Security Fix
A vulnerability (CVE-2023-48795) in OpenSSH, which could have potentially led to unauthorized access and data manipulation, has been mitigated through the update of third-party jars.
Note: Access Manager Plus users are strongly recommended to verify and update the installations of OpenSSH servers, OpenSSH clients, and SSH tools such as PuTTY to the latest versions for enhanced security.
Enhancement
We have introduced a new custom role operation named 'View Connections' in the 'Connection Management' section. A user role created with only this operation lets its assigned users use shared connections from the 'Connections' tab, but not modify those shared connections or create new connections.
Security Fix
A security issue (CVE-2023-6105) that could have exposed sensitive information to low-privileged OS users with access to the host, owing to improperly configured installation directory permissions, has been identified and resolved.
Security Fixes
Enhancements
SMTP - OAuth
Access Manager Plus now supports OAuth 2.0 authentication, an open-standard authorization protocol, for SMTP-based email communications, providing a secure channel for outbound emails from Access Manager Plus. Users can configure Microsoft Exchange Online as the authorization mail server through which Access Manager Plus sends email notifications. After the mail server is configured, Access Manager Plus validates the connection with Microsoft Exchange Online using the Tenant ID, Client ID, and Client Secret value taken from the Microsoft Azure portal. This validation eliminates the need for users to provide Access Manager Plus credentials to authenticate the notification emails.
Navigate to 'Product Administration >> Server Settings >> Mail Server' to configure OAuth 2.0 authentication for all emails sent from Access Manager Plus.
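The exchange behind this feature is the OAuth 2.0 client-credentials flow followed by SASL XOAUTH2 on the SMTP session. The following Python is an added illustration, not Access Manager Plus code: it builds the token request that an application sends to the Microsoft identity platform with its Tenant ID, Client ID and Client Secret, parses the token response, and forms the XOAUTH2 initial response that replaces a username/password on the SMTP AUTH command. The token endpoint and the `https://outlook.office365.com/.default` scope are taken from Microsoft's published documentation for SMTP AUTH with Exchange Online; all identifiers, the secret, the sender address and the sample token response are constructed placeholders, and no network call is made.

```python
import base64
import json
import urllib.parse

# Constructed placeholders standing in for the values copied from the Azure portal
# (assumption: these are not real tenant or application identifiers).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_SECRET = "example-client-secret"
SENDER = "amp-notifications@example.com"

# Scope used for SMTP AUTH against Exchange Online (from Microsoft docs).
SMTP_SCOPE = "https://outlook.office365.com/.default"


def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials token request for the v2.0 token endpoint.

    Returns (url, form_body). The body is application/x-www-form-urlencoded;
    the secret travels only in the POST body over TLS, never in the URL.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SMTP_SCOPE,
    })
    return url, body


def validate_token_response(body_json):
    """Parse the token endpoint reply and return the bearer access token.

    Raises ValueError for an error reply or a malformed success reply, so a
    misconfigured Tenant ID / Client ID / Client Secret fails loudly during
    the connection validation step instead of producing a broken AUTH later.
    """
    data = json.loads(body_json)
    if "error" in data:
        raise ValueError(f"token request failed: {data['error']}: "
                         f"{data.get('error_description', '')}")
    if data.get("token_type") != "Bearer" or not data.get("access_token"):
        raise ValueError("token response lacks a Bearer access_token")
    return data["access_token"]


def xoauth2_initial_response(user, access_token):
    """SASL XOAUTH2 initial client response as sent on 'AUTH XOAUTH2 <resp>'.

    Wire format: base64("user=" + user + "\\x01auth=Bearer " + token + "\\x01\\x01").
    """
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()
    return base64.b64encode(raw).decode()


def decode_xoauth2(initial_response):
    """Reverse of xoauth2_initial_response; returns (user, access_token).

    Handy when inspecting a captured SMTP session or a debug log.
    """
    raw = base64.b64decode(initial_response).decode()
    fields = dict(part.split("=", 1) for part in raw.strip("\x01").split("\x01"))
    scheme, token = fields["auth"].split(" ", 1)
    if scheme != "Bearer":
        raise ValueError(f"unexpected auth scheme {scheme!r}")
    return fields["user"], token


def smtp_auth_command(user, access_token):
    """The exact SMTP command line the mail client sends after STARTTLS."""
    return f"AUTH XOAUTH2 {xoauth2_initial_response(user, access_token)}"


if __name__ == "__main__":
    url, body = token_request(TENANT_ID, CLIENT_ID, CLIENT_SECRET)
    print("POST", url)
    print(body)
    # Constructed sample of a successful token reply (not captured from Azure).
    sample_reply = json.dumps({"token_type": "Bearer", "expires_in": 3599,
                               "access_token": "eyJ.constructed.token"})
    token = validate_token_response(sample_reply)
    print(smtp_auth_command(SENDER, token))
```

With a real token, `smtplib.SMTP.docmd("AUTH", "XOAUTH2 " + initial_response)` sends the command shown above after `starttls()`; the server answers `235` on success or a `334` challenge carrying a base64 JSON error when the token is rejected.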
Security Notification
The Access Manager Plus web console will display an in-product notification after each security release reminding the administrators to upgrade the product.
Bug Fix
Previously, all Access Manager Plus installations had the same password for the bundled PostgreSQL database (CVE-2023-2291). From now on, a unique database password will be generated for each Access Manager Plus installation to bolster its security.
Security Fix
A SQL injection vulnerability (CVE-2022-47523) found in our internal framework, which, if unattended, would have allowed the Access Manager Plus users to access the backend database, has been fixed.
We have upgraded a third-party library in Access Manager Plus.
Miscellaneous bug fixes and enhancements are included.
Upgrade
The Apache Commons Text jar has been upgraded from version 1.8 to 1.10.0.
Security Fix
We have fixed a few SQL injection vulnerabilities (CVE-2022-43672, CVE-2022-43671) that appeared due to improper user input validation.
Bug Fixes
Security Fix
Several SQL injection vulnerabilities (CVE-2022-40300) that appeared in the Search operation due to improper user input validation have been fixed.
Enhancements
Product Behavior Change
As of this version, we are officially discontinuing support for Microsoft NTLM Single Sign-on (SSO) as an authentication method in Access Manager Plus. Though NTLM SSO may still function in older versions of Access Manager Plus, we highly recommend switching to an alternative authentication method such as SAML SSO, which we will continue to support.
Security Fix
Security Fix
An authentication bypass vulnerability (CVE-2022-29081), reported by Evan Grant and affecting ManageEngine Access Manager Plus versions up to 4301, has been fixed. It occurred due to an improper URI check that allowed an adversary to bypass security checks in seven REST API URLs, gain unauthorized access to the application, and invoke the following operations:
Upgrade
Apache Log4j has been upgraded from version 1.2.8 to 2.17.2.
Bug Fix
From build 4300, users could not launch RDP connections if the 'Reason' field contained special characters such as '#'. This has been fixed.
Feature
HTTPS Connection:
Access Manager Plus now supports adding HTTPS-based web links as a connection type. From now on, admins and users can launch secure HTTPS-based connections to local web pages or to websites in demilitarized zones and access them directly from the Access Manager Plus interface, with Access Manager Plus acting as a proxy server. Additionally, the connection status and details are recorded in the connection audit.
Enhancements
Behavior Changes
Note: If your current Ticketing System is ServiceDesk Plus On-Premises or ServiceDesk Plus Cloud, this upgrade pack will disable the integration and delete all integration data. You will have to reconfigure the ticketing system afterwards, so take screenshots of the advanced configurations for reference before upgrading.
Security Fix
From Access Manager Plus build 4202 onwards, standard users could delete saved session recording files, which is an admin-only operation. This issue has been fixed now.
Security Fix
An authentication bypass vulnerability (CVE-2021-44676) that allowed an adversary to gain unauthorized access to the application and invoke actions through specific application URLs has been fixed. It affects ManageEngine Access Manager Plus versions up to 4202.
Bug Fixes
Security Fixes
Bug Fixes
Enhancement
Customizable Access Control Settings
From build 4200 onwards, Access Manager Plus allows users to apply customized configuration settings for the connection access control feature. This enhancement comes with options that help users efficiently manage the request-release workflow for the connections.
A few of the customizable options that can be availed include:
Enhancements
This release comes with improved security checks for Cross-Site Request Forgery (CSRF) and HTTP request methods.
Enhancements
Earlier, all connections added to Access Manager Plus were shared connections by default and were accessible to all users. Now, users can mark their connections as either 'Shared' or 'Owned', where 'Owned' connections are private and accessible only to the connection owners. Options are available under 'General Settings' for administrators to globally enable or disable session recording for Owned connections and to switch Access Manager Plus to Shared or Owned mode at their discretion. Additionally, a bulk 'Edit Connections' option has been added, which allows connection owners alone to enable or disable the 'Shared connection' and 'Access Control' options.
The PostgreSQL server used in Access Manager Plus has been upgraded to version 9.5.21.