Version 3.26 (September 2024)

Description: In environments that use the Linux system logger (syslog) for auditing, some audit messages are truncated after the Reason field, and any following data (fields) of the same audit message are not written to the log.

Affects: OneSpan Authentication Server Appliance 3.25

Status: This issue has been fixed.

Description: The default administration session parameters that are used by OneSpan Authentication Server Appliance may be too restrictive and cause issues in some environments.

For instance, the maximum number of concurrent administrative sessions is 20 by default. In a scenario that include a couple of automation components and/or help desk members working at the same time, this might not be enough and, in the worst case, prevent other administrative users from connecting via the Administration Web Interface.

Status: The following administration session parameters have been revised to use more reliable and more performant default values:

• Maximum number of concurrent administrative sessions (200)

• Minimum session read interval (30)

• Minimum session update interval (60)

If you upgrade an existing deployment, the respective parameters will be updated by the data migration task, unless you have manually changed the previous default values. In that case, the existing parameter values will remain unchanged.

Description: In OneSpan Authentication Server 3.25, the OpenSSL library was updated to 3.0.9. This update influenced the resulting cipher lists.

While the cipher suite security levels define rules which protocols, protocol versions, and algorithms are allowed for a specific level, the resulting cipher lists depend on the OpenSSL library. This means that even if a higher cipher suite level defines stricter rules than a lower one, the applicable ciphers may be the same.

For instance, Very High is stricter than High, but effectively both levels allow the same ciphers. In that case, it does not make a difference, which cipher suite security level you select. The documentation does not explicitly explain that, which can cause confusion for readers.

Affects: OneSpan Authentication Server Appliance 3.25

Status: The documentation has been updated.

Description: When a service user executes a SOAP operation with the correct API key once, subsequent SOAP calls within the same session will accept any API key, even a wrong one.

This issue occurs only if the API key is specified in the SOAP body. It does not occur if the API key is provided via the HTTP header.

Affects: OneSpan Authentication Server Appliance 3.19–3.25

Status: This issue has been fixed. The API key is now correctly cleared and verified for every SOAP call.

Description: In version 3.17, the mechanism for static password policy rules was changed: now always the password rules that are configured via the policy associated with the server component are evaluated in order that they apply to all users independent of the used client. Different password strength rules can be applied for administrators and regular users via the policy inheritance.

In some cases when the password of an administrative user is changed, the effective policy of the client component is used (instead of the server component).

Affects: OneSpan Authentication Server Appliance 3.17–3.25

Status: This issue has been fixed.

Description: Including a URL with %20-encoded whitespaces in custom email message templates, e.g. for offline activation data, can cause an issue when sending a message. The issue causes the MDC service to stop unexpectedly and OneSpan Authentication Server audits an F‑001003 error message ("A communications error occurred (Error executing the MDC server command)").

Affects: OneSpan Authentication Server Appliance 3.24–3.25

Status: This issue has been fixed.

Description: When an administrator selects multiple users who have each at least one authenticator instance assigned, and clicks UNASSIGN DIGIPASS in the USERS >List tab, the Administration Web Interface displays an error after processing the first user account that it cannot unassign the user. The error message is incorrect and misleading, because the authenticator and the authenticator instance have been unassigned from the first user account before the operation was canceled.

This issue only occurs in the USERS > List tab, unassigning multiple authenticator (licenses) in the DIGIPASS > List tab succeeds.

Affects: OneSpan Authentication Server Appliance 3.21–3.25

Status: This issue has been fixed.

Description: When OneSpan Authentication Server attempts back-end authentication for a user with an at sign ('@') character in the user ID, the operation behaves incorrectly if (a) the domain after the '@' does not exist and (b) a valid default domain is specified in the policy.

Consider the following example: user@invalid_domain. During user name translation, OneSpan Authentication Server correctly detects that invalid_domain is not a valid domain. In that case, it considers user@invalid_domain as the user ID and falls back to the specified default domain defined in the policy. Later, during back-end authentication, OneSpan Authentication Server splits the user ID again and uses user only as the user ID.

Affects: OneSpan Authentication Server Appliance 3.21–3.25

Status: This issue has been fixed.

Description: To prevent data loss, OneSpan Authentication Server should stop processing incoming authentication and administration requests if the replication queue exceeds the maximum size.

An issue in the error handling of the authentication operation can prevent this, further authentication requests are processed and even return success or an Access-Accept reply (in case of RADIUS).

Affects: OneSpan Authentication Server Appliance 3.21–3.25

Status: This issue has been fixed. The error handling for replication was improved for SOAP and RADIUS authentication requests.

Description: OneSpan Authentication Server includes an HTTP header in each SOAP response that identifies the service as IAS, i.e. "Server: IAS". Although this header is not a security concern by itself, it may disclose unwanted information to potential attackers.

Affects: OneSpan Authentication Server Appliance 3.21–3.25

Status: This issue has been fixed. The HTTP header was completely removed and is no longer returned in server responses.

Description: Unassigning an authenticator or moving a user account with assigned authenticators while certain other operations are in progress can corrupt the authenticator BLOB data. This issue can happen rarely, it requires another operation that changes the BLOB data, e.g. generating a virtual signature, almost concurrently as the unassign or move operation..

Affects: OneSpan Authentication Server Appliance 3.21–3.25

Status: This issue has been fixed. The update query was improved, the unassign or move operation will fail with a "Database update failed attempting to update a digipass application record" error message, but the BLOB data will remain correct.

Description: The user lock count tracks the number of consecutive unsuccessful authentication attempts. However, there are some cases where OneSpan Authentication Server Appliance incorrectly increases the user lock count due to wrong configuration or technical issues. For example, if a user attempts a push notification–based authentication, but the PNID is missing or invalid.

Affects: OneSpan Authentication Server Appliance 3.21–3.25

Status: This issue has been fixed. The user lock count only increases if a wrong OTP or password was used for an authentication or signature validation request.

Description: In some environments where more than one signature authenticator application is used, the signature validation operation may use an incorrect authenticator application to process the request and still create a valid signature.

Consider a scenario where two signature authenticator applications exist on an authenticator, SG1 that accepts exactly one data field and SG2 that accepts two data fields. Now assume that a user attempts a transaction signature validation for a business application that requires two data fields, but mistakenly selects the authenticator application that is accepting only one data field. The signature validation can still be successful, because it uses SG1 to successfully process the request (ignoring the second data field).

Affects: OneSpan Authentication Server Appliance 3.21–3.25

Status: This issue has been fixed. The data field handling when performing a signature validation was improved, any authenticator application that cannot process as many data fields as required by the request will be ignored.

Description: In environments with multiple domains, a delegated administrator with an administrative scope across multiple domains can receive an error message when attempting to reset the activation of a Mobile Authenticator Studio authenticator that is assigned to a user. A global administrator can reset the respective activation without any problems.

Affects: OneSpan Authentication Server Appliance 3.21–3.25

Status: This issue has been fixed.

Description: The audit logs in the Configuration Tool (Monitoring > Audit logs) are not displayed in the (configured) local time.

Status: This issue has been fixed.

Status: This issue has been fixed. The affected library was updated.

Status: This issue has been fixed.

Description: Some security-related issues with OneSpan Authentication Server Administration Web Interface were discovered:

• All logon failures return the same error result, thus disclosing information about the state of the built-in sysadmin user account.

• Under some circumstances, Administration Web Interface can be used to redirect to a different site.

Status: This issue has been fixed.

Status: This issue has been fixed.

Description: Chinese characters are not correctly displayed in XML and PDF reports.

Affects: OneSpan Authentication Server Appliance 3.12 and later

Status: This issue has been fixed for XML reports in OneSpan Authentication Server Appliance 3.21. The issue can still occur in PDF reports in case they contain characters that are not defined in the used PDF font. Workaround for PDF reports: Generate an HTML report and print it to PDF.

Description: The Assign DIGIPASS wizard allows you to assign authenticators to users. Although you can select multiple authenticators and multiple users, you can only assign exactly one authenticator to one user at a time. For instance, if you select two authenticators in the wizard, you need to specify two different user accounts, one user to assign each one authenticator.

Affects: OneSpan Authentication Server Appliance 3.21 and later

Status: No fix available. To assign additional authenticators to a user, you need to run the Assign DIGIPASS wizard again.

Description: The Assign DIGIPASS wizard allows you to explicitly select the authenticators to assign to multiple users (by selecting Search now to select DIGIPASS to assign in the Search DIGIPASS page). However, the Select DIGIPASS page may also show authenticators that are actually inaccessible to assign to the respective users, because they are in another domain than the users. If you select such an authenticator and continue, you will receive a "Failed to find available token for assignment." error.

This issue does not occur if you only select one user to assign an authenticator. In this case, the Select DIGIPASS page correctly shows only authenticators in the same domain as the user account.

Affects: OneSpan Authentication Server Appliance 3.21 and later

Status: No fix available. Ensure to explicitly select only authenticators that are in the same domain as the users you selected to assign an authenticator.

Description:  When the Timeshift feature of Mobile Authenticator Studio is used, it causes the offline data to become invalid. The option to set a timeshift for Mobile Authenticator Studio authenticators is no longer supported. This feature is outdated and has become obsolete because mobile devices are now correctly synchronized with OneSpan Authentication Server Appliance at shorter intervals.

Affects: OneSpan Authentication Server Appliance 3.6 and later

Status: Do not use the Mobile Authenticator Studio Timeshift feature to avoid the offline data to become invalid.

Description: OneSpan Authentication Server Appliance allows for the configuration of two RADIUS authentication ports and two RADIUS accounting ports. By default, one authentication and one accounting port is specified. If you want to edit the second ports, contact Support.

Affects: OneSpan Authentication Server Appliance 3.5 and later

Status: If a second authentication and/or a second accounting port for the RADIUS Communicator will be used, contact Support.

Description: Deployments of OneSpan Authentication Server Appliance with Thales ProtectServer HSM only support HSMs that run in Normal mode. If the HSM is run in High Availability or Workload Distribution mode, the installation of OneSpan Authentication Server Appliance fails.

Affects: OneSpan Authentication Server Appliance 3.6 and later

Status: The Thales ProtectServer HSM must be run in Normal mode, i.e. ET_PTKC_GENERAL_LIBRARY_MODE must be set to NORMAL.

Description: When trying to configure email delivery with SSL/TLS using a self-signed certificate created using Microsoft Internet Information Services (IIS) and converted to PEM format using OpenSSL, MDC cannot recognize a valid self-signed certificate and displays an error message. This is caused by the OpenSSL library. In some circumstances, the OpenSSL application itself may display an "Unable to get local issuer certificate (20)" error message.

Affects: All platforms.

Status: No fix available. This is a compatibility issue between OpenSSL and Microsoft IIS. Do not use self-signed certificates generated using Microsoft IIS.

Description: On systems that have a very high log production, you may experience problems when browsing logs with the built-in Audit Viewer. The reason is that OneSpan Authentication Server Appliance queries logs per day, and if there is a great amount of data, this can take longer than the 30-second web browser time-out.

Affects: OneSpan Authentication Server Appliance environments that produce a lot of data per day.

Status: No fix available.