Access Manager Plus Release Notes

Version 4.3 (4303)

Hotfix
24th June 2022

Security Fix

  • A remote code execution vulnerability that allowed an adversary to execute code on the host via XML-RPC has been fixed.
  • An authentication bypass vulnerability that allowed an unauthenticated adversary to create arbitrary directories and a large number of small files on the Access Manager Plus server has been fixed.

Version 4.3 (4302)

Hotfix
13th April 2022

Security Fix

An authentication bypass vulnerability (CVE-2022-29081), reported by Evan Grant and affecting ManageEngine Access Manager Plus versions up to build 4301, has been fixed. It was caused by an improper URI check that allowed an adversary to bypass the security checks on seven REST API URLs, gain unauthorized access to the application, and invoke the following operations without authentication:

  1. Restart the service.
  2. Apply server certificates.
  3. Access the dashboard details.
  4. Get existing license details.
  5. Apply new license to the product.
  6. Fetch event logs.
  7. Set up synchronization schedules.

Version 4.3 (4301)

Hotfix
2nd April 2022

Upgrade

Apache Log4j has been upgraded from version 1.2.8 to 2.17.2. Note that the Log4j 1.x line has been end-of-life since 2015 and no longer receives security fixes, and that 2.17.2 includes the fixes for the JNDI lookup vulnerabilities disclosed in December 2021 (CVE-2021-44228 and its follow-ups).

Bug Fix

In build 4300, users could not launch RDP connections if the 'Reason' field contained special characters such as '#'. This issue has been fixed.

Version 4.3 (4300)

Major
4th March 2022

Feature

HTTPS Connection:
Access Manager Plus now supports adding HTTPS-based web links as a connection type. Admins and users can launch secure HTTPS connections to internal web pages or to websites in a demilitarized zone and access them directly from the Access Manager Plus interface, with Access Manager Plus acting as a proxy between the user and the target. The connection status and details are recorded in the connection audit.

Enhancements

  • Users can now enable and customize a welcome message that is shown when a session starts. In addition, they can enable display of the session recording status in the session window.
  • The internal security framework has been upgraded to its latest version to reduce the exposure to known vulnerabilities and improve overall security.
  • The PostgreSQL server has been upgraded from version 9.5.21 to 10.18.
  • The Apache Tomcat server has been upgraded from version 8.5.32 to 9.0.54.
  • Access Manager Plus has migrated to the OpenJDK platform, version 1.8.0_252.
  • In addition to the jTDS JDBC driver for connecting to SQL Server, Access Manager Plus now supports the Microsoft JDBC driver, version 8.4.1.
  • Patch integrity verification has been implemented. Upgrading the product with a PPM file now requires importing an SSL certificate, which is available as a downloadable file. This is a one-time operation; subsequent upgrades are verified against the imported certificate.

Behavior Changes

  • The API handling code that earlier responded to the V1 API format of ServiceDesk Plus On-Premises and ServiceDesk Plus Cloud will henceforth respond to their V3 API format.
  • The authentication mechanism for ServiceDesk Plus Cloud has been updated from the older Authtoken-based method to OAuth 2.0. In addition, it is now possible to validate entries in the ticketing system columns against the entries in Access Manager Plus to check for mismatches. Earlier, only the entries in Access Manager Plus could be checked.

Note: If your current ticketing system is ServiceDesk Plus On-Premises or ServiceDesk Plus Cloud, this upgrade pack will disable the integration and delete all integration data. You will have to reconfigure the ticketing system afterwards, so take a backup of the advanced configuration (for example, as screenshots) for reference before upgrading.

Security Fix

From Access Manager Plus build 4202 onwards, standard users could delete saved session recording files, an operation that should be restricted to administrators. This privilege escalation has been fixed.

Version 4.2 (4203)

Hotfix
4th December 2021

Security Fix

An authentication bypass vulnerability (CVE-2021-44676) that allowed an adversary to gain unauthorized access to the application and invoke actions through specific application URLs has been fixed. It affects ManageEngine Access Manager Plus versions up to build 4202.

Version 4.2 (4202)

Minor
30th September 2021

Bug Fixes

  • Earlier, users were unable to access the 'Start' menu and the 'Taskbar' within a tab where a remote RDP session was in progress. This issue is fixed now.
  • Earlier, users from the 'Excluded Users' list could not perform any operation from the 'Actions' drop-down for selected connections in the UI. This issue is fixed now.

Security Fixes

  • Earlier, users other than the connection owner were able to modify the configuration of connections that were locked using the access control settings, by calling the REST API URLs directly. This issue has been fixed.
  • Users exempted from the access control workflow were able to configure, modify, and deactivate the access control settings of connections owned by other users, using REST API URLs. This issue has been fixed.
  • Earlier, standard users who did not have the privilege to discover connections were able to initiate discovery tasks, import connections, and view, add, and delete discovery profiles using REST API URLs. This issue has been fixed.

Version 4.2 (4201)

Minor
30th June 2021

Bug Fixes

  • Users assigned a custom user role were unable to initiate remote sessions from Access Manager Plus. This issue has been fixed.
  • Previously, when a shared connection whose password was 'In Use' was changed to 'Owned' during an active remote session, the status of the access request still showed as 'In Use'. From now on, the modified status of the access request is correctly shown as 'Request'.
  • Previously, AD users imported into Access Manager Plus who belonged to an AD group already excluded from access control requests were not automatically excluded from access control after the AD user sync. This issue has been fixed.
  • Earlier, the character limit of the 'reason for password retrieval' field under the 'Connections' tab was 100; it has been increased to 2500.
  • Previously, administrators and custom users assigned the 'Create Custom Roles' user role could not access the approval notifications for adding and editing new roles from the 'Notification' icon. This issue has been fixed.
  • Previously, users of the SQL and VNC connection types were able to see the 'Transfer Files' option under the 'Connections' tab. From build 4201 onwards, the 'Transfer Files' option is not shown for these connection types, as it does not apply to them.
  • Previously, connection owners were able to change the 'In Use' passwords of connections during active remote sessions. This issue has been fixed.
  • The non-functional chat window used by session collaborators in SQL and SSH remote sessions has been made functional.

Version 4.2 (4200)

Major
31st May 2021

Enhancement

Customizable Access Control Settings
From build 4200 onwards, Access Manager Plus allows users to apply customized configuration settings for the connection access control feature. This enhancement adds options that help users manage the request-release workflow for connections more efficiently.

A few of the customizable options that can be availed include:

  • Setting up auto-approval of connection requests during specified periods.
  • Excluding certain users or user groups from the request-release workflow for selected connections.
  • Sending timely reminders to connection owners to approve pending access requests.
  • Customizing miscellaneous settings, such as requiring users to provide a valid reason for password retrieval.
  • Providing a grace period during which users can continue using the connection before the password is forcibly checked back in.

Version 4.1 (4101)

Minor
8th January 2021

Enhancements

  • This release comes with improved security checks for Cross-Site Request Forgery (CSRF) and for HTTP request methods.

Version 4.1 (4100)

Major
3rd July 2020

Enhancements

  • Earlier, all connections added to Access Manager Plus were shared by default and accessible to all users. Now, users can mark their connections as either 'Shared' or 'Owned'; 'Owned' connections are private and accessible only to the connection owner. Options are available under 'General Settings' for administrators to globally enable or disable session recording for Owned connections, and to switch Access Manager Plus between Shared and Owned mode at their discretion. Additionally, a bulk 'Edit Connections' option has been added, which allows connection owners alone to enable or disable the 'Shared connection' and 'Access Control' options.

  • The PostgreSQL server used in Access Manager Plus has been upgraded to version 9.5.21.