Secret Server 11.7.000001 Release Notes
Release Date (On-premises): April 13, 2024
Security Update
We became aware of a critical vulnerability in the SOAP API which could allow an attacker to bypass authentication. The REST API was not impacted.
This update addresses the above security vulnerability and impacts all versions of Secret Server. Hashes for the upgrade have been updated for this change.
Details are available on the Delinea Trust Center. Please register and subscribe to get future updates directly to your inbox.
The direct link to the topic is Secret Server Vulnerability.
Remediation
If your Secret Server instance is exposed to the public internet, you are at significant risk and you should perform these steps immediately.
- Use the Remediation Guide to modify the Secret Server implementation to mitigate the vulnerability.
- As a precautionary measure, rotate your passwords often until mitigation is in place.
- Use the Remediation Guide to examine audit histories for any evidence of exploitation.
- As soon as the patch is available, patch all systems.
The support team is available to guide your team through these steps and answer any questions from you or your team.
Delinea Platform and Secret Server Cloud
Delinea Platform and Secret Server Cloud have been patched and are no longer vulnerable.
Step Upgrade Process
- A Step Upgrade is required from versions prior to 11.5.2 (11.5.000002) before you can upgrade to 11.7.1 (11.7.000001).
- The automatic downloads in the product will get the right versions for the step upgrade and then allow the 11.7.000001 upgrade.
- If offline and using the file upload method, versions prior to 11.5.2 will get an error message saying, "Integrity Check failed - Security Catalog is signed by thumbprint that is not specifically trusted." The remedy is to first upgrade to 11.5.000002 (or 11.5.000003) and then do the upgrade to 11.7.000001.
If You Cannot Upgrade to 11.7.1
If you are on an older version of Secret Server and you cannot upgrade to the latest version, please contact our support team for assistance and guidance.
- Prevented Thycotic One sync from syncing Platform native users. This allows Platform native users to log in in the rare situation where they were synced with Thycotic One and the administrator then clears the system Platform User mappings.