Verify Privilege Vault 11.6.000004 Release Notes
On-premises: February 02, 2024
Important security release—we recommend all affected Verify Privilege Vault On-Premise customers upgrade as soon as possible. This update addresses a security vulnerability recently discovered during internal testing and impacts all versions of Verify Privilege Vault. A SQL Injection vulnerability was found in the REST API. Hashes for upgrade have been updated for this change. This issue is rated HIGH with a score of 7.2 on the Common Vulnerability Scoring System (CVSS): CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Notification: Due to Java’s security flaws and availability of the Verify Privilege Vault SDK, we will no longer support the Verify Privilege Vault Java API.
If you are using the Verify Privilege Vault Java API, please consider transitioning to the Verify Privilege Vault SDK.
The Verify Privilege Vault SDK replaces and improves upon the existing functionality of the Java API and .NET/Application API.
Users can leverage this SDK to tokenize credentials in scripts and configuration files for .NET web applications.
The SDK can also call for a REST Web Services authentication token for added functionality.
Finally, the SDK has a local encrypted cache for every location it is installed in to allow for quicker transit times and resiliency in case communication with Verify Privilege Vault is lost.
Please contact support if you have any questions.
If you are using the Verify Privilege Vault Java API, please consider transitioning to the Verify Privilege Vault SDK.
The Verify Privilege Vault SDK replaces and improves upon the existing functionality of the Java API and .NET/Application API.
Users can leverage this SDK to tokenize credentials in scripts and configuration files for .NET web applications.
The SDK can also call for a REST Web Services authentication token for added functionality.
Finally, the SDK has a local encrypted cache for every location it is installed in to allow for quicker transit times and resiliency in case communication with Verify Privilege Vault is lost.
Please contact support if you have any questions.
This vulnerability has been patched in Verify Privilege Vault Cloud, so there is no additional update to address it.
The minimum required engine version is 8.3.0.0.
Step Upgrade Required (11.5.2). Versions prior to 11.5.2 need to first upgrade to 11.5.2. The automatic downloads in the product will get the right versions for the step upgrade and then allow the 11.6 upgrade. But if offline and using the file upload method, versions prior to 11.5.2 will get an error message saying, "Integrity Check failed - Security Catalog is signed by thumbprint that is not specifically trusted." The remedy is to first upgrade to 11.5.2 and then do the upgrade to 11.6.4.
For instructions on upgrading in general, go to Upgrading.