-
Title
TPAM Hotfix 10336 for Solution 263370 - Fixes for password complexity and token validation -
Description
This hotfix includes the changes outlined in the following sections. One Identity may generate additional hotfixes for future releases of the product.This hotfix addresses issues in 2.5.915 relating to Password complexity and token validation. The minimum version for installing this hotfix is 2.5.915.Resolved Issues:Password is being sent in clear text in the URL when creating a UserID.When creating Admin UserIDs the CSRF token that is being sent to the server is not being verified which is leading to CSRF attack regardless of the Token usage. -
Resolution
Please download the hotfix, TPAM Hotfix 10336 for KB 263370, attached to this KB.
Resolved issues
The following is a list of issues resolved in this hotfix.
Issues resolved in hotfix 10336:Resolved Issue Issue ID Password is being sent in clear text in the URL when creating a UserID.When creating Admin UserIDs the CSRF token that is being sent to the server is not being verified which is leading to CSRF attack regardless of the Token usage.10336 Applicability of this hotfix
Products affected by this hotfix:Product Name Version TPAM 2.5.915
To install the hotfix1. Take a backup of the TPAM appliance.
2. Copy the supplied .zip file to your local computer.
3. Log in to the TPAM /admin interface.
4. Select Maint | Apply a Patch from the menu.
5. Click the Select File button.
6. Click the Browse button. Select the patch file that you saved locally.
7. Click the Upload button.
8. Type xmkqLeCK4Q in the in the Key box.
9. Type /genkey in the Options box.
10. By default, if you are applying a patch to a primary member of a cluster, the replicas in the cluster will be listed and highlighted in the Target Replicas list. If any of the replicas are deselected, the patch will not be applied to it. The replica can be patched at a later date by logging on directly to the /admin interface of the replica. If the software version numbers (excluding the build number) of the primary and the replica still match them the primary will still be able to send data to the replica. We recommend that you contact Technical Support before deciding to deselect any of the replicas on this list.11. Click the Apply Patch button.
12. A reboot is recommended after successfully applying this patch to an appliance.
Verifying successful installation
To determine if this hotfix is installed:
1. Click the Patch Log tab.
2. To set the log refresh interval, select Refresh Results every X seconds.
3. Once the hotfix has been applied there will be a message in the patch log stating “Patch successfully applied to system”.
Removing this hotfix
To remove this hotfix:
1. To remove this hotfix the TPAM appliance can be revert to a snapshot through the Kiosk and a backup of the most recent data can then be restored. -
Attachments