Version 3.25 (January 2024)

OneSpan Authentication Server 3.25 supports the following operating systems:

Microsoft Windows

• Windows Server 2022

• Windows Server 2019

• Windows Server 2016

Linux

• CentOS 7, 64-bit (version 7.8 and later)

• Red Hat Enterprise Linux (RHEL) 8, 64-bit

• Red Hat Enterprise Linux (RHEL) 7, 64-bit (version 7.8 and later)

• Ubuntu Server 20.04 LTS, 64-bit

• Ubuntu Server 18.04 LTS, 64-bit

• MariaDB 10.11.5 (included as embedded database) [NEW]

  If you install the embedded MariaDB database, the DBeaver 23.3.0 database tool is also installed.

  OneSpan Authentication Server is fully compatible with data-at-rest encryption as provided by MariaDB.

• Oracle Database 19c

  OneSpan Authentication Server is fully compatible with Transparent Data Encryption (TDE) as provided by Oracle Database to protect data at rest (tablespace encryption).

• Microsoft SQL Server

  • Microsoft SQL Server 2019

  • Microsoft SQL Server 2017

  • Microsoft SQL Server 2016

  • Microsoft SQL Server 2014

  OneSpan Authentication Server supports the SQLServer AlwaysOn Availability Groups feature for Microsoft SQL Server versions 2019, 2017, 2016, and 2014.

  OneSpan Authentication Server is fully compatible with Transparent Data Encryption (TDE) as provided by Microsoft SQL Server to protect data at rest.

  OneSpan Authentication Server supports the following ODBC drivers:

  • Microsoft ODBC Driver 17 for SQL Server

  • Microsoft ODBC Driver 13.1 for SQL Server

  • Microsoft ODBC Driver 11 for SQL Server

The Administration Web Interface supports the following browsers:

• Google Chrome

• Mozilla Firefox

• Microsoft Edge

The Administration Web Interface supports all browser versions currently supported by the respective vendors.

The Administration Web Interface can be run on these web application servers (based on the respective JRE):

• Apache Tomcat 9.0–9.0.82 (included) [NEW]

  The included version of Apache Tomcat was updated to fix a critical security vulnerability (CVE-2023-28709).

  • Oracle Server Java Runtime Environment 11

  • Azul Zulu 11 (included)

• Open Liberty (tested with 23.0.0.3-full-java11-openj9)

• WebSphere Liberty (tested with 23.0.0.2-full-java11-openj9-ubi)

The OneSpan Authentication Server product CD contains a version of Web Administration Service adapted for Open Liberty and WebSphere Liberty for manual deployment.

Software libraries

Utilities

OneSpan Authentication Server supports direct upgrades from 3.18 or 3.24 to version 3.25 on the supported operating systems.

OneSpan Authentication Server now fully supports TLSv1.3. As a consequence, the provided cipher suite security levels have been adapted:

• TLSv1.3 is now supported on all cipher suite security levels.

• The following TLSv1.3 cipher suites were added:

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • TLS_AES_128_GCM_SHA256

• TLSv1 and TLSv1.1 are only supported on security level MEDIUM, LOW, and CUSTOM anymore.

• SSL is no longer supported.

By default, OneSpan Authentication Server audit messages are written across multiple lines in the Linux system logger (syslog) for better readability if applicable. For instance, if an audit message includes several output details, each output field is written to a new line.

You can now determine the syslog format with the Allow-Newlines option in the OneSpan Authentication Server configuration file. By default, this value is not set in the configuration file (audit messages are wrapped across multiple lines).

Description: The SSH implementation used by OneSpan Authentication Server Appliance allows remote attackers to bypass integrity checks so that a client and server can end up with a connection for which some security features have been downgraded or disabled. This issue is referred to as Terrapin attack.

For more information, refer to https://nvd.nist.gov/vuln/detail/CVE-2023-48795.

Status: This issue has been fixed.

Description: A number of vulnerabilities in the Apache Struts framework can lead to remote code execution and denial-of-service issues:

• CVE-2023-50164:

  • https://cwiki.apache.org/confluence/display/WW/S2-066

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50164

• CVE-2023-41835

  • https://cwiki.apache.org/confluence/display/WW/S2-065

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41835

• CVE-2023-34396

  • https://cwiki.apache.org/confluence/display/WW/S2-064

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34396

• CVE-2023-34149

  • https://cwiki.apache.org/confluence/display/WW/S2-063

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34149

Affects: OneSpan Authentication Server 3.18–3.24

Status: This issue has been fixed. Apache Struts has been upgraded to version 2.5.33.

Description: The default Apache Tomcat HTTP error pages for the Web Administration Service have been replaced with static error pages to mask information about the web server.

Description: The Delete Audit Data wizard and the Delete Finished Tasks wizard allow you to delete old audit data and finished tasks. In the first step of each wizard you specify the maximum age of data that you want to keep. The descriptive UI text about the data that is being kept can be misleading for some readers.

Affects: OneSpan Authentication Server 3.18–3.24

Status: This issue has been fixed. The respective UI text has been revised to be less ambiguous.

Description: In environments that use a hardware security module (HSM), an HSM key rotation can lead to authentication failures. The root cause are some HSM-related operations that use an incorrect storage key to decrypt BLOB data. During an HSM key rotation, this leads to authentication failures.

Affects: OneSpan Authentication Server 3.11–3.24 (using HSM)

Status: This issue has been fixed. The affected operations have been fixed to use the correct storage key.

Description: The Message Delivery Component (MDC) server uses separate connection pools to each gateway node to handle multiple message deliveries concurrently. If MDC cannot send an email message because the email address that is specified in the user account is invalid, it blocks the connection pool of the respective SMTP gateway node for 10 seconds. In that case, MDC returns an incorrect status that the connection is still in use.

Affects: OneSpan Authentication Server 3.18–3.24

Status: This issue has been fixed. The connection logic has been improved, and a different status is now returned by MDC in case of invalid email addresses.

Description: Under some circumstances, the OneSpan Authentication Server service is falsely identified as malware and blocked by certain antivirus applications.

Status: Third-party antivirus and antimalware software can interfere with OneSpan Authentication Server and prevent it from working correctly. To prevent issues, OneSpan Authentication Server should be added to the exclusion list of the interfering antivirus software.

The documentation was extended to include respective information.

Description: When attempting to create a new storage key with a hardware security module (HSM), Web Administration Service cannot complete the operation and displays an "Invalid key label" message.

Affects: OneSpan Authentication Server with HSM

Status: This issue has been fixed.

Description: The Message Delivery Component (MDC) service uses cURL for data transfer operations. In some cases when an error occurs, e.g. if the used certificate is invalid, the log information is too vague and suppresses useful information about the root cause of the error.

Status: This issue has been fixed. The handling of cURL-related messages has been improved to make error investigation easier without revealing security-relevant information.

Description: The default value handling of the Static Password > Not Based on User ID policy setting is incorrect. If you create a new policy based on an existing policy where Static Password > Not Based on User ID is not set, and set the policy setting to Default in the new policy, the effective policy will also be Default, which is invalid.

Affects: OneSpan Authentication Server 3.18–3.24

Status: This issue has been fixed. If the Static Password > Not Based on User ID policy setting is set neither in the applied policy nor in any of its base policies, OneSpan Authentication Server uses No as the built-in default value.

Description: Some operations, e.g. those that include authenticator searches, query the pending operation data from the database even if maker–checker authorization is disabled. Although the vdsPendingOperation table is empty in that case, it is unnecessarily included in the underlying database operations, which negatively impacts the server performance.

Affects: OneSpan Authentication Server 3.18–3.24

Status: This issue has been fixed. The affected operations have been improved to exclude pending operation data if maker–checker authorization is disabled.

Description: When you attempt to upgrade OneSpan Authentication Server on Red Hat Enterprise Linux 7.9 using the upgrade script, the platform detection logic does not work as expected. The upgrade script terminates with a "Cannot compare system major version! This operating system is not supported." message.

Affects: OneSpan Authentication Server 3.23–3.24 (on Red Hat Enterprise Linux)

Status: This issue has been fixed. The platform detection logic has been improved for all supported distributions. Furthermore, the installation script does no longer depend or require the Linux Standard Base (LSB) packages to be installed.

Description: OneSpan Authentication Server audit messages of type Warning and Error are automatically added to the Windows application event log with event ID 0. When you view the details for such event entries, the information is not correctly displayed and includes a "The description for Event ID 0 from source Identikey Server {Application} cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer." message.

Affects: OneSpan Authentication Server 3.19–3.24 (on Windows)

Status: This issue has been fixed. The event entries are now properly displayed. Furthermore, new events are logged with event ID 256.

The possibility to use Active Directory as the data store has been completely removed. You can no longer select this option for new installations or upgrade existing deployments with Active Directory as data store!

You will still be able to use Active Directory for other supported purposes, such as back-end authentication, or password and data synchronization.

If you still use AD as data store, you need to upgrade to OneSpan Authentication Server 3.24 and use Data Migration Tool 3.24 to migrate to an ODBC-based data store, before you can upgrade to OneSpan Authentication Server 3.25!