Verify Privilege Vault 11.6.000026 Release Notes

Critical security release—We require all Verify Privilege Vault installations to be updated to this release immediately or at your earliest convenience.
This release mitigates the vulnerability discussed in the Verify Privilege Vault 11.7.000001 Release Notes, so the two release notes are very similar. This is an IBM-only release.

Release Date (On-premises): April 13, 2024

We became aware of a critical vulnerability in the SOAP API which could allow an attacker to bypass authentication. The REST API was not impacted.

This update addresses the above security vulnerability and impacts all versions of Verify Privilege Vault. Hashes for the upgrade have been updated for this change.

Details are available on the Delinea Trust Center. Please register and subscribe to get future updates directly to your inbox.

The direct link to the topic is Verify Privilege Vault Vulnerability.

Remediation

If your Verify Privilege Vault instance is exposed to the public internet, you are at significant risk and you should perform these steps immediately.

  1. Use the Remediation Guide to modify the Verify Privilege Vault implementation to mitigate the vulnerability.

  2. As a precautionary measure, rotate your passwords often until mitigation is in place.

  3. Use the Remediation Guide to examine audit histories for any evidence of exploitation.

  4. Use the 11.6.26 release to patch all systems.

The support team is available to guide your team through these steps and answer any questions from you or your team.

Delinea Platform and Verify Privilege Vault Cloud

Delinea Platform and Verify Privilege Vault Cloud have been patched and are no longer vulnerable.

Step Upgrade Process

  • A Step Upgrade is required from versions prior to 11.5.2 (11.5.000002) before you can upgrade to 11.7.6 (11.7.000006).

  • The automatic downloads in the product will get the right versions for the step upgrade and then allow the 11.7.000006 upgrade.

  • If you are offline and using the file upload method, upgrades from versions prior to 11.5.2 fail with the error message, "Integrity Check failed - Security Catalog is signed by thumbprint that is not specifically trusted." The remedy is to first upgrade to 11.5.000002 (or 11.5.000003) and then do the upgrade to 11.7.000006.

For instructions on upgrading in general, go to Verify Privilege Vault Upgrade Overview.

If You Can’t Upgrade to 11.6.26

If you are on an older version of Verify Privilege Vault and you cannot upgrade to the latest version, please contact our support team for assistance and guidance.