Version 5.6 (July 2022)
- Updated on 27 Sep 2024
DIGIPASS Gateway 5.6 (July 2022)
New features and enhancements
Upgrade path
DIGIPASS Gateway supports direct upgrades from version 5.1 or 5.5 to version 5.7 on the supported operating systems.
Supported platforms, data management systems, and other third-party products
DIGIPASS Gateway now supports the following products:
Operating systems
Red Hat Enterprise Linux (RHEL) 8, 64-bit
Ubuntu Server 20.04 LTS, 64-bit
Software libraries
DIGIPASS Gateway now includes the following (updated) third-party libraries:
Apache Log4j Core 2.17.1
This version of Apache Log4j fixes a couple of security vulnerabilities that were recently discovered (see Issues OAS‑12169, OAS‑11872: Vulnerabilities CVE-2021-45105, CVE-2021-45046, CVE-2021-44832, and CVE-2021-44228 in Apache Log4j2).
Fixes and other updates
Issues OAS‑12169, OAS‑11872: Vulnerabilities CVE-2021-45105, CVE-2021-45046, CVE-2021-44832, and CVE-2021-44228 in Apache Log4j2
Description: Recently, the Apache foundation announced a number of security vulnerabilities (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) in the Log4j2 library for Java applications, affecting all versions from 2.0-beta-9 to 2.16.0. These vulnerabilities allow attackers who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
The fix provided in 2.17.0 includes another security vulnerability (CVE-2021-44832) that allows remote code execution (RCE) attacks where attackers can construct malicious configurations with a JDBC Appender. This vulnerability is difficult to exploit and considered non-critical for DIGIPASS Gateway.
For more information, refer to:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
Affects: DIGIPASS Gateway 5.0–5.5
Status: These issues have been fixed. The affected library files have been upgraded to Log4j Core library version 2.17.1. This version of the library mitigates the remote code execution and denial-of-service attacks that could result from the vulnerabilities.
A hotfix (including Apache Log4j 2.17.0) for the affected versions of DIGIPASS Gateway to fix the CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 vulnerabilities was released on December 21, 2021. For more information, refer to https://www.onespan.com/remote-code-execution-vulnerability-in-log4j2-cve-2021-44228.
Issue OAS‑11847 (Support case CS0082448): Insufficient failover behavior
Description: If DIGIPASS Gateway cannot connect to the primary OneSpan Authentication Server instance, it uses the backup server if configured. However, when DIGIPASS Gateway establishes another connection, it again attempts to connect to the primary server first. The connection attempt uses a default timeout of 50 seconds. If the primary server is offline for some time, requests to DIGIPASS Gateway are permanently delayed.
Affects: DIGIPASS Gateway 5.0–5.5
Status: This issue has been fixed. The failover behavior has been improved. If no connection to the primary server can be established and a backup server instance is configured, DIGIPASS Gateway uses the backup server, and vice versa. If DIGIPASS Gateway falls back to the backup server, DIGIPASS Gateway keeps using the backup server until it becomes unreachable.
You can configure the connection timeout for each server with the OneSpan Web Configuration Tool.
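The fixed failover logic, modeled as an added example (this is not DIGIPASS Gateway code): a selector that tries the server it last used first and stays on the backup until that becomes unreachable, with the pre-fix primary-first behavior alongside for comparison. The server names, the 50-second timeout and the health map are constructed assumptions.

```python
# Added example: a model of the sticky primary/backup failover described for
# Issue OAS-11847. Not DIGIPASS Gateway code; names, timeouts and the health
# map are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Server:
    name: str
    timeout_s: int = 50      # default connection timeout quoted in the notes


@dataclass
class Outcome:
    server: str              # server that finally accepted the connection
    delay_s: int             # seconds spent on failed connection attempts


class StickyFailover:
    """Fixed behaviour: use the primary until it is unreachable, then keep
    using the backup until the backup becomes unreachable (and vice versa)."""

    def __init__(self, primary: Server, backup: Server, reachable: dict):
        self.primary, self.backup = primary, backup
        self.reachable = reachable   # constructed health map: name -> bool
        self.current = primary       # server used for the last connection

    def connect(self) -> Outcome:
        delay = 0
        other = self.backup if self.current is self.primary else self.primary
        for server in (self.current, other):
            if self.reachable[server.name]:
                self.current = server          # remember where we ended up
                return Outcome(server.name, delay)
            delay += server.timeout_s          # a failed attempt costs its timeout
        raise ConnectionError(f"no server reachable after {delay}s")


class PrimaryFirstFailover(StickyFailover):
    """Pre-fix behaviour: every new connection retries the primary first,
    so each request pays the primary's timeout while it is offline."""

    def connect(self) -> Outcome:
        self.current = self.primary
        return super().connect()


def total_delay(selector: StickyFailover, requests: int) -> int:
    """Seconds of connection delay accumulated over a number of requests."""
    return sum(selector.connect().delay_s for _ in range(requests))


if __name__ == "__main__":
    primary, backup = Server("oas-primary"), Server("oas-backup")
    health = {"oas-primary": False, "oas-backup": True}   # primary offline
    print("pre-fix:", total_delay(PrimaryFirstFailover(primary, backup, health), 10), "s")
    print("fixed:  ", total_delay(StickyFailover(primary, backup, health), 10), "s")
```

With the primary offline, the pre-fix selector delays all ten requests by 50 seconds each, while the fixed selector pays the timeout once and then serves every request from the backup immediately.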
Deprecated components and features, architectural changes
Supported platforms and other third-party products
DIGIPASS Gateway no longer supports the following products:
Operating systems
Ubuntu Server 16.04 LTS, 64-bit