changes (please read carefully)

• The KOTS App Manager is now on version 1.108.9. This new version fixes an important CVE and provides new functionalities, so it has to be updated before updating to KNIME Business Hub version 1.10.

  • To do so use the following command: curl -sSL [https://kurl.sh/knime-hub](https://kurl.sh/knime-hub) | sudo bash.

• The Kurl update will result in a downtime of approximately 60 min. Please plan your update window accordingly.

• Email addresses are now allowed as usernames. In case you had a Keycloak mapper configured that strips the domain portion of the username, this mapper can now be removed.

  • Caution: For the time being, do not remove the mapper if you are using Kerberos authentication in KNIME Analytics Platform. A fix for this will be provided in the next feature or bugfix release.

• We changed the way groups in teams are managed. This change is only important for customers who added "guest members" to their teams to grant them access to individual spaces. If you are not doing this, please just skip the bullet point below.

  • Previously, it was possible for a user to be in a team without belonging to any of the team’s groups ("admin" and "member" by default). Now, a user is considered a part of a team as long as they are in any of the team’s groups. Therefore, having guest members by simply adding a user to a team, and then removing them from all groups is not possible anymore. To still achieve the same result, you need to add a new custom group to your team, to which the guest users are then added. Please reach out to support@knime.com to get assistance with this.

• In case you are updating from Business Hub 1.8.x, Keycloak will be updated as well, resulting in a changed password to access the Keycloak admin portal. Please find the new password in a Kubernetes secret called credential-knime-keycloak in the knime namespace. If you have created additional Keycloak admins, they will be deleted as part of the update.

• For customers using the external group sharing feature, the user-attribute mapper for external groups needs to be switched to userinfo-only. Please refer to the updated documentation.

• Airgapped bundles now come with KNIME Analytics Platform 5.2.3 as executor.

Improvements

• Group-to-team sync via SCIM (Enterprise edition only): Automatically sync groups from your identity provider to Business Hub teams. Changes on the identity provider side will reflect in Business Hub, making it easier for IT to onboard many users. (See documentation)

  • Note: In case you are using Kerberos authentication in KNIME Analytics Platform and if you are using a Keycloak mapper that strips the domain part from user names, do not set up SCIM yet. A fix for this will be provided in the next release.

• Job instrumentation: This feature keeps a record of every single job that is executed on Business Hub, allowing users to analyze Hub usage over time. By default, records are kept for 30 days. This value can be adjusted in the KOTS admin console. (See documentation)

  • A data app to access this data is published here. Please upload this to your own Business Hub installation.

• Job viewer: Users are able to inspect a job at its current state in a browser based read only mode, without the need to open their local KNIME Analytics Platform. This is possible for jobs that were created by an “Ad hoc execution” as well as from a “Deployment”. Usage of this features requires a KNIME Analytics Platform 5.2.3 or newer to be used as hub executor. (See documentation)

  • Note: In order to use the job viewer feature, load balancers / proxies in front of Business Hub need to be websocket compatible. Additionally, make sure that the DNS entry of the Websocket URL (ws.<base-url>) is set up correctly. You can find the Websocket URL in the KOTS Admin Console under URLs > Websocket URL.

• Scalable data app sharing: Share data apps at scale via a special link and run them without the need to log in for end users. (See documentation)

• Secret store adds a new secret type for secure sharing of files e.g. ssh key files. (See documentation)

Security Updates

• Minimal RBAC Kots install supported (See documentation)
• Advanced installation now supports setting up Kots with limited RBAC permissions
• PostgreSQL no longer requires privilege escalation to be enabled
• fsGroups and supplementalGroups are now set for every container (exceptions are PostgreSQL, Istio and Ingress-Nginx)
• Namespace-metadata-reader Cluster Role converted into a Role

Kurl update

• Kurl stack updated
• Contains various CVE fixes
• Embedded clusters updated to Kubernetes version 1.27.12

Support bundle updates

• Support bundles now indicate missing required resources in the Hub cluster

Important bug fixes

• Fix showing a correct “License expired” message in the UI

• Fixed a bug where application password creation for consumers was broken

• Infrastructure fixes:

  • Excluding Istio from the install (for provided Istio / OpenShift Service Mesh) no longer requires a developer license
  • Fixed a bug where some init containers weren’t compatible with Istio CNI
  • Fixed a copy permission error in the Keycloak init container that caused issues with updates to Business Hub version 1.9.0

• Backup / Restore fixes:

  • Postgres admin password wasn’t restored in some cases
  • Timeouts increased for large data volume backups / restores

• Fixed a bug where Keycloak wasn’t compatible with custom certificate authorities

• Fixed a bug where the ImagePullSecret was not set for Keycloak in some airgapped, embedded cluster installations

• Keycloak migration improved when updating from Business Hub 1.8.3 or lower versions

• Various fixes for OpenShift installs

• Compatibility with OpenShift Service Mesh improved