Security Enhancements
    • 30 Nov 2022

    Article Summary

    Increased security around server information.

    Tightened security against potential XSS attacks via the Linked SRs field.

    Tightened security against potential XSS attacks in the Asset Dashboard.

    Improved the Patch Management implementation mechanism to resolve Apache HTTPD vulnerability errors.

    Tightened security to prevent potential XSS (cross-site scripting) attacks.

    Added validation when end users self-register for the Self-Service Portal. This covers CVE-2021-43974.

    Tightened security to prevent potential SQL Injections in SysAid’s old mobile portal. This covers CVE-2021-43971.

    Tightened security around uploading image files and the type of files that users can upload in SysAid. This covers CVE-2021-43972 and CVE-2021-43973.

    Tightened security around change password capability in the My Settings page.

    Upgraded to the latest Apache Log4j release, version 2.17.1, to continue addressing the Log4j vulnerability.

    Please note that as part of our ongoing commitment to security, we're tightening the secure connection to our services. As of May 10, 2020, we'll be blocking the older, unsupported TLS protocol versions 1.0 and 1.1, and will only allow the newer, more secure versions.

    So please be aware that if you're using very old browsers, you won't be able to access our services. You'll also need to ensure that all machines running the SysAid agent use .NET Framework 4.6 or higher, which supports the newer TLS protocol versions. For details on browser support for TLS versions, please read here.

    Enforced timeout functionality has been expanded to cover more cases of session inactivity.

    Tightened security around access to LDAP Imported users via the API. This covers CVE-2021-36721.

    Tightened security around uploading files in SysAid. This covers CVE-2021-22796.

    Tightened security around access for non-admin users. This covers CVE-2022-22798.

    Tightened security against potential Cross-Site Scripting (XSS) attacks. This covers CVE-2022-23165.

    Tightened security around access to vulnerable files in the SysAid server. This covers CVE-2022-23166.

    Upgraded Tomcat to build 64 to protect against potential DoS attacks. This covers CVE-2022-29885.

    Tightened security around access to SysAid’s GraphQL schema. This covers CVE-2021-41249.

    Tightened security against potential XSS and SQL injection attacks.

    Added validation of file types when attachments are uploaded to SysAid via Chat.

    Tightened security for SysAid login around password validation and Captcha display.

    Upgraded the Apache Commons Text JAR to the latest version (1.10.0) to fix the Apache Commons Text vulnerability. This covers CVE-2022-42889.

    Upgraded the Patch Management implementation to Apache HTTPD version 2.4.53 to prevent vulnerability errors.