Version 3.25 (January 2024)
Updated on 03 Oct 2024
Fixes and other updates
Issue CVE-2023-48795: SSH Terrapin prefix truncation weakness
Description: The SSH implementation used by OneSpan Authentication Server Appliance allows remote attackers to bypass integrity checks, so that a client and server can end up with a connection for which some security features have been downgraded or disabled. This issue is referred to as the Terrapin attack.
For more information, refer to https://nvd.nist.gov/vuln/detail/CVE-2023-48795.
Status: This issue has been fixed.
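To show how an administrator can verify the SSH side of this fix, the following Python script (added here as an example; it is not OneSpan code and does not describe the appliance's internal SSH implementation) parses an SSH KEXINIT payload as laid out in RFC 4253 and reports whether the sender advertises the OpenSSH strict key exchange marker, which is the countermeasure for CVE-2023-48795, and whether it offers the algorithm combinations the Terrapin attack targets (ChaCha20-Poly1305, or a CBC cipher together with an Encrypt-then-MAC MAC). The two sample KEXINIT payloads are constructed inline, and `build_kexinit`, `parse_kexinit` and `assess_terrapin` are names chosen for this example.

```python
import struct

# Constants from RFC 4253 and the OpenSSH strict-KEX extension (the
# countermeasure for CVE-2023-48795). Everything else here is constructed.
SSH_MSG_KEXINIT = 20
STRICT_KEX = {"server": "kex-strict-s-v00@openssh.com",
              "client": "kex-strict-c-v00@openssh.com"}
CHACHA20 = "chacha20-poly1305@openssh.com"

# Name-list fields of a KEXINIT payload, in wire order (RFC 4253, section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c",
)


def _read_name_list(buf, offset):
    """Decode one SSH name-list (uint32 length + comma-separated ASCII)."""
    if len(buf) < offset + 4:
        raise ValueError("truncated name-list length")
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    raw = buf[offset:offset + length]
    if len(raw) != length:
        raise ValueError("truncated name-list body")
    names = raw.decode("ascii").split(",") if raw else []
    return names, offset + length


def parse_kexinit(payload):
    """Parse a KEXINIT payload (sent in the clear) into a dict of name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    offset = 1 + 16  # message id + 16-byte cookie
    lists = {}
    for field in KEXINIT_FIELDS:
        lists[field], offset = _read_name_list(payload, offset)
    # boolean first_kex_packet_follows + uint32 reserved must still be present
    if len(payload) < offset + 5:
        raise ValueError("truncated KEXINIT trailer")
    return lists


def assess_terrapin(kexinit, role):
    """Report Terrapin exposure for the peer that sent this KEXINIT.

    role is "server" or "client" and selects which strict-KEX marker to look
    for. One KEXINIT only shows what that side offers: strict KEX protects the
    connection only when both peers advertise their marker.
    """
    strict = STRICT_KEX[role] in kexinit["kex_algorithms"]
    exposed = set()
    for direction in ("c2s", "s2c"):
        ciphers = kexinit["enc_" + direction]
        macs = kexinit["mac_" + direction]
        if CHACHA20 in ciphers:
            exposed.add(CHACHA20)
        cbc = [c for c in ciphers if c.endswith("-cbc")]
        etm = [m for m in macs if m.endswith("-etm@openssh.com")]
        if cbc and etm:  # CBC cipher combined with Encrypt-then-MAC
            exposed.add("/".join(cbc) + " with " + "/".join(etm))
    return {
        "strict_kex": strict,
        "exposed_algorithms": sorted(exposed),
        "vulnerable": bool(exposed) and not strict,
    }


def build_kexinit(kex, host_keys, enc, mac, comp=("none",)):
    """Constructed KEXINIT payload for offline testing (cookie zeroed)."""
    def name_list(names):
        data = ",".join(names).encode("ascii")
        return struct.pack(">I", len(data)) + data
    body = b"".join(name_list(x) for x in
                    (kex, host_keys, enc, enc, mac, mac, comp, comp, (), ()))
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + body + b"\x00" + struct.pack(">I", 0)


# Constructed sample offers: one without the strict-KEX marker, one with it.
LEGACY_SERVER_KEXINIT = build_kexinit(
    kex=["curve25519-sha256", "diffie-hellman-group14-sha256"],
    host_keys=["ssh-ed25519"],
    enc=["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-cbc"],
    mac=["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
)
PATCHED_SERVER_KEXINIT = build_kexinit(
    kex=["curve25519-sha256", "kex-strict-s-v00@openssh.com"],
    host_keys=["ssh-ed25519"],
    enc=["chacha20-poly1305@openssh.com", "aes128-ctr"],
    mac=["hmac-sha2-256-etm@openssh.com"],
)

if __name__ == "__main__":
    for label, payload in (("legacy", LEGACY_SERVER_KEXINIT),
                           ("patched", PATCHED_SERVER_KEXINIT)):
        print(label, assess_terrapin(parse_kexinit(payload), "server"))
```

To check a real appliance, capture the server's KEXINIT packet (it is transmitted before any keys are negotiated, so the payload is readable from a packet capture) and pass its payload to `parse_kexinit`. A result of `vulnerable: False` for the server is necessary but not sufficient: the connecting client must also offer `kex-strict-c-v00@openssh.com`, otherwise the remaining option is to remove the exposed algorithms from the offer.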
Issue OAS-20965: Vulnerability in Apache Struts (Web Administration Service)
Description: A number of vulnerabilities in the Apache Struts framework can lead to remote code execution and denial-of-service issues:
CVE-2023-50164
CVE-2023-41835
CVE-2023-34396
CVE-2023-34149
Affects: OneSpan Authentication Server Appliance 3.18.xx–3.24
Status: This issue has been fixed. Apache Struts has been upgraded to version 2.5.33.
Issue OAS-20042: New HTTP error pages (Web Administration Service)
Description: The default Apache Tomcat HTTP error pages for the Web Administration Service have been replaced with static error pages to mask information about the web server.
Issue OAS-19890: Misleading UI text in wizards (Web Administration Service)
Description: The Delete Audit Data wizard and the Delete Finished Tasks wizard allow you to delete old audit data and finished tasks. In the first step of each wizard you specify the maximum age of data that you want to keep. The descriptive UI text about the data that is being kept can be misleading for some readers.
Affects: OneSpan Authentication Server Appliance 3.18–3.24
Status: This issue has been fixed. The respective UI text has been revised to be less ambiguous.
Issue OAS-19617 (Support case CS0132820): Authentication failures during HSM key rotation
Description: In environments that use a hardware security module (HSM), an HSM key rotation can lead to authentication failures. The root cause is that some HSM-related operations use an incorrect storage key to decrypt BLOB data, which during an HSM key rotation results in authentication failures.
Affects: OneSpan Authentication Server Appliance 3.11–3.24 (using HSM)
Status: This issue has been fixed. The affected operations have been fixed to use the correct storage key.
Issue OAS-19582: Invalid email address blocks SMTP connection pool (Message Delivery Component)
Description: The Message Delivery Component (MDC) server uses a separate connection pool for each gateway node to handle multiple message deliveries concurrently. If MDC cannot send an email message because the email address specified in the user account is invalid, it blocks the connection pool of the respective SMTP gateway node for 10 seconds. In that case, MDC returns an incorrect status indicating that the connection is still in use.
Affects: OneSpan Authentication Server Appliance 3.18–3.24
Status: This issue has been fixed. The connection logic has been improved, and a different status is now returned by MDC in case of invalid email addresses.
Issue OAS-19063: Storage key cannot be created (Web Administration Service)
Description: When attempting to create a new storage key with a hardware security module (HSM), Web Administration Service cannot complete the operation and displays an "Invalid key label" message.
Affects: OneSpan Authentication Server Appliance with HSM
Status: This issue has been fixed.
Issue OAS-17838: Insufficient error description (Message Delivery Component)
Description: The Message Delivery Component (MDC) service uses cURL for data transfer operations. In some cases when an error occurs, e.g. if the certificate used is invalid, the log information is too vague and suppresses useful information about the root cause of the error.
Status: This issue has been fixed. The handling of cURL-related messages has been improved to make error investigation easier without revealing security-relevant information.
Issue OAS-17224: Incorrect handling of default policy setting
Description: The default value handling of the Static Password > Not Based on User ID policy setting is incorrect. If you create a new policy based on an existing policy in which Static Password > Not Based on User ID is not set, and set the policy setting to Default in the new policy, the effective value of the setting is also Default, which is not a valid value.
Affects: OneSpan Authentication Server Appliance 3.18–3.24
Status: This issue has been fixed. If the Static Password > Not Based on User ID policy setting is set neither in the applied policy nor in any of its base policies, OneSpan Authentication Server uses No as the built-in default value.
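The following Python model (added here as an example; it is not OneSpan code and the policy class, the setting key and the function names are constructed for illustration) contrasts the behaviour described above with the corrected resolution: a setting left at Default in the applied policy is resolved through the chain of base policies, and only when no policy in the chain sets it explicitly does the built-in default of No apply. The example also guards against a cycle in the base-policy chain, which the release note does not mention but which the same walk must handle.

```python
# Sentinel stored in a policy when a setting is left at "Default" (inherit).
DEFAULT = "Default"

# Built-in fallbacks used when neither the applied policy nor any base policy
# sets the value. The value below follows the release note for OAS-17224;
# the setting key itself is a constructed name.
BUILTIN_DEFAULTS = {
    "static_password.not_based_on_user_id": "No",
}


class Policy:
    """Minimal policy model: explicit settings plus an optional base policy."""

    def __init__(self, name, base=None, settings=None):
        self.name = name
        self.base = base
        self.settings = dict(settings or {})


def effective_setting_buggy(policy, key):
    """Behaviour described in OAS-17224: whatever the applied policy stores is
    returned as-is, so an explicit "Default" leaks out as the effective value."""
    return policy.settings.get(key, DEFAULT)


def effective_setting(policy, key):
    """Resolve a setting through the base-policy chain and fall back to the
    built-in default; the "Default" sentinel is never returned."""
    seen = set()
    current = policy
    while current is not None:
        if current.name in seen:
            raise ValueError(f"cycle in base policies at {current.name}")
        seen.add(current.name)
        value = current.settings.get(key, DEFAULT)
        if value != DEFAULT:
            return value
        current = current.base
    if key not in BUILTIN_DEFAULTS:
        raise KeyError(f"no built-in default for {key}")
    return BUILTIN_DEFAULTS[key]


KEY = "static_password.not_based_on_user_id"

# Constructed scenario from the release note: the base policy leaves the
# setting unset and the new policy explicitly selects "Default".
BASE = Policy("Corporate")
DERIVED = Policy("Helpdesk", base=BASE, settings={KEY: DEFAULT})

# Constructed second chain: a grandparent policy sets the value explicitly,
# so inheritance must surface "Yes" rather than the built-in default.
STRICT_BASE = Policy("Strict", settings={KEY: "Yes"})
MIDDLE = Policy("Middle", base=STRICT_BASE)
LEAF = Policy("Leaf", base=MIDDLE, settings={KEY: DEFAULT})

if __name__ == "__main__":
    print("buggy  :", effective_setting_buggy(DERIVED, KEY))
    print("fixed  :", effective_setting(DERIVED, KEY))
    print("inherit:", effective_setting(LEAF, KEY))
```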
Issue OASL3S-1966 (Support case CS0148845): Administration Web Interface sessions expire before configured session timeout
Description: Administrative sessions in the OneSpan Authentication Server Administration Web Interface can be limited to expire after a maximum session time (via Global Configuration > Session Management > Max. Session Time). On OneSpan Authentication Server Appliance, administrative sessions time out after around 45 minutes, regardless of the configured maximum session time.
Affects: OneSpan Authentication Server Appliance 3.24
Status: This issue has been fixed.
Support case CS0145883: Redirection security vulnerability (fixed)
Support case CS0145442: Bind device page not loading (fixed)
Issue: Installation wizard becomes unresponsive with certain weak passwords (fixed)
Deprecated components and features
Supported platforms, data management systems, and other third-party products
Operating systems
Windows Server 2012 R2
Windows Server 2012
Data management systems
Microsoft SQL Server 2012 Service Pack 4
Oracle Database 18c
Oracle Database 12c