Active Roles 7.4
Extensive internal testing has revealed that the latest release of Active Roles 7.4.0 has the potential to contain a security vulnerability if very specific deployment configurations are implemented. Please note that this vulnerability does not apply to previous versions of Active Roles; it is unique to 7.4, and only when Federated Authentication is used.
How does this affect me?
Testing exposed a potential vulnerability in version 7.4.0 of Active Roles whereby, under very specific circumstances, the Web Interface may allow users with lower privileges to impersonate an IIS logged-on user when Federated Authentication has been enabled. Please note: the risk of exploitation is strictly limited to configurations that have Federated Authentication enabled. If Federated Authentication is not enabled, there is no risk of any potential exploitation.
There are two methods to resolve the potential security vulnerability.
Either method described above will eliminate any risk of this potential threat for Active Roles 7.4 customers.
Status
Active Roles server 7.4.0 has been removed from the One Identity Support Portal. It has been replaced by Active Roles 7.4.1.