Version 3.23 (July 2022)
Updated on 03 Oct 2024
Release information
Software versions
This release includes:
OneSpan Authentication Server 3.23.1 with OneSpan Authentication Server Framework 3.18
OneSpan Authentication Server Administration Web Interface 3.23.1
Upgrade path
When upgrading to this version, replication between OneSpan Authentication Server Appliance instances will be disabled to avoid compatibility issues that may result from different product versions. You can enable replication after all OneSpan Authentication Server Appliance instances have been upgraded.
You can upgrade to OneSpan Authentication Server Appliance 3.23 from the following product versions:
OneSpan Authentication Server Appliance/OneSpan Authentication Server Virtual Appliance 3.22.2
OneSpan Authentication Server Appliance/OneSpan Authentication Server Virtual Appliance 3.22.1
OneSpan Authentication Server Appliance/OneSpan Authentication Server Virtual Appliance 3.22.0
New features and enhancements
Improved deletion of users with assigned items
In previous versions, an attempt to delete a user account failed if the target user account had items assigned that cannot be deleted and therefore blocked the deletion, e.g. reports, recurring tasks, or pending operations (maker or checker role).
To delete such user accounts anyway, you can now specify a successor user that will take ownership of those items. The successor must be an administrative user account in the same domain as the user to be deleted.
Automatic execution option for pending operations
As maker administrator, you can now specify an auto-execute option when scheduling a pending operation that requires maker–checker authorization. The pending operation is automatically executed on your behalf upon approval by the checker administrator. In that case, you do not need to execute it explicitly.
Improved verification before deleting authenticators with maker–checker authorization enabled
If maker–checker authorization is enabled when you attempt to delete an authenticator, the Administration Web Interface now verifies whether the authenticator is referenced in a pending operation:
If it is explicitly referenced as the only target authenticator in a pending operation, you cannot delete it and will receive a corresponding error message.
If the authenticator is referenced in a pending operation in any other way, either explicitly (as part of an authenticator list or as a range parameter) or implicitly (within a range), you will receive a warning message and need to confirm the deletion of the authenticator.
Improved server data migration
The server data migration process has been enhanced and optimized to improve the workflow and overall performance:
Table-based data schema version. Unlike in previous versions where the data schema version applied to the whole database, OneSpan Authentication Server Appliance now tracks the data schema version for each database table individually. This means that the data schema version of a particular table is not changed, unless there are effective changes in the table data schema. If the table data schema has not changed, the table is skipped from the server data migration. This reduces the amount of processed data and speeds up the server data migration process.
Optimized migration sequence. The order of the tables processed by the data migration task has been optimized. Admin-related tables are migrated first to minimize overhead on administrative commands while server data migration is still in progress. Tables that usually contain large amounts of data, e.g. users, authenticators, and authenticator applications, are migrated last.
Meaningful data migration task description. The data migration task description now contains the target schema version to better distinguish multiple data migration tasks.
Generic authentication status codes (Support case CS0087535)
OneSpan Authentication Server Appliance provides a new policy setting (Use Generic Authentication Status Codes) that specifies whether certain status codes and messages should be mapped to generic status information in server responses, to prevent user account disclosure in authentication and provisioning scenarios. The real status code and message will still be visible in the audit and trace messages.
If enabled, the following status codes will be mapped to 1000 (STAT_INVCREDENTIALS), even if more specific status information is available:
1007
1009
1010
1011
1012
1023
1025
1033
1045
By default, the new policy setting is disabled for parentless policies.
Push notification when Active Directory password has expired (Support case CS0080279)
OneSpan Authentication Server Appliance now includes a new workflow for push–notification-based authentication when the Active Directory password has expired. This workflow applies if back-end authentication is configured along with push–notification-based authentication.
With this setup, if a user's Active Directory password has expired, the user will first receive a push notification message for the first authentication step. After the user has authenticated via this message, they will be notified about the expiration of the Active Directory password and prompted to change the password. When the password has been changed, the authentication process is successfully completed.
Fixes and other updates
Issues OAS-14042, OAS-12065 (Support case CS0083610): Incorrect administrative privilege check for session management settings and misleading configuration privileges
Description: If an administrator without the View Admin Session privilege attempts to view the session management settings via the SERVERS > Session Management > Settings tab, a corresponding error message is displayed and access to the page is denied. The same administrator can, however, circumvent the privilege check by accessing the page directly via its URL.
Status: This issue has been fixed. In addition, the following improvements have been implemented for the administrative privilege configuration:
In previous versions, the existing View Back-End Settings and Update Back-End Settings privileges misleadingly determined the access to the global configuration settings. These privileges have now been renamed to View Global Configuration Options and Set Global Configuration Options, respectively, to align with their actual meaning. In addition, they have been moved to the Configuration section on the USERS > Admin Privileges tab, together with the View Server Configuration Options and Set Server Configuration Options privileges.
The global configuration settings have been consolidated. The SERVERS > Session Management > Settings tab was moved to the SERVERS > Global Configuration > Session Management tab. The BACK-END > Global Settings tab was moved to the SERVERS > Global Configuration > Back-End Servers tab.
Since the session management settings are global settings, they are now correctly available only if the administrator has the View Global Configuration Options privilege.
Issue OAS-13095 (Support cases CS0090562, CS0089587): Offline authentication data not sent for linked user in different domain
Description: If a user authenticates via Digipass Authentication for Windows Logon using an authenticator of a linked user account that is in a different domain, OneSpan Authentication Server Appliance does not send offline authentication data (OAD) to the client.
Status: This issue has been fixed.
Issue OAS-12757 (Support case CS0087166): Authentication fails if domain name is part of user ID
Description: Users who have the domain name in their user ID can experience authentication issues because OneSpan Authentication Server Appliance uses the corresponding part of the user ID as the domain name.
Status: To prevent this issue, users with the domain name in their user ID need to also provide the domain when logging in. This information has been added to the OneSpan Authentication Server Appliance Administrator Guide.
Issues OAS-12732, OAS-3485 (Support cases CS0086813, CS0084947, CS0021852): SOAP enabled by default (Licensing)
Description: As of OneSpan Authentication Server Appliance 3.23, SOAP is by default enabled in all licenses. If your license was created prior to this product version, you can contact OneSpan Support and request a free license upgrade.
Issues OAS‑12169, OAS-11872: Vulnerabilities CVE-2021-45105, CVE-2021-45046, CVE-2021-44832, and CVE-2021-44228 in Apache Log4j2 (Web Administration Service)
Description: Recently, the Apache Software Foundation announced a number of security vulnerabilities (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) in the Log4j2 library for Java applications, affecting all versions from 2.0-beta-9 to 2.16.0. These vulnerabilities allow attackers who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
The fix provided in 2.17.0 included another security vulnerability (CVE-2021-44832) that allows remote code execution (RCE) attacks where attackers can construct malicious configurations using a JDBC Appender. This vulnerability is difficult to exploit and considered non-critical for Web Administration Service.
For more information, refer to:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
Affects: OneSpan Authentication Server Appliance 3.15.16–3.22
Status: These issues have been fixed. The affected library files have been upgraded to Log4j Core library version 2.17.1. This version of the library mitigates the remote code execution and denial-of-service attacks that could result from the vulnerabilities.
Note that a hotfix (including Apache Log4j 2.17.0) for the affected versions of Web Administration Service to fix the CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 vulnerabilities was released on December 21, 2021. For more information, refer to https://www.onespan.com/remote-code-execution-vulnerability-in-log4j2-cve-2021-44228.
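As an added example (not code from OneSpan or from this page), the following Python check reads the version recorded in a Log4j Core jar's Maven pom.properties and compares it against 2.17.1, the version the release notes state the Web Administration Service now ships. It is the kind of inventory check an operator can run over a deployment's jar files to confirm an upgrade took effect. The in-memory sample jars are constructed for the example; the pom.properties path and the JndiLookup class path are the real locations inside a log4j-core jar, and the verdict names are this example's own.

```python
"""Constructed example: check the Log4j Core version bundled in jar files."""
import io
import re
import sys
import zipfile

# Maven metadata path inside a real log4j-core jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class behind CVE-2021-44228; it still exists in 2.17.x (with JNDI
# disabled by default), so its presence alone is not a verdict.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.17.1' -> (2, 17, 1, ''); '2.0-beta9' -> (2, 0, 0, 'beta9')."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9]+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), pre or "")


def version_key(v):
    """Sort key: a pre-release tag sorts below the final release of that number."""
    major, minor, patch, pre = v
    return (major, minor, patch, 0 if pre else 1, pre)


# Version the release notes state the appliance now ships.
FIXED_VERSION = parse_version("2.17.1")


def inspect_jar(data):
    """Classify one jar (bytes): version found, JndiLookup presence, verdict."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
        has_jndi = JNDI_LOOKUP in names
    if version is None:
        verdict = "unknown-version" if has_jndi else "not-log4j-core"
    elif version_key(version) < version_key(FIXED_VERSION):
        verdict = "outdated"
    else:
        verdict = "ok"
    return {"version": version, "jndi_lookup_present": has_jndi, "verdict": verdict}


def build_sample_jar(version, include_jndi_lookup=True):
    """Constructed in-memory jar standing in for a real log4j-core jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            POM_PROPS,
            f"version={version}\ngroupId=org.apache.logging.log4j\n"
            "artifactId=log4j-core\n",
        )
        if include_jndi_lookup:
            # Placeholder bytes only; not a real class file.
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def scan_files(paths):
    """Inspect real jar files from disk; yields (path, result) pairs."""
    for path in paths:
        with open(path, "rb") as fh:
            yield path, inspect_jar(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, result in scan_files(sys.argv[1:]):
            print(path, result)
    else:
        for ver in ("2.14.1", "2.17.0", "2.17.1"):
            print(ver, inspect_jar(build_sample_jar(ver)))
```

Run it with jar paths as arguments to scan a deployment, or without arguments to see the verdicts for the three constructed samples (2.14.1 and 2.17.0 are reported as outdated, 2.17.1 as ok). Jars that carry no pom.properties but do contain JndiLookup are reported as unknown-version so they are not silently skipped.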
Issue OAS-12130 (Support case CS0084327): SNMP endpoints are not accessible
Description: SNMP endpoints are no longer accessible after a OneSpan Authentication Server Appliance upgrade from version 3.18.
Affects: OneSpan Authentication Server Appliance 3.19–3.22
Status: This issue has been fixed.
Issue OAS-11647 (Support case CS0082520): Authentication via push notification fails (Message Delivery Component)
Description: Authentication via push notification fails if OneSpan Notification Gateway and Digipass Authentication for Windows Logon are used. This is because OneSpan Notification Gateway does not support the uppercase Digipass Authentication for Windows Logon correlation IDs.
Affects: OneSpan Authentication Server Appliance 3.22
Status: This issue has been fixed. Message Delivery Component now forwards the lowercase correlation ID to OneSpan Notification Gateway.
Issue OAS‑11432 (Support case CS0080787): OneSpan Authentication Server Appliance does not create core dumps
Description: Due to a faulty signal handler implementation, OneSpan Authentication Server Appliance only creates core dumps if the main process is terminated by SIGSEGV. If a specific thread is terminated by SIGSEGV, all other threads incorrectly receive SIGKILL and no core dump is generated.
Affects: OneSpan Authentication Server Appliance 3.12.13–3.22
Status: This issue has been fixed.
Issue OAS-11422 (Support case CS0076551): Selection issue with MDL register and auto-assignment
Description: Under some circumstances (particularly in slow environments), multiple multi-device licensing (MDL) registration requests that are processed almost at the same time can yield errors because auto-assignment attempts to use the same authenticator for more than one request. In that case, the user receives an error that the authenticator is already assigned and needs to retry the registration.
Affects: OneSpan Authentication Server Appliance 3.12.13–3.22
Status: This issue has been fixed. The MDL registration process has been refactored and now uses correct authenticator selection/assignment logic (randomly select an authenticator and lock the respective authenticator record).
Issue OAS‑11407 (Support case CS0079970): OneSpan Authentication Server service/daemon terminates on DNS query
Description: When performing a DNS query, the OneSpan Authentication Server service/daemon can terminate unexpectedly if the DNS response is too large.
Affects: OneSpan Authentication Server Appliance 3.12.13–3.22
Status: This issue has been fixed.
Issue OAS-11218 (Support case CS0079957): Incomplete list of OneSpan Authentication Server Framework error codes (Documentation)
Description: The list of OneSpan Authentication Server Framework (formerly VACMAN Controller) error codes in the OneSpan Authentication Server Appliance Administrator Reference is incomplete. Error code 1119 (Unsupported Payload Key Blob) is missing.
Status: The documentation has been updated.
Issue OAS‑10888 (Support case CS0077906): Organizational unit lists do not include more than 1000 OUs (Web Administration Service)
Description: If you want to select an organizational unit (OU) from a list, e.g. when moving/renaming a user account via the Move Users wizard, only the first 1000 OUs are listed, even if there are more defined in the organizational structure.
Affects: OneSpan Authentication Server Appliance 3.21–3.22
Status: This issue has been fixed.
Issue OAS‑8234: Copy Admin Privileges wizard allows copying privileges from non-administrative user accounts (Web Administration Service)
Description: The Copy Admin Privileges From wizard copies administrative privileges from one user account to another. If the target user account has privileges assigned that the source user account does not have, then the target user account will lose those privileges. If you select a non-administrative user account to copy the privileges from by mistake, the target user account will lose all privileges.
Status: The wizard behavior has been changed. You cannot select non-administrative user accounts to copy privileges from anymore.
Issue OAS-7351 (Support case CS0053506): Tasks prevent deletion of administrative user account (Web Administration Service)
Description: If an administrator has finished or scheduled tasks assigned, it is not possible to delete the administrator's user account.
Affects: OneSpan Authentication Server Appliance 3.12.13–3.22
Status: This issue has been fixed. It is now possible to specify a successor user who will take ownership of the items assigned to the user account to be deleted. For instructions to delete a user account, refer to the Administration Web Interface Help.
Issue OAS-6194 (Support case CS0041259): Replication queue exceeds maximum file size (Replication)
Description: If replication between multiple OneSpan Authentication Server Appliance instances is not possible, the specified maximum file size for Replication.DB is ignored, and the replication queue will exceed the limit and continue to grow.
Affects: OneSpan Authentication Server Appliance 3.18–3.22
Status: This issue has been fixed. If you want to receive warning emails when the replication queue size exceeds a specified threshold, contact OneSpan Support.
Issue OAS-1650 (Support case CS0012609): Performance issues related to persistent cache data
Description: In environments where the persistent cache table is highly fragmented, e.g. due to inadequate database maintenance, system load can increase significantly, thus leading to reduced database performance or even service outage.
Status: This issue has been fixed. The database indexes for the persistent cache have been reviewed and optimized.
Issue 136846: SFTP backup fingerprint update
Description: If SFTP backup is configured, it stores a fingerprint from the server to which backups are written. OneSpan Authentication Server Appliance has been updated to use a more secure fingerprint.
The SFTP fingerprint will be automatically updated. Verify the change by checking your automatic SFTP backups.
Affects: OneSpan Authentication Server Appliance 3.22 and earlier
Issue 134407: Audit copy warnings on the 31st of the month
Description: On the 31st of the month, errors related to audit copy appear in the logs. These errors self-correct on the 1st of the following month and can be ignored.
Affects: OneSpan Authentication Server Appliance 3.22
Status: This issue has been fixed.