Verify Privilege Vault: 11.5.000003 Release Notes

On-Premises: April 23, 2024

Critical security release: We require all Verify Privilege Vault 11.5.000002 installations to be updated to this release or 11.6.000026 immediately or at your earliest convenience.

We became aware of a critical vulnerability in the SOAP API which could allow an attacker to bypass authentication. The REST API was not impacted.

This update addresses the above security vulnerability and impacts all versions of Verify Privilege Vault. Hashes for upgrade have been updated for this change.

Details are available in the Verify Privilege Vault SOAP vulnerability remediation support note.

Remediation

  • If your Verify Privilege Vault instance is exposed to the public internet, you are at significant risk. Contact the support team to guide your team through the remediation steps and answer any questions from you or your team.

  • As a precautionary measure, rotate your passwords often until mitigation is in place.

  • As soon as the patch is available, patch all systems.

Step Upgrade Process

  • A Step Upgrade is required from versions prior to 11.5.000002 before you can upgrade to 11.5.000003 or 11.6.000026.

  • The automatic downloads in the product will get the right versions for the step upgrade and then allow the upgrade.

  • If offline and using the file upload method, versions prior to 11.5.2 will get an error message saying, “Integrity Check failed - Security Catalog is signed by thumbprint that is not specifically trusted.” The remedy is to first upgrade to 11.5.000002 and then upgrade to 11.5.000003 or 11.6.000026.
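The step-upgrade rule above can be applied across an inventory of instances before scheduling offline upgrades. The following is an added example, not vendor code: the function names, host names and sample inventory are hypothetical, and any starting version the note does not describe is flagged for review rather than guessed at.

```python
# Added example: upgrade-path triage for the step-upgrade rule in this note.
STEP = (11, 5, 2)  # 11.5.000002, the required intermediate release
FIXED = {(11, 5, 3), (11, 6, 26)}  # 11.5.000003 and 11.6.000026
TARGET = "11.5.000003 or 11.6.000026"


def parse_version(text):
    """Parse '11.5.000002' or the short form '11.5.2' into (11, 5, 2)."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def upgrade_path(installed):
    """Ordered list of releases to install; empty when already on a fixed release."""
    v = parse_version(installed)
    if v in FIXED:
        return []
    if v < STEP:
        # Offline uploads from these versions fail the integrity check
        # unless 11.5.000002 is installed first.
        return ["11.5.000002", TARGET]
    if v == STEP:
        return [TARGET]
    # The note does not describe any other starting version.
    raise ValueError(f"{installed}: not covered by this release note")


def triage(inventory):
    """Map each host to its upgrade path, or to an error string for review."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = upgrade_path(version)
        except ValueError as exc:
            report[host] = f"REVIEW: {exc}"
    return report


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "vault-a": "11.5.000002",
    "vault-b": "11.3.000003",
    "vault-c": "11.5.3",
    "vault-d": "unknown",
}

if __name__ == "__main__":
    for host, result in triage(SAMPLE_INVENTORY).items():
        print(host, "->", result)
```

Hosts reported with a two-entry path are the ones that will hit the "Integrity Check failed" error if the final package is uploaded directly.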

For instructions on upgrading in general, go to Upgrading.

If you are on an older version of Verify Privilege Vault and you cannot upgrade to the latest version, please contact our support team for assistance and guidance.