Secret Server 11.7.000002 Release Notes

Release Date (On-premises): May 15, 2024

Critical security release: We recommend that all Secret Server installations be updated to this release immediately or at your earliest convenience.

This security release corrects the encryption key used in identity token generation to prevent third-party decryption and modification of the authentication token. The vulnerability has a CVSS score of 7.5, with vector AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:L.

This vulnerability was identified internally during our investigation of an earlier vulnerability that was resolved in version 11.7.000001.

This release invalidates currently issued authentication tokens, which will result in all logon sessions being invalidated. Users may need to reauthenticate to Secret Server after applying this update.

Delinea Platform and Secret Server Cloud

Delinea Platform and Secret Server Cloud have been patched and are no longer vulnerable.

Step Upgrade Process

  • A Step Upgrade is required from versions prior to 11.5.2 (11.5.000002) before you can upgrade to 11.7.2 (11.7.000002).

  • The automatic downloads in the product will get the right versions for the step upgrade and then allow the 11.7.000002 upgrade.

  • If offline and using the file upload method, versions prior to 11.5.2 will get an error message saying, "Integrity Check failed - Security Catalog is signed by thumbprint that is not specifically trusted." The remedy is to first upgrade to 11.5.000002 (or 11.5.000003) and then upgrade to 11.7.000002.

For instructions on upgrading in general, go to Upgrading Secret Server