Enhancement
PAM360 now supports OAuth 2.0 authentication for SMTP-based email communications using Microsoft Exchange Online to provide a secure channel for the outbound emails from PAM360. Users can configure Microsoft Exchange Online as the mail server through which PAM360 sends email notifications. During the setup, PAM360 verifies the connection with Microsoft Exchange Online using the Tenant ID, Client ID, and Client Secret value taken from the Microsoft Azure portal. This mechanism eliminates the need for users to provide account credentials to authenticate the notification emails. Users can choose Microsoft Exchange Online under 'Admin >> Settings >> Mail Server Settings' to activate OAuth 2.0 authentication for all emails sent from PAM360.
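The exchange behind this kind of setup, as an added example that is not PAM360's own code: it assumes the standard OAuth 2.0 client-credentials grant against the Microsoft identity platform and the SMTP XOAUTH2 mechanism, which the release note does not spell out. All identifiers below are constructed placeholders, and nothing is sent over the network.

```python
import base64
from urllib.parse import urlencode

# Microsoft identity platform v2.0 token endpoint and the Exchange Online
# resource scope used with the client-credentials grant.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SCOPE = "https://outlook.office365.com/.default"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for an OAuth 2.0 client-credentials request."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # still a secret: store it like a password
        "scope": SCOPE,
    }
    return TOKEN_URL.format(tenant=tenant_id), urlencode(form)


def extract_access_token(response):
    """Validate a decoded token response and return the bearer token."""
    if "error" in response:
        raise ValueError(f"token request failed: {response['error']}")
    if response.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    if int(response.get("expires_in", 0)) <= 0:
        raise ValueError("token already expired")
    return response["access_token"]


def xoauth2_argument(mailbox, access_token):
    """Build the base64 argument for the SMTP 'AUTH XOAUTH2' command."""
    raw = f"user={mailbox}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("ascii")).decode("ascii")


if __name__ == "__main__":
    # Constructed placeholder values, not real identifiers.
    url, body = build_token_request("TENANT-ID", "CLIENT-ID", "CLIENT-SECRET")
    token = extract_access_token(
        {"token_type": "Bearer", "expires_in": 3599, "access_token": "TOKEN"}
    )
    print(url)
    print("AUTH XOAUTH2", xoauth2_argument("notify@example.com", token))
```

The mailbox password never appears in the exchange, but the Client Secret takes its place as the credential to protect and rotate.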
Security Fix
A SQL injection vulnerability (CVE-2022-47523) in our internal framework, which would have allowed all PAM360 users to access the backend database, has been addressed and fixed.
New Features
Enhancements
Upgrade
The internal security framework has been upgraded to the latest version to reduce the occurrence of vulnerabilities and bolster overall security.
Bug Fixes
A third-party library has been upgraded in PAM360.
Some bug fixes and enhancements have been done.
Upgrade
The Apache Commons Text jar has been upgraded from version 1.8 to 1.10.0.
Security Fixes
Bug Fix
Earlier, the Search function failed to work when multiple text filters were added. This issue has been fixed.
Behavior Change
PAM360 will no longer support both the 32-bit and 64-bit versions of the C++ agent for Windows and Windows Domain systems and the C agent for Linux. The C and C++ agents will still be functional in the older versions of PAM360 past this date. However, we highly recommend using the C# agent for Windows and Windows Domain machines and the Go agent for Linux machines, as they come with additional features, such as password reset listeners, dynamic account filtering, and self-service privilege elevation in Windows. Refer to the forum post to learn more about the end of support announcement.
Enhancements
Bug Fixes
New Feature
To provide uninterrupted access to passwords, we have introduced another functionality - the Read-Only (RO) server for the PostgreSQL database. Unlike High Availability, which has one Primary server and one Secondary server, multiple Read-Only servers can be configured. The Read-Only servers function as mirror servers, synchronizing all of the Primary server's operations. In the event of a Primary server failure, administrators can convert any Read-Only server into the Primary server and reconfigure all other Read-Only servers to point to the new Primary server. Read-Only servers can be configured from 'Admin >> Configurations >> Read-Only Server'.
New Feature
PAM360 Remote Connect - a Native Desktop Client for Remote Access
Introducing PAM360 Remote Connect—an independent desktop client for Windows, designed to
facilitate direct remote access to Windows and SSH-based target resources without the need for multiple
remote clients or web browsers. PAM360 Remote Connect harnesses the ability of Windows' native Remote
Desktop client and the SSH Putty client to launch RDP and SSH-based connections from a centralized
console. The lightweight desktop client directly leverages the PAM360 web application's privilege access
governance to regulate remote access to the critical assets in your environment. It offers enhanced ease
of use and a superior user experience with its faster and smoother RDP and SSH-based remote connections.
Besides, it has auditing capabilities—the session audit trails are recorded in PAM360's web
application. PAM360 Remote Connect is compatible with PAM360 build 5600 and above. To learn more and to
download PAM360 Remote Connect, click here.
Bug Fixes
From build 5500 onwards, administrators were unable to delete a user profile if the user had created any type of resource discovery task. Also, if the user owned a discovery schedule, administrators were unable to transfer the schedule ownership to another user from 'Discovery >> Schedule.'
Security Fix
We identified several SQL injection vulnerabilities in the Search and Resource Group export operations that were caused by improper user input validation. These issues have been fixed.
Enhancement
Integration with Entrust nShield Hardware Security Module (HSM)
PAM360 now offers a new data encryption method—Entrust nShield HSM. Through this integration,
users can switch from PAM360's native encryption method to Entrust nShield's hardware-based data
encryption for the privileged identities and the personal passwords stored in PAM360. Users can secure
their data encryption key within the HSM to safeguard it locally in their environment.
Bug Fixes
Enhancements
New Feature
Folders
We have introduced a new feature - Folders in PAM360, which allows users to organize the resource accounts stored in PAM360 under various custom folders. The 'Folders' option is available for the Resources and Connections tabs. Administrators can enable or disable the 'Folders' option from 'Admin >> Settings >> General Settings >> Miscellaneous'. This system of organizing the accounts based on personal preferences will allow users to manage them effortlessly.
Bug Fix
In Linux, when users tried to discover accounts using a root user account when direct login access is disabled, the account discovery failed. This issue has been fixed.
New Feature
Integrating with a new Ticketing System: BMC Helix Remedyforce
PAM360 now integrates with the BMC Helix Remedyforce. This integration ensures automatic validation of
service requests related to privileged access. Through this integration, administrators can mandate
users to provide valid ticket IDs to gain authorized access to privileged passwords. The integration
helps in granting approvals to access requests through automatic validation of the corresponding service
requests in the ticketing system.
Enhancement
Two new fields - PAM360 User Full Name and PAM360 User Email Id have been added to the 'Column Name' drop-down under 'Ticketing System >> Advanced configurations'. This will allow administrators to configure the ticketing system to validate tickets based on User Full Name and Email Id.
Behavior Change
Bug Fix
From build 5500, elevation of applications using Self-Service Privilege Elevation failed due to an invalid response from the PAM360 server. The issue has been fixed.
Enhancements
The Connection tab comes with the following improvements:
Security Fixes
New Feature
PAM360 now supports creating schedules for automatically discovering new privileged accounts during Linux, Network Devices, and VMware discovery.
Enhancements
New Query Reports:
Bug Fix
From build 5400, administrators were unable to import users through AD. The issue has been fixed.
Security Fix
An authentication bypass vulnerability (CVE-2022-29081) affecting ManageEngine PAM360 builds from 4001 to 5400 has been fixed. It occurred due to an improper URI check that allowed an adversary to bypass security checks in seven REST API URLs, gain unauthorized access to the application, and invoke the following operations:
Enhancements
Upgrades
Bug Fixes
Behavior Change
The API handling code which earlier responded to the V1 API format of ServiceDesk Plus MSP will henceforth respond to their V3 API format.
New Feature
Integration with the Cortex XSOAR RPA Tool
ManageEngine PAM360 integrates with Cortex XSOAR, a Robotic Process Automation (RPA) tool that allows
users to build standardized responses through commands to facilitate the automation of software
processes. PAM360 provides various commands that cover a wide range of automation tasks to perform
operations, such as creating resources and accounts, fetching passwords, updating resource and account
details, wherein the commands can be combined to create a complete endpoint management workflow.
Enhancements
Behavior Change
Before the upgrade, if the 'Autofill' option was enabled in the user's browser, there was a chance for the browser data to get auto-populated in the 'VNC Passwords' field. Now, with the 5305 upgrade, all the VNC resource passwords will be added to an account called '_VNCACCOUNT_' under their respective resources.
Feature
Self-Service Privilege Elevation
Using the Self-Service Privilege Elevation feature, an administrator can allow a user to run a specific
application(s) with elevated privileges without sharing the privileged account passwords. With this
feature, it is possible to perform administrative functions on an endpoint without the need for the
administrators to share the account passwords. The passwordless strategy used to run applications with
elevated account privileges assures that only the intended administrative tasks are performed by a user
without entering administrator credentials.
Enhancements
Security Fix
A SQL injection vulnerability that allowed users to access the restricted tables in 'Query Reports' has been fixed.
Security Fix
An authentication bypass vulnerability (CVE-2021-44525) that allows an adversary to gain unauthorized access to the application and invoke actions through specific application URLs has been fixed. It affects ManageEngine Access Manager Plus versions up to 4202.
Enhancement
Administrators can now enable and set up a customizable welcome message once a session commences. In addition, they can enable the session recording status in the session window.
Enhancement
New Agents
This release comes with two new agents - C# agent for Windows/ Windows Domain and Go agent for Linux.
Henceforth, it will be possible to restrict user accounts that are added via agents (the new agents
only) during account discovery, using regex patterns.
Bug Fixes
New Features
Enhancements
Behavior Change
From now on, all certificates with unique serial numbers will be listed under the 'Certificates' tab. However, the existing users can manage their already added certificates from the History section, which has now been moved under the 'Column Chooser'.
Bug Fixes
Security Fixes
Enhancements
Behavior Changes
Note: If your current Ticketing System is ServiceDesk Plus On-Premises or ServiceDesk Plus Cloud, this upgrade pack will disable the integration and delete the complete integration data. You will have to reconfigure the ticketing system again. So, make sure you save a backup of the advanced configurations in the form of screenshots for reference.
Bug Fixes
Security Fixes
Enhancements
Bug Fixes
Security Fix
Enhancement
Security Fixes
Security Fix
New Features
Bug Fixes
New Features
Enhancements
Bug Fixes
Security Fixes
Security Fix
New Features
Enhancements
Bug Fixes
Security Fixes
Enhancement
New Features
Enhancement
Bug Fixes
Security Enhancement
Earlier, PostgreSQL data directories in Windows installations were entirely accessible to all locally authenticated users. Now, as a security practice, we have applied the following measures, applicable for installations under the 'Program Files' directory:
New Features
Enhancements
Bug Fix
In PAM360 build 4000, while trying to integrate with ServiceDesk Plus, the "Invalid API key" error was encountered. This issue has been fixed in this build.