Secret Server 11.7.000015 Release Notes

On-premises: May 22, 2024

Out of an abundance of caution, we are temporarily pulling down Secret Server (SS) version 11.7.15 (on-premises) to resolve a problem with older versions of RabbitMQ (before 3.10) impacting Distributed Engine (DE) version 8.4.31, which is shipped with SS 11.7.15. If you still require version 11.7.15, please contact Delinea Support to assist you further. You may install it as long as you do not upgrade the DE to version 8.4.31. We are working on resolving this issue and releasing an update within the next two weeks. This issue does not impact Secret Server Cloud.

Component Versions

Distributed Engine and Advanced Session-Recording Agent: 8.4.31.0

Protocol Handler: 6.0.3.28

If your protocol handler version is 6.0.3.26 or lower, you must upgrade it manually; automatic upgrades do not work for versions 6.0.3.26 or below. If your protocol handler version is 6.0.3.27 or higher, the automatic upgrade functions properly.

Features

Entra ID Secret Template for RPC

Secret Server has supported Azure AD remote password changing for several years. This overhaul creates a new password changer and template, Entra ID, that uses OAuth application credentials as a privileged account to change a user password. Entra ID is Microsoft's comprehensive cloud-based identity and access management solution that helps organizations securely manage identities and access across their Microsoft services and applications. Our password changer and template support MFA and conditional-access policies and do not require PowerShell.

Enhancements

  • Enhancement: Updated PuTTY to version 0.81. The new version addresses several PuTTY vulnerabilities, including the Terrapin vulnerability.

  • Enhancement: Added AIX support for SSH Proxy su automatic password entry.

  • Enhancement: Added the SameSite attribute to browser cookies, a security feature that helps prevent cross-site request forgery (CSRF) attacks. The SameSite attribute value is set to Lax to balance security and usability.

  • Enhancement: Increased back-end performance of event queue processing when there are a lot of inbox rules.

  • Enhancement: Security issue contact instructions are now available at /.well-known/security.txt as specified in RFC 9116.

  • Enhancement: Significantly improved the performance of secret searches when using displayed secret fields.

  • Enhancement: Updated Secure Blackbox to latest version. Secure Blackbox FIPS support was updated in documentation.

  • Enhancement: Updated SSH functionality through Secure Blackbox to address Terrapin.
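The SameSite enhancement above is only effective if every session-bearing cookie actually carries the attribute alongside Secure and HttpOnly. The following audit script is an added example, not Secret Server code; the cookie names and Set-Cookie header lines are constructed, and the checks implement the generally applicable browser rules (no SameSite, SameSite=None without Secure, missing Secure or HttpOnly) rather than anything specific to this release.

```python
"""Audit Set-Cookie headers for the attributes that limit CSRF and cookie theft.

Added example, not Secret Server code. The header lines below are constructed;
the checks follow the browser rules for SameSite, Secure and HttpOnly.
"""
from __future__ import annotations


def parse_set_cookie(header_value: str) -> tuple[str, dict[str, str]]:
    """Split one Set-Cookie value into the cookie name and a dict of
    lower-cased attribute names -> values (flag attributes map to '')."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_set_cookie(header_value: str) -> list[str]:
    """Return the weaknesses found in one Set-Cookie header value.

    - missing SameSite: the cookie is attached to cross-site requests in any
      browser that does not default to Lax, so CSRF defence rests elsewhere.
    - SameSite=None without Secure: modern browsers reject the cookie.
    - missing Secure: the cookie may be sent over plain HTTP.
    - missing HttpOnly: script running in the page can read the cookie.
    """
    _, attrs = parse_set_cookie(header_value)
    issues: list[str] = []
    samesite = attrs.get("samesite")
    if samesite is None:
        issues.append("missing SameSite")
    elif samesite.lower() == "none" and "secure" not in attrs:
        issues.append("SameSite=None without Secure")
    elif samesite.lower() not in ("lax", "strict", "none"):
        issues.append(f"unrecognised SameSite value {samesite!r}")
    if "secure" not in attrs:
        issues.append("missing Secure")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly")
    return issues


def audit_response(set_cookie_headers: list[str]) -> dict[str, list[str]]:
    """Audit every Set-Cookie header of one response, keyed by cookie name."""
    report: dict[str, list[str]] = {}
    for header in set_cookie_headers:
        name, _ = parse_set_cookie(header)
        report[name] = audit_set_cookie(header)
    return report


# Constructed sample headers: one weak session cookie, one hardened one.
SAMPLE_HEADERS = [
    "session=opaque-token-1; Path=/; HttpOnly",
    "session_v2=opaque-token-2; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for cookie, issues in audit_response(SAMPLE_HEADERS).items():
        print(cookie, "OK" if not issues else ", ".join(issues))
```

Lax still attaches the cookie to top-level GET navigations, which is the usability trade-off the note describes; it therefore protects state-changing endpoints only if those endpoints refuse GET. Run the audit against the Set-Cookie headers of a real login response to confirm every session cookie reports OK.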

Bug Fixes

  • Fixed "Secret Erase" translation in some non-English languages.

  • Fixed a critical security vulnerability in the SOAP webservice.

  • Fixed a policy validation issue that occurred when using a $itemvariable.variablename in schedule pipeline minutes.

  • Fixed a UI issue where some site connectors were incorrectly showing as disabled.

  • Fixed a visual bug when checking out a secret.

  • Fixed an issue where a command would fail to enter vi or vim mode and would allow blocked commands. Also fixed an issue where using su before vi or vim would fail and would allow blocked commands.

  • Fixed an issue where a ticket number was not present in SIEM logging.

  • Fixed an issue where an error dialog appeared when adding a dependency with associated secrets.

  • Fixed an issue where deleting computers from the discovery network view failed to show a confirmation dialog box before continuing.

  • Fixed an issue where handling secrets that fail heartbeat or password changes when using a PowerShell script threw a MaxShellsPerUser exception. For heartbeat: added a new heartbeat status called "NeedsImmediateRetry" to bypass the secret-template retry interval. For password change: ensured the retry attempts are not increased after failure.

  • Fixed an issue where launching a secret from the new search would launch the first secret from the results returned, not the selected secret.

  • Fixed an issue where OAuth parameters were not validated. The OpenIdConnect flow has been adjusted to validate the redirection URI.

  • Fixed an issue where removing fields from discovery scan templates threw a disableField error.

  • Fixed an issue where searching for a quotation mark could cause an error.

  • Fixed an issue where secret export/import links in the All Settings Category view were missing.

  • Fixed an issue where users other than owners could view TOTP backup codes.

  • Fixed an issue where users with MFA enabled would be incorrectly sent to the home page on login, instead of the page they were attempting to access.

  • Fixed an issue where IWA prevented DR sync calls from being processed correctly.

  • Fixed an issue with adding discovery sources that match the domain of a current secret.

  • Fixed an issue with key utilization within SOAP and REST API token generation.

  • Fixed an issue where toggling a favorite secret triggered a grid refresh.

  • Fixed issue where the "su -id" command was failing when the user did not have access to view the password for the secret they were elevating to.

  • Fixed issues that could cause incorrect group or user interactions between Secret Server and Platform. We corrected an issue with Platform group synchronization that would not correctly add all group memberships when synching over 1000 groups.

  • Fixed some issues with easy-move edge cases and system display.

  • Fixed timeouts for large amounts of data—paging for user audits is now done in the database.

  • Fixed unclear RPC logging. Updated the log message to clearly indicate when a password sets the next run time and is not doing a change attempt.

  • Improved the placement of Secret Server user admin and role links. They are now on the top level in All Settings under the category header.

  • Improved the UI for SSH cipher pages.
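The OAuth fix in the bug list above (validating the redirection URI in the OpenID Connect flow) belongs to a well-known class: an authorization server that accepts a loosely matching redirect_uri can hand the authorization code to a party other than the registered client. The script below is an added example, not Secret Server code; the registered URI and hostnames are constructed. It places a weak host-suffix check beside the exact-string comparison that RFC 6749 section 3.1.2 and the OAuth 2.0 Security Best Current Practice call for, so the difference can be observed on the same inputs.

```python
"""Exact-match validation of an OAuth/OIDC redirect_uri against registered values.

Added example, not Secret Server code. REGISTERED_REDIRECT_URIS and every
hostname below are constructed for illustration.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed registration: the client registered exactly this one URI.
REGISTERED_REDIRECT_URIS = frozenset({"https://sso.example.test/signin-oidc"})


def redirect_uri_allowed_by_host_suffix(redirect_uri: str, registered: frozenset[str]) -> bool:
    """A loose check of the kind that causes this bug class: accept any URI whose
    host ends with a registered host. Shown only to contrast with the exact match."""
    registered_hosts = {urlsplit(r).hostname or "" for r in registered}
    host = urlsplit(redirect_uri).hostname or ""
    return any(host.endswith(h) for h in registered_hosts)


def validate_redirect_uri(redirect_uri: str | None, registered: frozenset[str]) -> str:
    """Return the redirect URI the server may use, or raise ValueError.

    Rules: if no value is supplied and exactly one URI is registered, use it;
    otherwise the supplied string must be absolute, carry no fragment, use
    https, and be byte-for-byte equal to a registered URI. No prefix, suffix,
    wildcard or query-stripping comparison is performed.
    """
    if redirect_uri is None:
        if len(registered) == 1:
            return next(iter(registered))
        raise ValueError("redirect_uri is required when several URIs are registered")
    parts = urlsplit(redirect_uri)
    if "#" in redirect_uri:
        raise ValueError("redirect_uri must not contain a fragment")
    if not parts.scheme or not parts.netloc:
        raise ValueError("redirect_uri must be an absolute URI")
    if parts.scheme != "https":
        raise ValueError("redirect_uri must use https")
    if redirect_uri not in registered:
        raise ValueError("redirect_uri does not exactly match a registered value")
    return redirect_uri


def is_allowed(redirect_uri: str | None, registered: frozenset[str]) -> bool:
    """Boolean wrapper around validate_redirect_uri for logging or tests."""
    try:
        validate_redirect_uri(redirect_uri, registered)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the registered URI and three variations of it.
    candidates = [
        "https://sso.example.test/signin-oidc",
        "https://sso.example.test/signin-oidc?next=x",
        "https://evil-sso.example.test/signin-oidc",
        "http://sso.example.test/signin-oidc",
    ]
    for uri in candidates:
        print(f"{uri:50} suffix={redirect_uri_allowed_by_host_suffix(uri, REGISTERED_REDIRECT_URIS)!s:5} "
              f"exact={is_allowed(uri, REGISTERED_REDIRECT_URIS)}")
```

The exact comparison deliberately refuses a URI that differs only by a query string: the client must register the full value it will use, and the authorization server echoes state back in its own parameters rather than accepting caller-supplied query additions. An authorization server's rejection path should also log the client_id and the offending value so that repeated mismatches are visible in monitoring.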