We have introduced a new custom role operation named 'View Connections' in the 'Connection Management' section. A user role that has only this operation permits its assigned users to use shared connections from the 'Connections' tab, but not to modify shared connections or create new connections.
A security issue (CVE-2023-6105) has been discovered and resolved: improperly configured installation directory permissions could have inadvertently exposed sensitive information to low-privileged OS users with access to the host.
SMTP - OAuth
Access Manager Plus now supports OAuth 2.0 authentication, an open-standard authorization protocol, for SMTP-based email communications, providing a secure channel for outbound emails from Access Manager Plus. Users can configure Microsoft Exchange Online as the authorization mail server through which Access Manager Plus sends email notifications. After the mail server is configured, Access Manager Plus validates the connection with Microsoft Exchange Online using the Tenant ID, Client ID, and Client Secret value taken from the Microsoft Azure portal. This validation eliminates the need for users to provide Access Manager Plus credentials to authenticate the notification emails.
Navigate to 'Product Administration >> Server Settings >> Mail Server' to configure OAuth 2.0 authentication for all emails sent from Access Manager Plus.
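The flow described above, as an added example that is not part of the release notes or the product's own code: the Tenant ID, Client ID and Client Secret are exchanged for an access token, and it is that token, not the secret and not any product password, that is presented to the SMTP server in the SASL XOAUTH2 initial response. The token endpoint and scope are the standard Microsoft identity platform values for the client-credentials flow (an assumption from Microsoft's documentation, not from this page); all IDs, the secret and the token value are constructed placeholders.

```python
import base64
import urllib.parse

# Constructed placeholders standing in for the values copied from the Azure portal.
TENANT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # placeholder
CLIENT_SECRET = "placeholder-client-secret"          # placeholder
SENDER = "amp-notifications@example.com"             # constructed sending mailbox

# Standard Microsoft identity platform endpoint and SMTP scope for the
# client-credentials flow (assumption from Microsoft docs, not from the page).
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
SMTP_SCOPE = "https://outlook.office365.com/.default"


def build_token_request(client_id, client_secret, scope=SMTP_SCOPE):
    """Return the form-encoded body POSTed to TOKEN_URL to obtain an access token.

    The client secret travels only to the identity provider over TLS; it is
    never sent to the mail server."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })


def xoauth2_initial_response(user, access_token):
    """Build the base64 SASL XOAUTH2 initial client response used with 'AUTH XOAUTH2'.

    Wire format: "user=<mailbox>\\x01auth=Bearer <token>\\x01\\x01"."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_xoauth2(initial_response):
    """Decode a SASL XOAUTH2 string back to its plain form (used by the check below)."""
    return base64.b64decode(initial_response).decode("utf-8")


def secret_leaks_to_smtp(client_secret, initial_response):
    """True if the client secret itself appears in what is sent to the SMTP server."""
    return client_secret in decode_xoauth2(initial_response)


if __name__ == "__main__":
    body = build_token_request(CLIENT_ID, CLIENT_SECRET)
    print("POST", TOKEN_URL)
    print(body)
    # Constructed stand-in for the access_token field of the token response.
    token = "eyJ.constructed.access.token"
    sasl = xoauth2_initial_response(SENDER, token)
    print("AUTH XOAUTH2", sasl)
    print("secret leaks to SMTP:", secret_leaks_to_smtp(CLIENT_SECRET, sasl))
```

With the standard library, the un-encoded string returned by the f-expression inside `xoauth2_initial_response` is what `smtplib.SMTP.auth("XOAUTH2", authobject)` expects its `authobject` callback to return; `smtplib` performs the base64 encoding itself, so do not pass the already-encoded value there.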
The Access Manager Plus web console will display an in-product notification after each security release reminding the administrators to upgrade the product.
Previously, all Access Manager Plus installations had the same password for the bundled PostgreSQL database. From now on, a unique database password will be generated for each Access Manager Plus installation to bolster its security.
A SQL injection vulnerability (CVE-2022-47523) found in our internal framework, which, if left unaddressed, would have allowed Access Manager Plus users to access the backend database, has been fixed.
We have upgraded a third-party library in Access Manager Plus.
Some bug fixes and enhancements have been done.
The Apache Commons Text jar has been upgraded from version 1.8 to 1.10.0.
We have fixed a few SQL injection vulnerabilities (CVE-2022-43672, CVE-2022-43671) that appeared due to improper user input validation.
Several SQL injection vulnerabilities (CVE-2022-40300) that appeared in the Search operation due to improper user input validation have been fixed.
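The class of defect named in the three SQL injection entries above (CVE-2022-47523, CVE-2022-43672, CVE-2022-43671, CVE-2022-40300), shown as an added example that is not the product's code and says nothing about where the actual flaws were: a search over a constructed in-memory SQLite table, once built by string concatenation and once with a bound parameter plus escaping of the LIKE wildcards. The table, column names and rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample table of connection names, as a stand-in for a real backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE connections (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO connections (name, owner) VALUES (?, ?)",
        [("prod-db", "alice"), ("web-01", "bob"), ("hr-fileshare", "carol")],
    )
    return conn


def search_vulnerable(conn, term):
    """Vulnerable form: the search term is pasted into the SQL text, so any quote
    or comment sequence in it changes the query's structure."""
    sql = "SELECT name FROM connections WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, term):
    """Hardened form: the term is passed as a bound parameter, so it can only ever
    be data. The LIKE wildcards are escaped too, so a user cannot widen the match
    beyond a literal substring search."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT name FROM connections WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]


if __name__ == "__main__":
    conn = make_db()
    crafted = "' OR 1=1 --"   # constructed input that is not a connection name
    print("vulnerable, normal term:", search_vulnerable(conn, "web"))
    print("vulnerable, crafted term:", search_vulnerable(conn, crafted))   # every row
    print("fixed, normal term:     ", search_fixed(conn, "web"))
    print("fixed, crafted term:    ", search_fixed(conn, crafted))         # nothing
```

The fix is the bound parameter; the wildcard escaping is a separate, smaller point that keeps a plain `%` from matching every row, which matters for a search endpoint that returns records the caller would otherwise not be shown.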
Product Behavior Change
As of this version, we are officially discontinuing support for Microsoft NTLM Single Sign-on (SSO) as an authentication method in Access Manager Plus. Though NTLM SSO may still function in older versions of Access Manager Plus, we highly recommend switching to an alternative authentication method such as SAML SSO, which we will continue to support.
An authentication bypass vulnerability (CVE-2022-29081), reported by Evan Grant and affecting ManageEngine Access Manager Plus versions up to 4301, has been fixed. It occurred due to an improper URI check that allowed an adversary to bypass security checks in seven REST API URLs, gain unauthorized access to the application, and invoke the following operations:
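The general pattern behind an "improper URI check", as an added example that is not the product's code and does not describe the actual CVE-2022-29081 flaw (the page does not detail it): an authentication filter that decides whether a request path is public by prefix-matching the raw path, beside one that canonicalizes the path first and then requires an exact match against a deny-by-default allowlist. The allowlisted paths are hypothetical.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical endpoints reachable without a session; not the product's real list.
PUBLIC_PATHS = {"/RestAPI/Login", "/RestAPI/Health"}


def canonicalize(path):
    """Reduce a request path to the single form the authorization decision is made on.

    Steps: percent-decode twice (catches double encoding), drop query, fragment and
    ';' path parameters, collapse repeated slashes and resolve '.' / '..' segments."""
    decoded = unquote(unquote(path))
    decoded = decoded.split("?", 1)[0].split("#", 1)[0]
    decoded = decoded.split(";", 1)[0]
    return posixpath.normpath("/" + decoded.lstrip("/"))


def naive_requires_auth(path):
    """Weak check: prefix match on the raw path. Anything that begins with a public
    prefix is treated as public, whatever it resolves to."""
    return not any(path.startswith(p) for p in PUBLIC_PATHS)


def requires_auth(path):
    """Hardened check: canonicalize, then exact match; everything else needs a session."""
    return canonicalize(path) not in PUBLIC_PATHS


if __name__ == "__main__":
    # Constructed request paths, each shown with both decisions.
    samples = [
        "/RestAPI/Login",
        "/RestAPI/Login/",
        "//RestAPI//Health",
        "/RestAPI/Login/../Admin",
        "/RestAPI/%252e%252e/Admin",
        "/RestAPI/Admin;jsessionid=constructed",
    ]
    for p in samples:
        print(f"{p:45} canonical={canonicalize(p):22} "
              f"naive_auth={naive_requires_auth(p)!s:5} fixed_auth={requires_auth(p)}")
```

The decision has to be made on the same canonical form that the servlet container or router will use to dispatch the request; if the container is case-insensitive on Windows or strips path parameters differently, the canonicalizer must mirror that, or better, the check should run on the container's already-resolved servlet path rather than on the raw URI.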
Apache Log4j has been upgraded from version 1.2.8 to 2.17.2.
From build 4300, users could not launch RDP connections if the 'Reason' field contained special characters such as '#'.
Access Manager Plus now supports adding HTTPS-based web links as a connection type. From now on, admins and users can launch secure HTTPS-based connections to local web pages or to websites in demilitarized zones and access them directly from the Access Manager Plus interface, with Access Manager Plus acting as a proxy server. Additionally, the connection status and details are recorded in the connection audit.
Note: If your current Ticketing System is ServiceDesk Plus On-Premises or ServiceDesk Plus Cloud, this upgrade pack will disable the integration and delete the complete integration data. You will have to reconfigure the ticketing system again. So, make sure you have a backup of the advanced configurations in the form of screenshots for reference purposes.
From Access Manager Plus build 4202 onwards, standard users could delete saved session recording files, which is an admin-only operation. This issue has now been fixed.
An authentication bypass vulnerability (CVE-2021-44676) that allowed an adversary to gain unauthorized access to the application and invoke actions through specific application URLs has been fixed. It affects ManageEngine Access Manager Plus versions up to 4202.
Customizable Access Control Settings
From build 4200 onwards, Access Manager Plus allows users to apply customized configuration settings for the connection access control feature. This enhancement comes with options that help users efficiently manage the request-release workflow for the connections.
A few of the customizable options that can be availed include:
This release comes with improved security checks for Cross-Site Request Forgery (CSRF) and HTTP request methods.
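What checks of that kind look like, as an added example that is not the product's code: a request gate that enforces an HTTP method allowlist, refuses to perform a state change over a safe method such as GET, rejects requests from an unexpected Origin, and requires a per-session synchronizer token on every state-changing request. The session ID, server key, header names and allowed origin are constructed for the example.

```python
import hashlib
import hmac

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
ALLOWED_METHODS = SAFE_METHODS | {"POST", "PUT", "DELETE"}
ALLOWED_ORIGINS = {"https://amp.example.com"}   # constructed deployment origin


def issue_csrf_token(session_id, server_key):
    """Per-session synchronizer token: an HMAC over the session ID with a server-side
    key, so another origin cannot compute it and it is bound to one session."""
    return hmac.new(server_key, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def check_request(method, headers, form, session_id, server_key, mutates):
    """Gate a request. `mutates` says whether the target operation changes state.

    Returns (allowed, reason)."""
    method = method.upper()
    if method not in ALLOWED_METHODS:
        return False, "method not allowed"
    if not mutates:
        if method in SAFE_METHODS:
            return True, "read-only request"
        return False, "read-only endpoint called with an unsafe method"
    if method in SAFE_METHODS:
        # A state change reachable by GET can be triggered by an <img> or a link.
        return False, "state-changing operation must not use a safe method"
    origin = headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "cross-origin request rejected"
    expected = issue_csrf_token(session_id, server_key)
    supplied = headers.get("X-CSRF-Token") or form.get("csrf_token") or ""
    if not hmac.compare_digest(supplied, expected):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-server-side-key"
    sid = "sess-1"   # constructed session ID
    token = issue_csrf_token(sid, key)
    cases = [
        ("GET", {}, {}, False),
        ("POST", {}, {}, True),
        ("POST", {"X-CSRF-Token": token}, {}, True),
        ("POST", {"Origin": "https://attacker.example", "X-CSRF-Token": token}, {}, True),
        ("GET", {"X-CSRF-Token": token}, {}, True),
        ("TRACE", {}, {}, False),
    ]
    for method, headers, form, mutates in cases:
        print(method, mutates, check_request(method, headers, form, sid, key, mutates))
```

The token is compared with `hmac.compare_digest` rather than `==` so that the comparison time does not depend on how many leading bytes match; the Origin check is a second, independent signal and is skipped only when the browser sends no Origin header at all.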
Earlier, all connections added to Access Manager Plus were shared connections by default and were accessible to all users. Now, users can make their connections either 'Shared' or 'Owned', where 'Owned' connections are private and accessible only to the connection owners. Options are available under 'General Settings' for administrators to globally enable or disable session recording for Owned connections and to switch Access Manager Plus between Shared and Owned mode at their discretion. Additionally, a bulk 'Edit Connections' option has been added, which allows connection owners alone to enable or disable the 'Shared connection' and 'Access Control' options.
The PostgreSQL server used in Access Manager Plus has been upgraded to version 9.5.21.