Version 3.25 (January 2024)
  • 03 Oct 2024
  • 8 Minutes à lire
  • Sombre
    Lumière

Version 3.25 (January 2024)

  • Sombre
    Lumière

The content is currently unavailable in French. You are viewing the default English version.
Résumé de l’article

Release information

Supported operating systems

OneSpan Authentication Server 3.25 supports the following operating systems:

Microsoft Windows

  • Windows Server 2022

  • Windows Server 2019

  • Windows Server 2016

Linux

  • CentOS 7, 64-bit (version 7.8 and later)

  • Red Hat Enterprise Linux (RHEL) 8, 64-bit

  • Red Hat Enterprise Linux (RHEL) 7, 64-bit (version 7.8 and later)

  • Ubuntu Server 20.04 LTS, 64-bit

  • Ubuntu Server 18.04 LTS, 64-bit

Supported ODBC databases

  • MariaDB 10.11.5 (included as embedded database) [NEW]

    If you install the embedded MariaDB database, the DBeaver 23.3.0 database tool is also installed.

    OneSpan Authentication Server is fully compatible with data-at-rest encryption as provided by MariaDB.

  • Oracle Database 19c

    OneSpan Authentication Server is fully compatible with Transparent Data Encryption (TDE) as provided by Oracle Database to protect data at rest (tablespace encryption).

  • Microsoft SQL Server

    • Microsoft SQL Server 2019

    • Microsoft SQL Server 2017

    • Microsoft SQL Server 2016

    • Microsoft SQL Server 2014

    OneSpan Authentication Server supports the SQLServer AlwaysOn Availability Groups feature for Microsoft SQL Server versions 2019, 2017, 2016, and 2014.

    OneSpan Authentication Server is fully compatible with Transparent Data Encryption (TDE) as provided by Microsoft SQL Server to protect data at rest.

    OneSpan Authentication Server supports the following ODBC drivers:

    • Microsoft ODBC Driver 17 for SQL Server

    • Microsoft ODBC Driver 13.1 for SQL Server

    • Microsoft ODBC Driver 11 for SQL Server

Supported browsers (Administration Web Interface)

The Administration Web Interface supports the following browsers:

  • Google Chrome

  • Mozilla Firefox

  • Microsoft Edge

The Administration Web Interface supports all browser versions currently supported by the respective vendors.

Supported web servers (Administration Web Interface)

The Administration Web Interface can be run on these web application servers (based on the respective JRE):

  • Apache Tomcat 9.0–9.0.82 (included) [NEW]

    The included version of Apache Tomcat was updated to fix a critical security vulnerability (CVE-2023-28709).

    • Oracle Server Java Runtime Environment 11

    • Azul Zulu 11 (included)

  • Open Liberty (tested with 23.0.0.3-full-java11-openj9)

  • WebSphere Liberty (tested with 23.0.0.2-full-java11-openj9-ubi)

The OneSpan Authentication Server product CD contains a version of Web Administration Service adapted for Open Liberty and WebSphere Liberty for manual deployment.

Other new third-party products

Software libraries

OneSpan Authentication Server now includes the following (updated) third-party libraries:

  • Boost C++ libraries 1.83.0 [NEW]

  • cURL 8.4.0 [NEW]

    This version of cURL fixes a couple of security vulnerabilities, including CVE-2023-38545 and CVE-2023-38546.

  • gSOAP 2.8.129 [NEW]

  • libxml2 2.11.5 [NEW]

  • libxslt 1.1.38 [NEW]

  • OpenSSL 3.0.9 [NEW]

    This version is a major upgrade and introduces breaking changes that can affect both new and existing installations.
    If any of your certificates were generated using an older version of OpenSSL, you might experience validation problems. In this case, regenerating the affected certificates using the bundled OpenSSL version should resolve the issues.

  • SQLite 3.43.2 [NEW]

  • wxWidgets 3.2.2.1 [NEW]

Administration Web Interface now includes the following (updated) third-party libraries:

  • FasterXML/jackson-databind 2.15.2 [NEW]

    This version of FasterXML/jackson-databind fixes a couple of security vulnerabilities, including CVE-2023-35116 and CVE-2021-46877.

Utilities

OneSpan Authentication Server now requires the following products to be installed:

  • On Windows: Net-SNMP 5.9.4 (included) [NEW]

  • On supported Linux environments, install the Net-SNMP version that comes with your Linux distribution.

OneSpan authentication platform

OneSpan Authentication Server 3.25 integrates and uses OneSpan Authentication Server Framework 3.22.

Upgrade path

OneSpan Authentication Server supports direct upgrades from 3.18 or 3.24 to version 3.25 on the supported operating systems.

New features and enhancements

TLS 1.3 support

OneSpan Authentication Server now fully supports TLSv1.3. As a consequence, the provided cipher suite security levels have been adapted:

  • TLSv1.3 is now supported on all cipher suite security levels.

  • The following TLSv1.3 cipher suites were added:

    • TLS_AES_256_GCM_SHA384

    • TLS_CHACHA20_POLY1305_SHA256

    • TLS_AES_128_GCM_SHA256

  • TLSv1 and TLSv1.1 are only supported on security level MEDIUM, LOW, and CUSTOM anymore.

  • SSL is no longer supported.

Single line audit messages in Linux syslog

By default, OneSpan Authentication Server audit messages are written across multiple lines in the Linux system logger (syslog) for better readability if applicable. For instance, if an audit message includes several output details, each output field is written to a new line.

You can now determine the syslog format with the Allow-Newlines option in the OneSpan Authentication Server configuration file. By default, this value is not set in the configuration file (audit messages are wrapped across multiple lines).

Fixes and other updates

Issue CVE-2023-48795: SSH Terrapin prefix truncation weakness

Description: The SSH implementation used by OneSpan Authentication Server Appliance allows remote attackers to bypass integrity checks so that a client and server can end up with a connection for which some security features have been downgraded or disabled. This issue is referred to as Terrapin attack.

For more information, refer to https://nvd.nist.gov/vuln/detail/CVE-2023-48795.

Status: This issue has been fixed.

Issue OAS-20965: Vulnerability in Apache Struts (Web Administration Service)

Description: A number of vulnerabilities in the Apache Struts framework can lead to remote code execution and denial-of-service issues:

Affects: OneSpan Authentication Server 3.18–3.24

Status: This issue has been fixed. Apache Struts has been upgraded to version 2.5.33.

Issue OAS-20042: New HTTP error pages (Web Administration Service)

Description: The default Apache Tomcat HTTP error pages for the Web Administration Service have been replaced with static error pages to mask information about the web server.

Issue OAS-19890: Misleading UI text in wizards (Web Administration Service)

Description: The Delete Audit Data wizard and the Delete Finished Tasks wizard allow you to delete old audit data and finished tasks. In the first step of each wizard you specify the maximum age of data that you want to keep. The descriptive UI text about the data that is being kept can be misleading for some readers.

Affects: OneSpan Authentication Server 3.18–3.24

Status: This issue has been fixed. The respective UI text has been revised to be less ambiguous.

Issue OAS-19617 (Support case CS0132820): Authentication failures during HSM key rotation

Description: In environments that use a hardware security module (HSM), an HSM key rotation can lead to authentication failures. The root cause are some HSM-related operations that use an incorrect storage key to decrypt BLOB data. During an HSM key rotation, this leads to authentication failures.

Affects: OneSpan Authentication Server 3.11–3.24 (using HSM)

Status: This issue has been fixed. The affected operations have been fixed to use the correct storage key.

Issue OAS-19582: Invalid email address blocks SMTP connection pool (Message Delivery Component)

Description: The Message Delivery Component (MDC) server uses separate connection pools to each gateway node to handle multiple message deliveries concurrently. If MDC cannot send an email message because the email address that is specified in the user account is invalid, it blocks the connection pool of the respective SMTP gateway node for 10 seconds. In that case, MDC returns an incorrect status that the connection is still in use.

Affects: OneSpan Authentication Server 3.18–3.24

Status: This issue has been fixed. The connection logic has been improved, and a different status is now returned by MDC in case of invalid email addresses.

Issue OAS-19428: OneSpan Authentication Server service blocked by antivirus software

Description: Under some circumstances, the OneSpan Authentication Server service is falsely identified as malware and blocked by certain antivirus applications.

Status: Third-party antivirus and antimalware software can interfere with OneSpan Authentication Server and prevent it from working correctly. To prevent issues, OneSpan Authentication Server should be added to the exclusion list of the interfering antivirus software.

The documentation was extended to include respective information.

Issue OAS-19063: Storage key cannot be created (Web Administration Service)

Description: When attempting to create a new storage key with a hardware security module (HSM), Web Administration Service cannot complete the operation and displays an "Invalid key label" message.

Affects: OneSpan Authentication Server with HSM

Status: This issue has been fixed.

Issue OAS-17838: Insufficient error description (Message Delivery Component)

Description: The Message Delivery Component (MDC) service uses cURL for data transfer operations. In some cases when an error occurs, e.g. if the used certificate is invalid, the log information is too vague and suppresses useful information about the root cause of the error.

Status: This issue has been fixed. The handling of cURL-related messages has been improved to make error investigation easier without revealing security-relevant information.

Issue OAS-17224: Incorrect handling of default policy setting

Description: The default value handling of the Static Password > Not Based on User ID policy setting is incorrect. If you create a new policy based on an existing policy where Static Password > Not Based on User ID is not set, and set the policy setting to Default in the new policy, the effective policy will also be Default, which is invalid.

Affects: OneSpan Authentication Server 3.18–3.24

Status: This issue has been fixed. If the Static Password > Not Based on User ID policy setting is set neither in the applied policy nor in any of its base policies, OneSpan Authentication Server uses No as the built-in default value.

Issue OAS-16101: Pending operation data accessed by database operations although maker–checker authorization is disabled

Description: Some operations, e.g. those that include authenticator searches, query the pending operation data from the database even if maker–checker authorization is disabled. Although the vdsPendingOperation table is empty in that case, it is unnecessarily included in the underlying database operations, which negatively impacts the server performance.

Affects: OneSpan Authentication Server 3.18–3.24

Status: This issue has been fixed. The affected operations have been improved to exclude pending operation data if maker–checker authorization is disabled.

Issue OAS-15866 (Support case CS0110759): Upgrade error on Red Hat Enterprise Linux

Description: When you attempt to upgrade OneSpan Authentication Server on Red Hat Enterprise Linux 7.9 using the upgrade script, the platform detection logic does not work as expected. The upgrade script terminates with a "Cannot compare system major version! This operating system is not supported." message.

Affects: OneSpan Authentication Server 3.23–3.24 (on Red Hat Enterprise Linux)

Status: This issue has been fixed. The platform detection logic has been improved for all supported distributions. Furthermore, the installation script does no longer depend or require the Linux Standard Base (LSB) packages to be installed.

Issue OAS-9881 (Support case CS0070514): Incorrect display of warnings and errors in Event Viewer

Description: OneSpan Authentication Server audit messages of type Warning and Error are automatically added to the Windows application event log with event ID 0. When you view the details for such event entries, the information is not correctly displayed and includes a "The description for Event ID 0 from source Identikey Server {Application} cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer." message.

Affects: OneSpan Authentication Server 3.19–3.24 (on Windows)

Status: This issue has been fixed. The event entries are now properly displayed. Furthermore, new events are logged with event ID 256.

Deprecated components and features

Active Directory data stores (Removed)

The possibility to use Active Directory as the data store has been completely removed. You can no longer select this option for new installations or upgrade existing deployments with Active Directory as data store!

You will still be able to use Active Directory for other supported purposes, such as back-end authentication, or password and data synchronization.

If you still use AD as data store, you need to upgrade to OneSpan Authentication Server 3.24 and use Data Migration Tool 3.24 to migrate to an ODBC-based data store, before you can upgrade to OneSpan Authentication Server 3.25!

Supported platforms, data management systems, and other third-party products

Operating systems

  • Windows Server 2012 R2

  • Windows Server 2012

Data management systems

  • Microsoft SQL Server 2012 Service Pack 4

  • Oracle Database 18c

  • Oracle Database 12c


Cet article vous a-t-il été utile ?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.
ESC

Ozzy, facilitant la découverte de connaissances grâce à l’intelligence conversationnelle