Security Advisory for Login Enterprise
Login VSI identified a critical vulnerability that allows for unauthenticated access to Login Enterprise.
The vulnerability could be exploited to allow configuration access and remote code execution. This security advisory affects Login Enterprise versions 4.1.x to 4.9.9. Login VSI has released a patch to resolve the issue in version 4.9.10.
Impacted Software Versions
Login Enterprise 4.1.x - 4.9.9
Severity
This is a critical vulnerability; immediate remediation is recommended. The expected resolution time is 30 minutes when performing an online upgrade.
Recommendations
Login Enterprise 4.9.x customers are recommended to perform an online update to version 4.9.10. If this is not possible, an offline update is available.
Login Enterprise 4.8.x customers are recommended to perform an online update to version 4.9.10. If this is not possible, a patch is available (not recommended).
Earlier versions should be patched to at least version 4.8.10. However, we strongly recommend that customers evaluate a full version upgrade to version 4.9.10.
For updates, please check this knowledge base article regularly.
Upgrading to Login Enterprise 4.9.10
For existing Login Enterprise customers, online upgrades are possible. Customers may upgrade directly within the product. Additional information is available in a Knowledge Article.
For customers that want to upgrade offline, you may download the upgrade ISO file to Login Enterprise 4.9.10 here.
Workaround
No workaround available.
Contact
We appreciate and value having security concerns brought to our attention. Login VSI constantly monitors for both known and unknown threats.
If you are a Login VSI customer with a security-related support concern, you can contact Login VSI customer support at support@loginvsi.com. You may also create a ticket through the Knowledge Base.
Disclaimer
The identified security vulnerability remains if you do not complete all recommended steps. Login VSI is not responsible for any consequences that could have been avoided by following the recommendations in this notification.
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty. Login VSI reserves the right to change or update this document at any time. Login VSI expects to update this document as added information becomes available.
Revision History
2022-09-11: Published advisory
2022-10-11: Announced public availability of 4.9.10 patch release