Verify Privilege Vault 11.6.000026 GA Release Notes
On-premises: April 16, 2024
We require all Verify Privilege Vault installations to be updated to this release immediately or at your earliest convenience.
We became aware of a critical vulnerability in the SOAP API which could allow an attacker to bypass authentication. The REST API was not impacted.
This update addresses the above security vulnerability and impacts all versions of Verify Privilege Vault. Hashes for the upgrade have been updated for this change.
Details are available in the Verify Privilege Vault SOAP vulnerability remediation support note.
Remediation
- If your Verify Privilege Vault instance is exposed to the public internet, you are at significant risk. Contact the support team to guide your team through the remediation steps and answer any questions from you or your team.
- As a precautionary measure, rotate your passwords often until mitigation is in place.
- As soon as the patch is available, patch all systems.
Step Upgrade Process
- A Step Upgrade is required from versions prior to 11.5.2 (11.5.000002) before you can upgrade to 11.6.000026.
- The automatic downloads in the product will get the right versions for the step upgrade and then allow the 11.6.000026 upgrade.
- If offline and using the file upload method, versions prior to 11.5.2 will get an error message saying, “Integrity Check failed - Security Catalog is signed by thumbprint that is not specifically trusted.” The remedy is to first upgrade to 11.5.000002 (or 11.5.000003) and then do the upgrade to 11.6.000026.
For instructions on upgrading in general, see Upgrading Verify Privilege Vault.
If you are on an older version of Verify Privilege Vault and you cannot upgrade to the latest version, please contact our support team for assistance and guidance.