Affected Products And Versions: Privileged Session Manager for SSH (PSMP), Self-Hosted – All versions prior to version 14.6.1 – All product subsets are affected

 
Resolution: 

Upgrade to a patch version from the table below by downloading the patch from the respective link and following the instructions in our online documentation.

If a patch isn’t available for your installed version, or if you want to move to the latest available version, upgrade your component according to the upgrade version compatibility docs.

 
PSM for SSH 14.6 (LTS) and its patches prior to 14.6.1 – Patch to version 14.6.1 – Download patch – Documentation

PSM for SSH 14.2 (LTS) and its patches prior to 14.2.3 – Patch to version 14.2.3 – Download patch – Documentation

 
Temporary Mitigation: 

There is no temporary mitigation available for this security bulletin.

HTML5 Gateway Container and RPM, Self-Hosted – All versions prior to version 14.6 (incl.) – All product subsets are affected

 
Resolution: 

Upgrade to a patch version from the table below by downloading the patch from the respective link and following the instructions in our online documentation.

If a patch isn’t available for your installed version, or if you want to move to the latest available version, upgrade your component according to the upgrade version compatibility docs.

 
Version 14.6 – Patch to version 14.6.1 – Download patch – Documentation

Version 14.2 – Patch to version 14.2.2 – Download patch – Documentation

Version 14.0 – Patch to version 14.0.2 – Download patch – Documentation

 
Temporary Mitigation: 

There is no temporary mitigation available for this security bulletin.

Affected products and versions:

Vault Self-Hosted – All versions

* This Security Bulletin applies only to the listed affected products. If this issue also affects another CyberArk product, it will be addressed separately in accordance with CyberArk’s Product Vulnerability Management Policy.

** Relates only to versions that are within their development life cycle. Please refer to our End of Life policy for details.

Resolution

Upgrade to a patch version from the following table by downloading the patch from the respective link and following the instructions in our online documentation.

If a patch isn’t available for your installed version, or if you want to move to the latest available version, upgrade your component according to the upgrade version compatibility documentation.

Installed Version:

Vault 14.6 and its patches prior to 14.6.2 – Patch version 14.6.2 – https://www.cyberark.com/CA25-33-VaultSH-14.6.2  – docs

Vault 14.2 and its patches prior to 14.2.4 – Patch version 14.2.4 – https://www.cyberark.com/CA25-33-VaultSH-14.2.4 – docs

Vault 14.0 and its patches prior to 14.0.5 – Patch version 14.0.5 – https://www.cyberark.com/CA25-33-VaultSH-14.0.5 – docs

CyberArk recommends enforcing strong password complexity requirements for all system accounts, including both human and non-human users. For detailed settings, please refer to the passparm.ini configuration file.

PAM on Cloud customers: CyberArk will not release AWS AMIs and Azure VM Images. Customers should run the upgrade process on the provided images following deployment.

Temporary mitigation

There is no temporary mitigation available for this security bulletin.

Exploited in the wild in a CyberArk environment

Not to the best of CyberArk’s knowledge.

Technical FAQ

Do I need to upgrade my Disaster Recovery Vault, PAReplicate, and EVD as well?

Disaster Recovery Vault and EVD versions (and patch version) need to be aligned with the Vault’s patch version.

PAReplicate should be the same minor version as the Vault (for example, PAReplicate 14.2 is compatible with Vault 14.2.2).

As CyberArk receives questions related to this Security Bulletin, answers will be added to the Technical FAQ article. To stay informed of updates, open the FAQ article and click Follow to receive notifications when new questions and answers are published.

Affected products and versions:

Central Credential Provider (CCP) – Versions 14.0 and 14.2 – Versions prior to 14.0 are not affected

* This Security Bulletin applies only to the listed affected products. If this issue also affects another CyberArk product, it will be addressed separately in accordance with CyberArk’s Product Vulnerability Management Policy.

** Relates only to versions that are within their development life cycle. Refer to our End of Life policy for details.

Resolution

Upgrade to a patch version from the following table by downloading the patch from the respective link and following the instructions in our online documentation.

If a patch isn’t available for your installed version, or if you want to move to the latest available version, upgrade your component according to the upgrade version compatibility documentation.

Installed Version: 

14.0, 14.2, and their patches prior to 14.2.4 – Patch Version 14.2.4 – https://www.cyberark.com/CA25-32-CCP-14.2.4 – Upgrade the Central Credential Provider(CCP) Note: Ensure that you upgrade the CCP’s Credential Provider (CP).

Temporary mitigation

There is no temporary mitigation available for this security bulletin.

Exploited in the wild in a CyberArk environment

Not to the best of CyberArk’s knowledge.

Technical FAQ

Are Credential Provider (CP) and Application Server Credential Provider (ASCP) also affected by this issue?

Yes. Credential Provider versions 14.0 and 14.2, including all patches prior to version 14.2.4, are affected by this issue. However, due to the limited attack vector, it is scored as medium severity and does not merit a bulletin announcement. The Application Server Credential Provider relies on the Credential Provider and is therefore also impacted by this issue (at medium severity).

A fix is available in Credential Provider version 14.2.4: https://www.cyberark.com/CA25-32- CP-14.2.4.

As CyberArk receives questions related to this Security Bulletin, answers will be added to the Technical FAQ article. To stay informed of updates, open the FAQ article and click Follow to receive notifications when new questions and answers are published.