- 03 Oct 2024
- 14 minutes to read
Version 3.22 (October 2021)
Release information
Software versions
This release includes:
OneSpan Authentication Server 3.22.4 with OneSpan Authentication Server Framework 3.18
OneSpan Authentication Server Administration Web Interface 3.22.4
Upgrade path
When upgrading to this version, replication between OneSpan Authentication Server Appliance instances will be disabled to avoid compatibility issues that may result from different product versions. You can enable replication after all OneSpan Authentication Server Appliance instances have been upgraded.
New features and enhancements
Authenticator type limit policy
OneSpan Authentication Server Appliance now allows you to restrict the maximum number of assigned authenticators per user for specific authenticator types. The new authenticator limit is configured via a new policy setting (DIGIPASS Assignment > DIGIPASS Type Limit). By default, no limit is set. For single-device licensing, it is possible to limit the number of assigned authenticators; for multi-device activation/multi-device licensing the setting limits the number of assigned authenticator licenses and activated authenticator instances.
Even if your users need more than one authenticator, you should still limit the number to avoid having too many authenticators (and/or instances) assigned or activated for a single user.
Delete authenticators via Manage User page
You can now delete authenticators via the Manage User page of the Administration Web Interface. A new DELETE button has been added to the Assigned DIGIPASS tab, which can be useful in situations where you need to delete a user's authenticator but you do not know the serial number, e.g. when a user loses their authenticator.
Administrator levels shown in user lists (Administration Web Interface)
The administrator level of users is now included as a separate column in the User list and the Admin session list of the Administration Web Interface. In the Admin session list it indicates the administrator level of the user owning the respective administrator session. For regular users the respective value is left empty.
Schedulable task to remove finished tasks
A new command has been added to remove old finished tasks. This allows you to clean up the task list and remove completed tasks regularly to maintain clarity and avoid performance issues with the task management.
The command is available in the Administration Web Interface via SERVERS > Delete Finished Tasks. It takes the age in days of the finished tasks to be deleted as parameter. All finished tasks with an end date (completion) older than or equal to this value will be deleted. The command itself schedules a server task that processes the server task table. If required, the cleanup task can be configured to recur on a daily or monthly basis.
Improved validation when deleting users
The validation when deleting a user account has been improved. If you attempt to delete a user who owns any report, report file, or server task, or who is the target of a pending operation, OneSpan Authentication Server Appliance refuses to delete the user and you receive an error message listing the number of connected objects. The respective SOAP operation now returns STAT_INUSE (–20) as status code. This information is also shown by Web Administration Service.
If maker–checker authorization is enabled, the validation is performed twice, once before the respective pending operation is scheduled and again when it is executed after approval.
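The two-step validation described above, as an added example that is not part of the product's code: an in-memory store stands in for the database, STAT_SUCCESS is an assumed name, and the checker step re-validates because ownership can change between scheduling and approval.

```python
from dataclasses import dataclass, field

STAT_SUCCESS = 0    # assumed name for the success status code
STAT_INUSE = -20    # status code named on the page for a still-referenced user

@dataclass
class Store:
    """Constructed in-memory stand-in for the server database."""
    users: set = field(default_factory=set)
    reports: dict = field(default_factory=dict)       # report name -> owner
    report_files: dict = field(default_factory=dict)  # file name -> owner
    server_tasks: dict = field(default_factory=dict)  # task id -> owner
    pending_ops: dict = field(default_factory=dict)   # op id -> target user

def connected_objects(store, user):
    """Count every object that still references the user."""
    return {
        "reports": sum(o == user for o in store.reports.values()),
        "report files": sum(o == user for o in store.report_files.values()),
        "server tasks": sum(o == user for o in store.server_tasks.values()),
        "pending operations": sum(t == user for t in store.pending_ops.values()),
    }

def validate_delete(store, user):
    """Return (status, message); STAT_INUSE lists the number of connected objects."""
    counts = connected_objects(store, user)
    if any(counts.values()):
        detail = ", ".join(f"{n} {kind}" for kind, n in counts.items() if n)
        return STAT_INUSE, f"cannot delete {user}: {detail}"
    return STAT_SUCCESS, ""

def delete_user(store, user):
    """Direct delete (maker-checker disabled): validate once, then delete."""
    status, msg = validate_delete(store, user)
    if status == STAT_SUCCESS:
        store.users.discard(user)
    return status, msg

def schedule_delete(store, op_id, user):
    """Maker step: first validation, before the pending operation is recorded."""
    status, msg = validate_delete(store, user)
    if status == STAT_SUCCESS:
        store.pending_ops[op_id] = user
    return status, msg

def execute_approved_delete(store, op_id):
    """Checker step: the approved operation leaves the queue and the user is
    validated a second time, because references may have appeared meanwhile."""
    user = store.pending_ops.pop(op_id)
    return delete_user(store, user)

def demo():
    s = Store(users={"alice", "bob"}, reports={"monthly": "alice"})
    first = delete_user(s, "alice")              # refused: alice owns a report
    s.reports["monthly"] = "bob"
    sched = schedule_delete(s, "op1", "alice")   # passes the maker validation
    s.server_tasks["t1"] = "alice"               # created while awaiting approval
    second = execute_approved_delete(s, "op1")   # checker validation refuses it
    return first[0], sched[0], second[0], "alice" in s.users

if __name__ == "__main__":
    print(demo())
```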
Embedded JRE changed to OpenJDK (Web Administration Service)
The embedded Java Runtime Environment (JRE) deployed by the Web Administration Service setup packages has been replaced. Instead of Oracle Java, Web Administration Service now uses Azul Zulu (OpenJDK).
Supported platforms, data management systems, and other third-party products
Software libraries
OneSpan Authentication Server Appliance now includes the following (updated) third-party libraries:
OpenSSL 1.1.1h
Fixes and other updates
Issue OAS-11872: Vulnerabilities CVE-2021-45105, CVE-2021-45046, and CVE-2021-44228 in Apache Log4j2
Description: Recently, the Apache foundation announced a number of security vulnerabilities (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) in the Log4j2 library for Java applications, affecting all versions from 2.0-beta-9 to 2.16.0. These vulnerabilities allow attackers who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
For more information, refer to:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
Affects: OneSpan Authentication Server Appliance 3.15.16–3.21
Status: This issue has been fixed. The affected library files have been upgraded to Log4j Core library version 2.17.0. This version of the library mitigates the remote code execution and denial-of-service attacks that could result from the vulnerabilities.
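A version check a practitioner can run against a deployed log4j-core jar, added here as an example and not taken from the product: it reads the Maven pom.properties inside the jar and flags any 2.x release below the 2.17.0 the page names as the fix. The jar used below is constructed in memory; the jar path and member names are the standard Maven layout, and pre-release versions such as 2.0-beta-8 are deliberately flagged too, which is conservative.

```python
import io
import re
import zipfile

FIXED_VERSION = (2, 17, 0)  # version the page reports as the upgraded library
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """'2.16.0' -> (2, 16, 0); '2.0-beta9' -> (2, 0, 0), so pre-releases of a
    minor version sort at its bottom and are treated like that version."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def inspect_jar(jar_bytes):
    """Return (version, has_jndi_lookup, vulnerable) for a log4j-core jar.
    vulnerable is None when no Maven metadata is present (unknown version)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = set(z.namelist())
        has_jndi = JNDI_CLASS in names
        if POM_PATH not in names:
            return None, has_jndi, None
        props = z.read(POM_PATH).decode("ascii", "replace")
    version = None
    for line in props.splitlines():
        if line.startswith("version="):
            version = parse_version(line.split("=", 1)[1])
    vulnerable = version is not None and (2, 0, 0) <= version < FIXED_VERSION
    # Note: 2.17.0 still ships JndiLookup.class (lookups are disabled, not
    # removed), so the class alone is not evidence of a vulnerable build.
    return version, has_jndi, vulnerable

def build_sample_jar(version, with_jndi=True):
    """Constructed fixture: a jar containing only the members the check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PATH, "groupId=org.apache.logging.log4j\n"
                             f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()

if __name__ == "__main__":
    for v in ("2.14.1", "2.16.0", "2.17.0"):
        print(v, inspect_jar(build_sample_jar(v)))
```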
Issue OAS-11647 (Support case CS0082520): Authentication via push notification fails (Message Delivery Component)
Description: Authentication via push notification fails if OneSpan Notification Gateway and Digipass Authentication for Windows Logon are used. This is because OneSpan Notification Gateway does not support the uppercase Digipass Authentication for Windows Logon correlation IDs.
Affects: OneSpan Authentication Server Appliance 3.22
Status: This issue has been fixed. Message Delivery Component now forwards the lowercase correlation ID to OneSpan Notification Gateway.
Issue OAS-11432 (Support case CS0080787): OneSpan Authentication Server Appliance does not create core dumps
Description: Due to a faulty signal handler implementation, OneSpan Authentication Server Appliance only creates core dumps if the main process is terminated by SIGSEGV. If a specific thread is terminated by SIGSEGV, all other threads incorrectly receive SIGKILL and no core dump is generated.
Affects: OneSpan Authentication Server Appliance 3.12.13–3.22
Status: This issue has been fixed.
Issue OAS-11407 (Support case CS0079970): OneSpan Authentication Server service/daemon terminates on DNS query
Description: When performing a DNS query, the OneSpan Authentication Server service/daemon can terminate unexpectedly if the DNS response is too large.
Affects: OneSpan Authentication Server Appliance 3.12.13–3.21
Status: This issue has been fixed.
Issue OAS-10513 (Support case CS0075857): SQLite performance issues (Replication)
Description: SQLite performance issues affect the replication between multiple OneSpan Authentication Server Appliance instances and increase the replication backlog.
Affects: OneSpan Authentication Server Appliance 3.21
Status: This issue has been fixed.
Issue OAS-10464 (Support case CS0075857): Replication issues after upgrade to OneSpan Authentication Server Appliance 3.21.1
Description: After a product upgrade to version 3.21.1, the replication backlog can significantly increase in environments with multiple OneSpan Authentication Server Appliance instances. This can cause replication between multiple product instances to fail.
Affects: OneSpan Authentication Server Appliance 3.21.1
Status: This issue was caused by and has been fixed along with issue OAS-10513.
Issue OAS-10200 (Support case CS0073104): Inaccurate description of Max Days Between Authentications (Documentation)
Description: According to the OneSpan Authentication Server Appliance Administrator Reference and the Administration Web Interface Help, an administrator account expires by default after 90 days of inactivity. This information is misleading because the default setting of 90 days applies to all user accounts (not only administrator accounts).
Affects: OneSpan Authentication Server Appliance 3.17–3.21
Status: The documentation has been updated.
Issue OAS-9928 (Support case CS0070255): High memory usage when using LDAP Synchronization Tool
Description: A potential memory issue affecting administrative operations has been identified. In some environments this can lead to growing memory usage.
Especially in scenarios that involve LDAP user synchronization, OneSpan Authentication Server Appliance memory usage can grow rapidly. The consumed memory is not released after synchronization has completed.
Affects: OneSpan Authentication Server Appliance 3.17–3.21
Status: This issue has been fixed.
Issue OAS-9476 (Support case CS0063329): Push notifications are rejected for linked users
Description: When a user attempts an authentication via push notification (push and login) with a user account that is linked to another account, the push notification is correctly sent. However, because the user and domain information in the notification is different, the request is rejected by the mobile app and the authentication process fails.
Affects: OneSpan Authentication Server Appliance 3.12.13–3.21 (Mobile app on Android devices)
Status: This issue has been fixed.
Issue OAS-9297 (Support case CS0064510): Assign authenticator fails with certain serial number range parameters (Administration)
Description: When you attempt to assign an authenticator you can specify a range of serial numbers to automatically pick an authenticator from that range. However, the serial number range is incorrectly evaluated if any of the range parameters specifies either a serial number that contains alphabetic character prefixes, e.g. VDS0000001, or a number larger than 2147483648. In either case, the first authenticator found in the database is used for assignment, regardless of its serial number.
Affects: OneSpan Authentication Server Appliance 3.12.13–3.21
Status: This issue has been fixed.
Issue OAS-9102 (Support cases CS0058750, CS0058489): Connection issue due to certificate error (Web Administration Service)
Description: If Web Administration Service attempts to connect to OneSpan Authentication Server Appliance via the FQDN, but the TLS/SSL certificate for SOAP connections is issued for the IP address only (or vice versa), the connection cannot be established. You will receive an error that the certificate does not match the common name of the certificate subject.
Affects: OneSpan Authentication Server Appliance 3.21
Status: In version 3.21, the certificate handling has been improved: the host name specified in the TLS/SSL certificate is now correctly verified by Web Administration Service. The server address used to connect to the OneSpan Authentication Server Appliance instance (either IP address or FQDN) must match the common name or the subject alternative name (SAN) in the TLS/SSL certificate for SOAP connections.
The self-signed TLS/SSL certificates created by the OneSpan Authentication Server Configuration Wizard contain only the IP address in the subject alternative name (SAN). If you need to use the FQDN when establishing the connection, you have to create a certificate that contains the FQDN in the SAN.
The user documentation has been extended to explain this corrected behavior.
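The matching rule the two paragraphs above describe, as an added example (not the product's verifier code): an IP address is only covered by an iPAddress SAN entry, a host name by a dNSName entry or the common name, so a wizard-style certificate with only the IP in its SAN rejects the FQDN. Host and IP values below are constructed.

```python
import ipaddress

def _dns_match(pattern, host):
    """Case-insensitive host-name match; a wildcard is accepted only as the
    whole left-most label and only covers a single label (RFC 6125 style)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    labels = host.split(".", 1)
    return len(labels) == 2 and labels[0] != "" and labels[1] == pattern[2:]

def server_name_matches(address, san_dns=(), san_ip=(), common_name=None):
    """True if the address Web Administration Service connects to is covered
    by the SOAP certificate: IP addresses only by iPAddress SAN entries, host
    names by dNSName entries or the common name. Modern TLS stacks ignore the
    CN once any SAN is present, so the FQDN belongs in the SAN as the page says."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip == ipaddress.ip_address(s) for s in san_ip)
    if any(_dns_match(p, address) for p in san_dns):
        return True
    return common_name is not None and _dns_match(common_name, address)

def demo():
    # Constructed: wizard-style certificate carries only the IP in its SAN.
    wizard = dict(san_ip=["10.0.0.5"], common_name="10.0.0.5")
    # Constructed: replacement certificate carrying the FQDN in the SAN as well.
    fixed = dict(san_dns=["oas.example.internal"], san_ip=["10.0.0.5"],
                 common_name="oas.example.internal")
    return (server_name_matches("10.0.0.5", **wizard),
            server_name_matches("oas.example.internal", **wizard),
            server_name_matches("oas.example.internal", **fixed))

if __name__ == "__main__":
    print(demo())  # (True, False, True)
```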
Issue OAS-8967 (Support case CS0062858): Incorrect scheduling of tasks with daily recurrence (Task scheduling)
Description: When you create a task that should run with a daily recurrence on only one particular day of the week, the time of the next execution run is incorrectly calculated. This miscalculation causes the task to run every minute on the particular day of the week.
Status: This issue has been fixed.
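The miscalculation above, reproduced and corrected in an added example that is not the product's scheduler code: a buggy next-run function builds the candidate from today's date without requiring it to lie in the future, so a one-minute scheduler loop re-fires the task every tick for the rest of the day; the corrected version keeps stepping until the candidate is both on the chosen weekday and after the current time. Dates and the one-minute tick are constructed.

```python
from datetime import datetime, time, timedelta

def next_run_buggy(now, run_time, weekday):
    """Reproduces the defect: on the scheduled weekday the candidate is today's
    run time even when it has already passed, so the task is immediately due."""
    candidate = datetime.combine(now.date(), run_time)
    while candidate.weekday() != weekday:
        candidate += timedelta(days=1)
    return candidate

def next_run(now, run_time, weekday):
    """Correct: the next occurrence must be on the chosen weekday AND after now."""
    candidate = datetime.combine(now.date(), run_time)
    while candidate.weekday() != weekday or candidate <= now:
        candidate += timedelta(days=1)
    return candidate

def simulate(next_run_fn, start, minutes, run_time, weekday):
    """Run a one-minute scheduler loop and count how often the task fires."""
    fired = 0
    due = next_run_fn(start, run_time, weekday)
    for i in range(minutes):
        now = start + timedelta(minutes=i)
        if now >= due:
            fired += 1
            due = next_run_fn(now, run_time, weekday)
    return fired

def demo():
    start = datetime(2021, 10, 4, 1, 59)      # constructed; a Monday
    weekday = start.weekday()                 # schedule "daily, Mondays only"
    at = time(2, 0)
    return (simulate(next_run_buggy, start, 120, at, weekday),
            simulate(next_run, start, 120, at, weekday))

if __name__ == "__main__":
    print(demo())  # (119, 1): buggy fires every minute after 02:00, fixed fires once
```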
Issues OAS-8877, OAS-8180: New dialog boxes in the Administration Web Interface
Description: Dialog boxes in the Administration Web Interface are no longer opened in a separate browser window but are now displayed as an overlay on the same browser page (lightbox pop-up). Issues with pop-up blocker software will no longer occur.
Issue OAS-8812 (Support case CS0058873): Authenticator description not populated from DIGIPASS import file
Description: When you import authenticators from a DIGIPASS import file (.csv) the value of the description column is ignored and not written to the description of the authenticator record in the database.
Affects: OneSpan Authentication Server Appliance 3.21
Status: This issue has been fixed.
Issue OAS-8397 (Support case CS0058121): OU administrator cannot move user account to child OU
Description: When an organizational unit (OU) administrator attempts to move a user account from the same OU to a child OU, the command fails. An error message in the trace file incorrectly indicates that the administrator does not have access to the top-level domain, which is not required in this case anyway.
Status: This issue has been fixed.
Issue OAS-8249 (Support case CS0056576): Incorrect authenticators selected for auto-assignment
Description: In environments with user accounts and authenticators in different organizational units (OU), provisioning using auto-assignment can fail. OneSpan Authentication Server Appliance attempts to assign the first authenticator based on the alphabetically sorted serial number, independent of the authenticator's location. If that authenticator is in an organizational unit inaccessible to the user, the assignment process will fail, although a valid authenticator is present in an accessible OU.
Affects: OneSpan Authentication Server Appliance 3.16.17–3.21
Status: This issue has been fixed.
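How both selection defects above (OAS-9297's range evaluation and OAS-8249's OU check) can be avoided, as an added example that is not the product's implementation: serial numbers are split into an alphabetic prefix and an arbitrary-precision number, so VDS-prefixed serials and values above 2147483647 compare correctly, and only unassigned authenticators in an OU accessible to the user are considered. The inventory, OU names and serial values are constructed.

```python
import re
from dataclasses import dataclass

SERIAL_RE = re.compile(r"^([A-Za-z]*)(\d+)$")

def serial_key(serial):
    """'VDS0000001' -> ('VDS', 1). The numeric part is a Python int, so values
    beyond 2147483647 compare correctly instead of overflowing a 32-bit int."""
    m = SERIAL_RE.match(serial)
    if not m:
        raise ValueError(f"malformed serial number {serial!r}")
    return m.group(1).upper(), int(m.group(2))

def in_range(serial, start, end):
    """True if serial lies in [start, end]; the three prefixes must agree."""
    prefix, number = serial_key(serial)
    p_start, n_start = serial_key(start)
    p_end, n_end = serial_key(end)
    if p_start != p_end:
        raise ValueError("range bounds must share one prefix")
    return prefix == p_start and n_start <= number <= n_end

@dataclass(frozen=True)
class Authenticator:
    serial: str
    ou: str
    assigned: bool = False

def pick_for_assignment(inventory, start, end, accessible_ous):
    """Select the lowest unassigned serial in the range that also sits in an OU
    the user can access, rather than the first row the database returns."""
    candidates = [a for a in inventory
                  if not a.assigned and a.ou in accessible_ous
                  and in_range(a.serial, start, end)]
    if not candidates:
        return None
    return min(candidates, key=lambda a: serial_key(a.serial))

# Constructed inventory: a mix of OUs, an assigned unit and a very large serial.
INVENTORY = [
    Authenticator("VDS0000001", "sales", assigned=True),
    Authenticator("VDS0000002", "hr"),
    Authenticator("VDS0000003", "sales"),
    Authenticator("VDS2147483650", "sales"),
    Authenticator("4000000001", "sales"),
]

def demo():
    chosen = pick_for_assignment(INVENTORY, "VDS0000001", "VDS9999999999", {"sales"})
    return chosen.serial if chosen else None

if __name__ == "__main__":
    print(demo())  # VDS0000003
```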
Issue OAS-8248 (Support case CS0057547): Set Authentication Policy Overrides privilege not always effective
Description: The Set Authentication Policy Overrides administrative privilege is not correctly evaluated for global administrators in some circumstances. This allows global administrators without that specific administrative privilege to modify user-specific settings and override the effective client policy settings via the USERS > Policy Overrides tab.
Affects: OneSpan Authentication Server Appliance 3.12.13–3.21
Status: This issue has been fixed.
Issue OAS-8184: New DIGIPASS import file examples
Description: As of OneSpan Authentication Server Appliance 3.21 it is possible to upload and process a DIGIPASS import file (CSV) directly via the Administration Web Interface. To help administrators inspect the file structure and prepare such files themselves more easily, a couple of sample files are now included on the product CD.
Issue OAS-8068 (Support case CS0053630): Server policy is changed to default policy during upgrade
Description: When OneSpan Authentication Server Appliance is upgraded to a newer product version, the server policy is changed to Identikey Administration Logon.
Affects: OneSpan Authentication Server Appliance 3.20–3.21.x
Status: This issue has been fixed.
Issue OAS-6848 (Support cases CS0053447, CS0049052): Assign authenticator fails with invalid serial number range (Administration)
Description: When you attempt to assign an authenticator you can specify a range of serial numbers. If maker–checker authorization is enabled and the range of serial numbers contains non-existent authenticators, you get an error message that a foreign key constraint is violated. No pending operation is scheduled. A workaround is to specify a valid serial number range containing existing authenticators or to use the Search now to select DIGIPASS to assign option in the Assign DIGIPASS wizard.
Affects: OneSpan Authentication Server Appliance 3.12.13–3.21
Status: This issue has been fixed.
Issue OAS-6598 (Support case CS0044946): Service does not recover from ODBC connection failure
Description: In some circumstances, the OneSpan Authentication Server Appliance service cannot properly recover if the connection to the ODBC database is lost and the service attempts to reconnect bad nodes. This issue is indicated by an info message in the trace file: "Not attempting a reconnect, next try allowed earliest at 1969-12-31 23:59:59"
Affects: OneSpan Authentication Server Appliance 3.18–3.21
Status: This issue has been fixed.
Issue OAS-6446 (Support case CS0046669): Unclear information regarding OneSpan Mobile Authenticator setups (Documentation)
Description: The Push Notification Getting Started Guide contains unclear information about the steps which are required to set up deployments that target the OneSpan Mobile Authenticator app. This also includes misleading information about the DIGIPASS Gateway API keys, how to configure your firewall, and which OneSpan Authentication Server client components to use.
Status: The documentation has been updated.
Issue OAS-5264: Incorrect report sorting results (Web Administration Service)
Description: Sorting in the Reports list does not work correctly. If you select to sort by report name, the report list is actually sorted by the internal report ID instead of the displayed report name. Sorting by any column does not take letter casing into consideration. Both can lead to incorrect and unexpected sorting results.
Status: This issue has been fixed. The Reports list is now correctly sorted by the report name and casing is handled correctly.
Issue OAS-4354 (Support case PS-CS0028491): Log rotation not working with log size greater than 1 GB
Description: If the log size is set to a value greater than 1 GB, log rotation will not work properly.
Affects: OneSpan Authentication Server Appliance 3.17–3.21
Status: This issue has been fixed.
Issue OAS-3897 (Support cases CS0045397, CS0024776, CS0024325, CS0022985): Finished scheduled tasks result in performance issues (Task management)
Description: Scheduled tasks are not removed from the database when they are completed. This can lead to a large number of finished tasks if they are scheduled but not removed regularly. However, OneSpan Authentication Server Appliance queries the tasks once a minute to update their progress and state information. In some environments this can yield higher resource consumption after some time and lead to delayed response times, in the worst case to replication failures.
Affects: OneSpan Authentication Server Appliance 3.15.16–3.21
Status: This area has been improved in several steps:
In OneSpan Authentication Server Appliance 3.22, a new command has been added to remove old finished tasks. This allows you to clean up the task list and remove completed tasks regularly to maintain clarity and avoid performance issues with the task management.
In OneSpan Authentication Server Appliance 3.21, the Task Management page of the Administration Web Interface has been improved to filter the task list based on search criteria for most columns and sort it by different columns.
In OneSpan Authentication Server Appliance 3.20, the affected queries have been optimized.
Issue OAS-345 (Support case CS0001464): Missing information about deleting administrators who are report owners (Documentation)
Description: Deleting an administrative user account is not possible if the user is a report owner. The ownership of any affected reports needs to be changed before an administrator can be deleted. This information is missing in the OneSpan Authentication Server Appliance Administrator Guide.
Affects: OneSpan Authentication Server Appliance 3.12.13–3.21
Status: The documentation has been updated.
Issue OAS-265 (Support case PS-176974): Service stops when importing invalid user import file
Description: When attempting to import user accounts via a user import file that contains lines longer than 1023 characters, the OneSpan Authentication Server service/daemon terminates ungracefully.
Affects: OneSpan Authentication Server Appliance 3.12.13–3.21
Status: This issue has been fixed.
Issue 133197: Various security improvements
Description: Various security improvements have been made. MariaDB no longer listens on external interfaces. The SSL cipher suite was upgraded for the replication daemon.
Affects: OneSpan Authentication Server Appliance 3.21 and earlier
Status: Security has been improved.
Issue 130713: Update of minimum requirements in documentation
Description: The minimum disk requirements mentioned in the OneSpan Authentication Server Virtual Appliance installation manuals are incorrect.
Affects: OneSpan Authentication Server Appliance 3.18–3.21
Status: The documentation has been updated.
Issue 127392 (Support Case CS0064700): LDAP synchronization test run fails with special characters
Description: Test runs of LDAP synchronization fail if there are user names that contain special characters.
Affects: OneSpan Authentication Server Appliance 3.21
Status: This issue has been fixed.
Deprecated components and features
Digipass Authentication for Windows Logon 1.x
OneSpan Authentication Server Appliance no longer supports Digipass Authentication for Windows Logon 1.x. The related features, e.g. Dynamic Component Registration (DCR) and the Identikey Windows Logon Client component, have been removed.
OneSpan Authentication Server Appliance continues to support Digipass Authentication for Windows Logon 2.0 and later.
Future platform support changes
This section summarizes planned and upcoming changes to supported platforms and other third-party products that will become effective in future versions. You are highly encouraged to plan and modify your deployments accordingly to allow future upgrades.
Version 3.23
OneSpan Authentication Server Appliance 3.23 will no longer support the following products:
Web browsers
Internet Explorer