Host Access Management and Security Server - Release Notes

November 2022

Host Access Management and Security Server (MSS) version 12.8.0.6 released November 2022.

1.0 What’s New

All MSS releases are cumulative, and contain the features introduced in earlier releases. For previous versions, see MSS Documentation.

1.1 Features and Fixes

  • Apache Commons Text library updated to version 1.10.0 to mitigate CVE-2022-42889 (12.8.0.6)

  • Apache Shiro library updated to version 1.10.0 to mitigate CVE-2022-40664 (12.8.0.6)

  • Removed the JXPath library to mitigate CVE-2022-41852 (12.8.0.6)

  • Applied security updates to address multiple CVEs. (12.8.0.5)

  • Thymeleaf library updated to version 3.0.15 to mitigate CVE 2021-43466. (12.8.0.4)

  • Log4j library updated to version 2.17.1 to mitigate CVE 2021-44832. (12.8.0.3)

  • Log4j library updated to version 2.16.0 to mitigate CVE-2021-44228 and CVE-2021-45046 (12.8.0.1)

  • TLS 1.3 is supported and enabled. Clients that do not yet support TLS 1.3 will fall back to TLS 1.2. (12.8)

  • Windows Authentication - Kerberos is available for end users launching HACloud sessions via the session server or Reflection Desktop when configured for centralized management. (12.8)

  • Management and Security Server (MSS) has been made more secure by using only HTTPS. (12.8)

  • Communication from the Security Proxy to MSS when exporting settings has been upgraded to HTTPS. (12.8)

  • Rumba+ Desktop 10.1 SP1 (or higher) sessions may now be launched from the Assigned Sessions list. (12.8)

  • If the Metering administrator password is forgotten, you can easily reset it to the Administrative Console password. (12.8)

  • You can add Subject Alternative Names to certificates while installing HACloud and MSS. (12.8)

1.2 Changes in Behavior and Usage

  • MSS now uses HTTPS exclusively to increase security. HTTP has been disabled on all endpoints.

    NOTE:In upgrades, where clients had been configured to access Metering or the Terminal ID Manager over HTTP, those clients must be updated to use the HTTPS port. The MSS Certificate also needs to be imported to the appropriate certificate / trust store, if not already done. (12.8)

  • TLS 1.0 and TLS 1.1 have been removed. Both TLS 1.2 and TLS 1.3 are available. (12.8)

  • As a result of updated encryption libraries, customers who use headless server-based installations may experience system delays if system entropy is too low. Insufficient entropy may lead to the installation process hanging or degraded server performance. Some platforms already install and enable an entropy service by default, and the issue will not be noticed. If needed, a hardware or software solution can remedy the issue. See the Knowledge Base article, Ensuring Sufficient Entropy to Avoid System Delays. (12.7.2)

  • Upon upgrading the Security Proxy, if a proxy port has only a DSA certificate, the port will not support TLS 1.3; however, it will continue to allow TLS 1.2 and lower protocols. TLS 1.3 is not compatible with a DSA certificate. (12.7.2)

    Use the Security Proxy Wizard to adjust the configuration to support the desired TLS protocols. The Security Proxy Wizard, as well as the Security Proxy Server log files, will indicate any configuration mismatches that prevent TLS 1.3 operation.

2.0 Known Issues

If you encounter these or other issues with Management and Security Server, contact Micro Focus Support.

  • NTLMv2. Customers using Windows Authentication - NTLMv2 as their authentication method are subject to the “Netlogon Elevation of Privilege Vulnerability” (CVE 2020-1472). (12.7).

    To mitigate this vulnerability, use a different authentication method such as Windows Authentication - Kerberos, LDAP, SAML, Single Sign-on through IIS, X.509, or SiteMinder. For more information see Knowledge Base article 7024851.

    NOTE:With the addition of Windows Authentication - Kerberos, support for NTLMv2 will be removed in an upcoming release.

  • Authentication to the MSS Server using Window Authentication - NTLMv2 with Internet Explorer (IE) 11 does not work in MSS 12.7.2 or higher. Attempts to access the Assigned Sessions list or Administrative Console result in an unrelenting spinner. (12.7.2)

    Workarounds: Use another supported browser, such as Microsoft Edge or Google Chrome—OR—use a different authentication method, as mentioned above.

3.0 Contacting Micro Focus

Check these online resources.

For specific product issues, contact Micro Focus Support.