
Access Manager Plus Release Notes

Version 4.3 (Build-4311)

Hotfix
2nd November 2023

Security Fixes

  • We have upgraded the json.jar component in the Access Manager Plus library to the latest version (json-20231013), thereby addressing a potential Denial-of-Service (DoS) vulnerability (CVE-2023-507).
  • We have rectified an issue that allowed unprivileged users to terminate the sessions of other users.
  • We have fixed a security vulnerability that allowed unauthorized users to start and stop the HTTPS Proxy Server.
  • We have also fixed a security vulnerability that permitted users without the required privileges to play back recorded sessions of unshared connections.
  • An issue that allowed users to join a private session launched by another user has been found and fixed.
  • We have resolved an issue that allowed standard users to view the members of unshared user groups.
  • An issue that exposed the passwords of connections in plain text has been found and fixed.
  • We have found and fixed a vulnerability that allowed a user to edit landing server configurations created by other users.
  • The following stored Cross-Site Scripting (XSS) issues have been found and fixed:
    • Addressed vulnerabilities in the connection name shown on hover on both the Active and Completed pages within the Sessions tab, as well as in the currently active session name within the Connections window.
    • Resolved vulnerabilities identified in the role properties on the custom role edit page.
    • Prevented a potential vulnerability that could affect a user in an SQL session initiated by another user.
    • Addressed a vulnerability observed while playing back an SQL session recording under Recorded Connection in the 'Audit' tab.
    • Resolved a vulnerability in the Lock User dialog box of the Access Manager Plus web console.

Version 4.3 (Build-4310)

Minor
11th April 2023

Enhancements

SMTP - OAuth
Access Manager Plus now supports OAuth 2.0 authentication, an open-standard authorization protocol, for SMTP-based email communication, providing a secure channel for outbound emails from Access Manager Plus. Users can configure Microsoft Exchange Online as the authorization mail server through which Access Manager Plus sends email notifications. After the mail server is configured, Access Manager Plus validates the connection with Microsoft Exchange Online using the Tenant ID, Client ID, and Client Secret value taken from the Microsoft Azure portal. This validation eliminates the need for users to provide Access Manager Plus credentials to authenticate the notification emails.

Navigate to 'Product Administration >> Server Settings >> Mail Server' to configure OAuth 2.0 authentication for all emails sent from Access Manager Plus.
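The mechanism behind this setting is the OAuth 2.0 client-credentials grant followed by SASL XOAUTH2 over SMTP. The following is an added example, written for this page and not code from Access Manager Plus or ManageEngine, of how any application authenticates to Exchange Online SMTP without a mailbox password: it exchanges the Tenant ID, Client ID and Client Secret for a bearer token at the Microsoft identity platform token endpoint, then presents that token in an XOAUTH2 response. The function names, the sample addresses and the assumption that the app registration holds the permission Exchange Online requires for SMTP AUTH are the author's, not the page's.

```python
"""Added example (not Access Manager Plus code): OAuth 2.0 client credentials
plus SASL XOAUTH2 for Exchange Online SMTP, the flow the mail-server setting relies on."""
import base64
import json
import smtplib
import urllib.parse
import urllib.request

# Microsoft identity platform v2.0 token endpoint and the scope Exchange Online
# expects for SMTP AUTH with application (client-credentials) permissions.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
SMTP_SCOPE = "https://outlook.office365.com/.default"
SMTP_HOST, SMTP_PORT = "smtp.office365.com", 587


def fetch_access_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant: exchange the app registration's secret for a bearer token.
    This is a network call and is not exercised offline."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SMTP_SCOPE,
    }).encode("ascii")
    req = urllib.request.Request(
        TOKEN_ENDPOINT.format(tenant_id=tenant_id),
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def xoauth2_sasl_string(user: str, access_token: str) -> str:
    """SASL XOAUTH2 client response before base64 encoding:
    "user=<sender address>^Aauth=Bearer <token>^A^A" (^A is byte 0x01)."""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01"


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """Base64 form of the SASL string, as sent on the wire after 'AUTH XOAUTH2 '."""
    raw = xoauth2_sasl_string(user, access_token).encode("ascii")
    return base64.b64encode(raw).decode("ascii")


def send_notification(tenant_id, client_id, client_secret, sender, recipient, subject, text):
    """Open SMTP with STARTTLS and authenticate with XOAUTH2 instead of a mailbox password."""
    token = fetch_access_token(tenant_id, client_id, client_secret)
    sasl = xoauth2_sasl_string(sender, token)

    def authobject(challenge=None):
        # smtplib base64-encodes whatever this returns. A non-empty challenge means the
        # server rejected the token and sent a base64 JSON error; answering with an
        # empty line makes the failure surface as SMTPAuthenticationError.
        return sasl if challenge is None else ""

    msg = f"From: {sender}\r\nTo: {recipient}\r\nSubject: {subject}\r\n\r\n{text}"
    with smtplib.SMTP(SMTP_HOST, SMTP_PORT, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls()
        smtp.ehlo()
        smtp.auth("XOAUTH2", authobject)
        smtp.sendmail(sender, [recipient], msg)
```

The point for operators is what never leaves the application: the client secret is sent only to the token endpoint over TLS, the mail server sees a short-lived bearer token, and no user's mailbox password is stored or transmitted for SMTP at all, which is exactly what makes this preferable to basic SMTP authentication.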

Security Notification
The Access Manager Plus web console will display an in-product notification after each security release, reminding administrators to upgrade the product.

Bug Fix

Previously, all Access Manager Plus installations had the same password for the bundled PostgreSQL database. From now on, a unique database password will be generated for each Access Manager Plus installation to bolster its security.

Version 4.3 (Build-4309)

Hotfix
29th December 2022

Security Fix

A SQL injection vulnerability (CVE-2022-47523) in our internal framework, which would have allowed Access Manager Plus users to access the backend database, has been fixed.

Version 4.3 (Build-4308)

Hotfix
7th November 2022

We have upgraded a third-party library in Access Manager Plus.

Version 4.3 (Build-4307)

Hotfix
28th October 2022

Some bug fixes and enhancements have been done.

Version 4.3 (Build-4306)

Hotfix
23rd October 2022

Upgrade

The Apache Commons Text jar has been upgraded from version 1.8 to 1.10.0.

Security Fix

We have fixed a few SQL injection vulnerabilities (CVE-2022-43672, CVE-2022-43671) caused by improper user input validation.

Bug Fixes

  • Earlier, the Search function failed to work when multiple text filters were added. This issue has been fixed.
  • Earlier, when a new user was added manually or imported into Access Manager Plus, all existing connections in the Access Manager Plus instance, including private connections that were not marked as 'Shared Connection', were visible to them. This issue has been fixed.

Version 4.3 (Build-4305)

Hotfix
10th September 2022

Security Fix

Several SQL injection vulnerabilities (CVE-2022-40300) in the Search operation, caused by improper user input validation, have been fixed.

Version 4.3 (Build-4304)

Minor
27th July 2022

Enhancements

  • The 'General Settings' section under 'Admin >> Server Settings' now includes a new category called 'Password Reset', which provides the following two options:
    1. Administrators can require users to provide a reason while changing the password of a connection.
    2. Administrators can allow users to reset the connection password without providing a valid ticket ID when the ticketing system integration is enabled.
  • We have enhanced our security checks against Path Traversal, Local File Inclusion, Stored XSS, Reflected XSS, and DOM XSS vulnerabilities.

Product Behavior Change

As of this version, we are officially discontinuing support for Microsoft NTLM Single Sign-on (SSO) as an authentication method in Access Manager Plus. Though NTLM SSO may function in older versions of Access Manager Plus, we highly recommend switching to alternative authentication methods such as SAML SSO that we will continue to support.

Version 4.3 (Build-4303)

Hotfix
24th June 2022

Security Fix

  • A remote code execution vulnerability (CVE-2022-35405) that allowed an adversary to exploit the host via XML-RPC has been fixed.
  • An authentication bypass vulnerability (CVE-2022-35404) that allowed an adversary to create arbitrary directories and large numbers of small files on the Access Manager Plus server has been fixed.

Version 4.3 (Build-4302)

Hotfix
13th April 2022

Security Fix

An authentication bypass vulnerability (CVE-2022-29081), reported by Evan Grant and affecting ManageEngine Access Manager Plus versions up to 4301, has been fixed. It was caused by an improper URI check that allowed an adversary to bypass security checks in seven REST API URLs, gain unauthorized access to the application, and invoke the following operations:

  1. Restart the service.
  2. Apply server certificates.
  3. Access the dashboard details.
  4. Get existing license details.
  5. Apply new license to the product.
  6. Fetch event logs.
  7. Set up synchronization schedules.
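The root cause named above, an authentication filter deciding on a URI it has not canonicalized, is a general pattern rather than something specific to this product. The following is an added example, written for this page and not code from Access Manager Plus, of the defensive shape such a filter should take: reduce the request path to one canonical form first (single percent-decode, strip per-segment matrix parameters the way servlet containers do, collapse dot-segments and repeated slashes), then compare that form against a deny-by-default allowlist of the few endpoints that may be reached without a session. The route names, helper names and the servlet-style matrix-parameter handling are assumptions of the example, not the product's real routes or filter.

```python
"""Added example (not Access Manager Plus code): an authentication filter that
decides on the canonical request path, never on the raw request-target."""
import posixpath
from urllib.parse import unquote

# Constructed allowlist of endpoints reachable without a session. Anything not
# listed requires authentication, so protected URLs never have to be enumerated.
PUBLIC_ROUTES = frozenset({"/login", "/api/health"})


class MalformedPath(ValueError):
    """Paths the filter rejects outright; the server should answer with 400."""


def canonical_path(raw_uri: str) -> str:
    """Reduce a request-target to a single canonical absolute path.

    Order matters: decode before collapsing dot-segments, otherwise an encoded
    '.' or '/' survives normalization and the comparison sees a different path
    than the application will eventually dispatch on.
    """
    # Query string and fragment play no part in routing.
    path = raw_uri.split("?", 1)[0].split("#", 1)[0]
    # Decode exactly once; if a second decode still changes the string, the
    # input was double-encoded and is refused rather than guessed at.
    decoded = unquote(path)
    if unquote(decoded) != decoded:
        raise MalformedPath("double-encoded path")
    if "\x00" in decoded or "\\" in decoded:
        raise MalformedPath("illegal character in path")
    # Drop matrix parameters per segment (';jsessionid=...' style), as servlet
    # containers do before mapping the path (assumed container behaviour).
    segments = [seg.split(";", 1)[0] for seg in decoded.split("/")]
    norm = posixpath.normpath("/".join(segments))
    if not norm.startswith("/"):
        raise MalformedPath("path must be absolute")
    # posixpath.normpath preserves a leading '//'; collapse it like any other run.
    return "/" + norm.lstrip("/")


def is_well_formed(raw_uri: str) -> bool:
    """True if the filter would accept the request-target at all."""
    try:
        canonical_path(raw_uri)
        return True
    except MalformedPath:
        return False


def requires_auth(raw_uri: str) -> bool:
    """Deny by default: only an exact canonical match on the allowlist is public."""
    return canonical_path(raw_uri) not in PUBLIC_ROUTES
```

Two design choices carry the security value. The decision is made on the same canonical path the application will route on, so there is no second interpretation for an odd spelling of a URL to slip between. And the list is of public endpoints, not of protected prefixes, so a new REST endpoint added later is protected without anyone remembering to register it with the filter.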

Version 4.3 (Build-4301)

Hotfix
2nd April 2022

Upgrade

Apache Log4j has been upgraded from version 1.2.8 to 2.17.2.

Bug Fix

From build 4300, users could not launch RDP connections if the 'Reason' field contained special characters such as '#'. This issue has been fixed.

Version 4.3 (Build-4300)

Major
4th March 2022

Feature

HTTPS Connection:
Access Manager Plus now supports adding HTTPS-based web links as a connection type. From now on, admins/users can launch secure HTTPS-based connections to local web pages or websites in demilitarized zones and access them directly from the Access Manager Plus interface, wherein Access Manager Plus acts like a proxy server. Additionally, the connection status and details are recorded as the connection audit.

Enhancements

  • Users can now enable and set up a customizable welcome message once a session commences. In addition, they can enable the session recording status in the session window.
  • The internal security framework has been upgraded to the latest version to reduce the occurrence of vulnerabilities and improve overall security.
  • The PostgreSQL server has been upgraded from version 9.5.21 to 10.18.
  • The Apache Tomcat server has been upgraded from version 8.5.32 to 9.0.54.
  • Access Manager Plus has now migrated to the OpenJDK platform, version 1.8.0_252.
  • In addition to supporting the JTDS JDBC driver to connect to the SQL server, Access Manager Plus now supports the Microsoft JDBC driver, version 8.4.1.
  • We have implemented a patch integrity verification, which will henceforth require importing an SSL certificate (available as a downloadable file) whenever the product is upgraded using the PPM file. It is only a one-time operation.

Behavior Changes

  • The API handling code, which earlier responded to the V1 API format of ServiceDesk Plus On-Premises and ServiceDesk Plus Cloud, will henceforth respond to their V3 API format.
  • The authentication mechanism for ServiceDesk Plus Cloud has been updated from the older Authtoken-based method to OAuth 2.0. In addition, from now on, it is possible to validate entries in the ticketing system columns against the entries in Access Manager Plus to check for any mismatches. Earlier, only the entries in Access Manager Plus could be checked.

Note: If your current ticketing system is ServiceDesk Plus On-Premises or ServiceDesk Plus Cloud, this upgrade pack will disable the integration and delete all integration data. You will have to reconfigure the ticketing system, so make sure you have a backup of the advanced configurations, for example as screenshots, for reference.

Security Fix

From Access Manager Plus build 4202 onwards, standard users could delete saved session recording files, which is an admin-only operation. This issue has been fixed now.

Version 4.2 (Build-4203)

Hotfix
4th December 2021

Security Fix

An authentication bypass vulnerability (CVE-2021-44676) that allowed an adversary to gain unauthorized access to the application and invoke actions through specific application URLs has been fixed. It affects ManageEngine Access Manager Plus versions up to 4202.

Version 4.2 (Build-4202)

Minor
30th September 2021

Bug Fixes

  • Earlier, users were unable to access the 'Start' menu and the 'Taskbar' within a tab where a remote RDP session was in progress. This issue is fixed now.
  • Earlier, users from the 'Excluded Users' list could not perform any operation from the 'Actions' drop-down for selected connections in the UI. This issue is fixed now.

Security Fixes

  • Earlier, users other than the connection owner were able to modify, via REST API URLs, the configuration of connections that were locked using the access control settings. This issue has been fixed now.
  • Users exempted from the access control workflow were able to newly configure, modify, and deactivate the access control settings of connections owned by other users via REST API URLs. This issue has been fixed.
  • Earlier, standard users without the privilege to discover connections were able to initiate discovery tasks, import connections, and view, add, and delete discovery profiles via REST API URLs. This issue is fixed now.

Version 4.2 (Build-4201)

Minor
30th June 2021

Bug Fixes

  • Users assigned with a custom user role were unable to initiate remote sessions from Access Manager Plus. This issue has been fixed now.
  • Previously, when the type of a shared connection whose password was 'In Use' was changed to 'Owned' during an active remote session, the status of the access request still showed as 'In Use'. From now on, the modified status of the access request will be properly shown as 'Request'.
  • Previously, AD users imported into Access Manager Plus who belonged to an AD group already excluded from access control requests were not automatically excluded from access control after the AD user sync. This issue has been fixed now.
  • Earlier, the character limitation of the 'reason for password retrieval' field that appears under the 'Connections' tab was 100, which has now been increased to 2500.
  • Previously, administrators and custom users assigned with the 'Create Custom Roles' user role could not access the approval notifications for adding and editing new roles from the 'Notification' icon. This issue is fixed now.
  • Previously, the SQL and VNC connection type users were able to view the 'Transfer Files' option under the 'Connections' tab. From build 4201 onwards, the 'Transfer Files' option will not be available for these users as it does not apply to their user roles.
  • Previously, connection owners were able to change the 'In Use' passwords of connections during active remote sessions. This issue has been resolved.
  • The non-functional chat window used by session collaborators in SQL and SSH remote sessions has been made functional now.

Version 4.2 (Build-4200)

Major
31st May 2021

Enhancement

Customizable Access Control Settings
From build 4200 onwards, Access Manager Plus allows users to apply customized configuration settings for the connection access control feature. This enhancement comes with options that help users efficiently manage the request-release workflow for the connections.

A few of the customizable options include:

  • Setting up of auto-approval of connection requests during specified periods.
  • Excluding certain users/user groups from going through the request-release workflow for the selected connections.
  • Sending timely reminders to the connection owners to approve access requests.
  • Customizing miscellaneous settings such as mandating users to provide a valid reason for password retrieval.
  • Providing grace time for users to continue connection access before passwords are forcibly checked in.

Version 4.1 (Build-4101)

Minor
8th January 2021

Enhancements

  • This release comes with improved security checks for Cross-Site Request Forgery (CSRF) and HTTP request methods.

Version 4.1 (Build-4100)

Major
3rd July 2020

Enhancements

  • Earlier, all connections added to Access Manager Plus were shared connections by default and were accessible to all users. Now, users can mark their connections as either 'Shared' or 'Owned', where 'Owned' connections are private and accessible only to the connection owners. Options are available under 'General Settings' for administrators to globally enable/disable session recording for Owned connections and to switch Access Manager Plus between Shared and Owned mode at their discretion. Additionally, a bulk 'Edit Connections' option has been added, which allows connection owners alone to enable/disable the 'Shared connection' and 'Access Control' options.
  • The PostgreSQL server used in Access Manager Plus has been upgraded to version 9.5.21.