Security Advisory 2022.11

Security Advisory for Login Enterprise

Login VSI identified a critical vulnerability that allows for unauthenticated access to Login Enterprise.

The vulnerability could be exploited to allow configuration access and remote code execution. The security advisory impacts Login Enterprise versions 4.1.x to 4.9.9. Login VSI has released a patch to resolve the issue in version 4.9.10.

 

Impacted Software Versions

Login Enterprise 4.1.x - 4.9.9

 

Severity

This is a critical vulnerability; immediate remediation is recommended. The expected resolution time is 30 minutes when performing an online upgrade.

 

Recommendations

Login Enterprise 4.9.x customers are recommended to perform an online update to version 4.9.10. In case this is not possible, an offline update is available.

Login Enterprise 4.8.x customers are recommended to perform an online update to version 4.9.10. In case this is not possible, a patch is available (not recommended).

Earlier versions should be patched to at least version 4.8.10. However, we strongly recommend that customers evaluate a full version upgrade to version 4.9.10.

For updates, please check this knowledge base article regularly.

 

Upgrading to Login Enterprise 4.9.10

For existing Login Enterprise customers, online upgrades are possible. Customers may upgrade directly within the product. Additional information is available in a Knowledge Article.

Customers who want to upgrade offline may download the upgrade ISO file to Login Enterprise 4.9.10 here.

 

Workaround

No workaround available.

 

Contact

We appreciate and value having security concerns brought to our attention. Login VSI constantly monitors for both known and unknown threats.

If you are a Login VSI customer with a security-related support concern, you can contact Login VSI customer support at support@loginvsi.com. You may also create a ticket through the Knowledge Base.

 

Disclaimer

The identified security vulnerability remains if you do not complete all recommended steps. Login VSI is not responsible for any consequences that could have been avoided by following the recommendations in this notification.

 

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty. Login VSI reserves the right to change or update this document at any time. Login VSI expects to update this document as added information becomes available.

 

Revision History

2022-09-11: Published advisory

2022-10-11: Announced public availability of 4.9.10 patch release