- 03 Oct 2024
- 8 Minutes à lire
- SombreLumière
Version 3.25 (January 2024)
- Mis à jour le 03 Oct 2024
- 8 Minutes à lire
- SombreLumière
Release information
Supported operating systems
OneSpan Authentication Server 3.25 supports the following operating systems:
Microsoft Windows
Windows Server 2022
Windows Server 2019
Windows Server 2016
Linux
CentOS 7, 64-bit (version 7.8 and later)
Red Hat Enterprise Linux (RHEL) 8, 64-bit
Red Hat Enterprise Linux (RHEL) 7, 64-bit (version 7.8 and later)
Ubuntu Server 20.04 LTS, 64-bit
Ubuntu Server 18.04 LTS, 64-bit
Supported ODBC databases
MariaDB 10.11.5 (included as embedded database) [NEW]
If you install the embedded MariaDB database, the DBeaver 23.3.0 database tool is also installed.
OneSpan Authentication Server is fully compatible with data-at-rest encryption as provided by MariaDB.
Oracle Database 19c
OneSpan Authentication Server is fully compatible with Transparent Data Encryption (TDE) as provided by Oracle Database to protect data at rest (tablespace encryption).
Microsoft SQL Server
Microsoft SQL Server 2019
Microsoft SQL Server 2017
Microsoft SQL Server 2016
Microsoft SQL Server 2014
OneSpan Authentication Server supports the SQLServer AlwaysOn Availability Groups feature for Microsoft SQL Server versions 2019, 2017, 2016, and 2014.
OneSpan Authentication Server is fully compatible with Transparent Data Encryption (TDE) as provided by Microsoft SQL Server to protect data at rest.
OneSpan Authentication Server supports the following ODBC drivers:
Microsoft ODBC Driver 17 for SQL Server
Microsoft ODBC Driver 13.1 for SQL Server
Microsoft ODBC Driver 11 for SQL Server
Supported browsers (Administration Web Interface)
The Administration Web Interface supports the following browsers:
Google Chrome
Mozilla Firefox
Microsoft Edge
The Administration Web Interface supports all browser versions currently supported by the respective vendors.
Supported web servers (Administration Web Interface)
The Administration Web Interface can be run on these web application servers (based on the respective JRE):
Apache Tomcat 9.0–9.0.82 (included) [NEW]
The included version of Apache Tomcat was updated to fix a critical security vulnerability (CVE-2023-28709).
Oracle Server Java Runtime Environment 11
Azul Zulu 11 (included)
Open Liberty (tested with 23.0.0.3-full-java11-openj9)
WebSphere Liberty (tested with 23.0.0.2-full-java11-openj9-ubi)
The OneSpan Authentication Server product CD contains a version of Web Administration Service adapted for Open Liberty and WebSphere Liberty for manual deployment.
Other new third-party products
Software libraries
OneSpan Authentication Server now includes the following (updated) third-party libraries:
Boost C++ libraries 1.83.0 [NEW]
cURL 8.4.0 [NEW]
This version of cURL fixes a couple of security vulnerabilities, including CVE-2023-38545 and CVE-2023-38546.
gSOAP 2.8.129 [NEW]
libxml2 2.11.5 [NEW]
libxslt 1.1.38 [NEW]
OpenSSL 3.0.9 [NEW]
This version is a major upgrade and introduces breaking changes that can affect both new and existing installations.
If any of your certificates were generated using an older version of OpenSSL, you might experience validation problems. In this case, regenerating the affected certificates using the bundled OpenSSL version should resolve the issues.SQLite 3.43.2 [NEW]
wxWidgets 3.2.2.1 [NEW]
Administration Web Interface now includes the following (updated) third-party libraries:
FasterXML/jackson-databind 2.15.2 [NEW]
This version of FasterXML/jackson-databind fixes a couple of security vulnerabilities, including CVE-2023-35116 and CVE-2021-46877.
Utilities
OneSpan Authentication Server now requires the following products to be installed:
On Windows: Net-SNMP 5.9.4 (included) [NEW]
On supported Linux environments, install the Net-SNMP version that comes with your Linux distribution.
OneSpan authentication platform
OneSpan Authentication Server 3.25 integrates and uses OneSpan Authentication Server Framework 3.22.
Upgrade path
OneSpan Authentication Server supports direct upgrades from 3.18 or 3.24 to version 3.25 on the supported operating systems.
New features and enhancements
TLS 1.3 support
OneSpan Authentication Server now fully supports TLSv1.3. As a consequence, the provided cipher suite security levels have been adapted:
TLSv1.3 is now supported on all cipher suite security levels.
The following TLSv1.3 cipher suites were added:
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
TLSv1 and TLSv1.1 are only supported on security level MEDIUM, LOW, and CUSTOM anymore.
SSL is no longer supported.
Single line audit messages in Linux syslog
By default, OneSpan Authentication Server audit messages are written across multiple lines in the Linux system logger (syslog) for better readability if applicable. For instance, if an audit message includes several output details, each output field is written to a new line.
You can now determine the syslog format with the Allow-Newlines option in the OneSpan Authentication Server configuration file. By default, this value is not set in the configuration file (audit messages are wrapped across multiple lines).
Fixes and other updates
Issue CVE-2023-48795: SSH Terrapin prefix truncation weakness
Description: The SSH implementation used by OneSpan Authentication Server Appliance allows remote attackers to bypass integrity checks so that a client and server can end up with a connection for which some security features have been downgraded or disabled. This issue is referred to as Terrapin attack.
For more information, refer to https://nvd.nist.gov/vuln/detail/CVE-2023-48795.
Status: This issue has been fixed.
Issue OAS-20965: Vulnerability in Apache Struts (Web Administration Service)
Description: A number of vulnerabilities in the Apache Struts framework can lead to remote code execution and denial-of-service issues:
CVE-2023-50164:
CVE-2023-41835
CVE-2023-34396
CVE-2023-34149
Affects: OneSpan Authentication Server 3.18–3.24
Status: This issue has been fixed. Apache Struts has been upgraded to version 2.5.33.
Issue OAS-20042: New HTTP error pages (Web Administration Service)
Description: The default Apache Tomcat HTTP error pages for the Web Administration Service have been replaced with static error pages to mask information about the web server.
Issue OAS-19890: Misleading UI text in wizards (Web Administration Service)
Description: The Delete Audit Data wizard and the Delete Finished Tasks wizard allow you to delete old audit data and finished tasks. In the first step of each wizard you specify the maximum age of data that you want to keep. The descriptive UI text about the data that is being kept can be misleading for some readers.
Affects: OneSpan Authentication Server 3.18–3.24
Status: This issue has been fixed. The respective UI text has been revised to be less ambiguous.
Issue OAS-19617 (Support case CS0132820): Authentication failures during HSM key rotation
Description: In environments that use a hardware security module (HSM), an HSM key rotation can lead to authentication failures. The root cause are some HSM-related operations that use an incorrect storage key to decrypt BLOB data. During an HSM key rotation, this leads to authentication failures.
Affects: OneSpan Authentication Server 3.11–3.24 (using HSM)
Status: This issue has been fixed. The affected operations have been fixed to use the correct storage key.
Issue OAS-19582: Invalid email address blocks SMTP connection pool (Message Delivery Component)
Description: The Message Delivery Component (MDC) server uses separate connection pools to each gateway node to handle multiple message deliveries concurrently. If MDC cannot send an email message because the email address that is specified in the user account is invalid, it blocks the connection pool of the respective SMTP gateway node for 10 seconds. In that case, MDC returns an incorrect status that the connection is still in use.
Affects: OneSpan Authentication Server 3.18–3.24
Status: This issue has been fixed. The connection logic has been improved, and a different status is now returned by MDC in case of invalid email addresses.
Issue OAS-19428: OneSpan Authentication Server service blocked by antivirus software
Description: Under some circumstances, the OneSpan Authentication Server service is falsely identified as malware and blocked by certain antivirus applications.
Status: Third-party antivirus and antimalware software can interfere with OneSpan Authentication Server and prevent it from working correctly. To prevent issues, OneSpan Authentication Server should be added to the exclusion list of the interfering antivirus software.
The documentation was extended to include respective information.
Issue OAS-19063: Storage key cannot be created (Web Administration Service)
Description: When attempting to create a new storage key with a hardware security module (HSM), Web Administration Service cannot complete the operation and displays an "Invalid key label" message.
Affects: OneSpan Authentication Server with HSM
Status: This issue has been fixed.
Issue OAS-17838: Insufficient error description (Message Delivery Component)
Description: The Message Delivery Component (MDC) service uses cURL for data transfer operations. In some cases when an error occurs, e.g. if the used certificate is invalid, the log information is too vague and suppresses useful information about the root cause of the error.
Status: This issue has been fixed. The handling of cURL-related messages has been improved to make error investigation easier without revealing security-relevant information.
Issue OAS-17224: Incorrect handling of default policy setting
Description: The default value handling of the Static Password > Not Based on User ID policy setting is incorrect. If you create a new policy based on an existing policy where Static Password > Not Based on User ID is not set, and set the policy setting to Default in the new policy, the effective policy will also be Default, which is invalid.
Affects: OneSpan Authentication Server 3.18–3.24
Status: This issue has been fixed. If the Static Password > Not Based on User ID policy setting is set neither in the applied policy nor in any of its base policies, OneSpan Authentication Server uses No as the built-in default value.
Issue OAS-16101: Pending operation data accessed by database operations although maker–checker authorization is disabled
Description: Some operations, e.g. those that include authenticator searches, query the pending operation data from the database even if maker–checker authorization is disabled. Although the vdsPendingOperation table is empty in that case, it is unnecessarily included in the underlying database operations, which negatively impacts the server performance.
Affects: OneSpan Authentication Server 3.18–3.24
Status: This issue has been fixed. The affected operations have been improved to exclude pending operation data if maker–checker authorization is disabled.
Issue OAS-15866 (Support case CS0110759): Upgrade error on Red Hat Enterprise Linux
Description: When you attempt to upgrade OneSpan Authentication Server on Red Hat Enterprise Linux 7.9 using the upgrade script, the platform detection logic does not work as expected. The upgrade script terminates with a "Cannot compare system major version! This operating system is not supported." message.
Affects: OneSpan Authentication Server 3.23–3.24 (on Red Hat Enterprise Linux)
Status: This issue has been fixed. The platform detection logic has been improved for all supported distributions. Furthermore, the installation script does no longer depend or require the Linux Standard Base (LSB) packages to be installed.
Issue OAS-9881 (Support case CS0070514): Incorrect display of warnings and errors in Event Viewer
Description: OneSpan Authentication Server audit messages of type Warning and Error are automatically added to the Windows application event log with event ID 0. When you view the details for such event entries, the information is not correctly displayed and includes a "The description for Event ID 0 from source Identikey Server {Application} cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer." message.
Affects: OneSpan Authentication Server 3.19–3.24 (on Windows)
Status: This issue has been fixed. The event entries are now properly displayed. Furthermore, new events are logged with event ID 256.
Deprecated components and features
Active Directory data stores (Removed)
The possibility to use Active Directory as the data store has been completely removed. You can no longer select this option for new installations or upgrade existing deployments with Active Directory as data store!
You will still be able to use Active Directory for other supported purposes, such as back-end authentication, or password and data synchronization.
If you still use AD as data store, you need to upgrade to OneSpan Authentication Server 3.24 and use Data Migration Tool 3.24 to migrate to an ODBC-based data store, before you can upgrade to OneSpan Authentication Server 3.25!
Supported platforms, data management systems, and other third-party products
Operating systems
Windows Server 2012 R2
Windows Server 2012
Data management systems
Microsoft SQL Server 2012 Service Pack 4
Oracle Database 18c
Oracle Database 12c