LogonBox SSPR 2.4.8 – Now Available


Introduction

LogonBox is pleased to announce the immediate availability of LogonBox SSPR 2.4.8.

This release includes further performance improvements to some database calls (an optimisation that was previously only available via a system property), as well as improvements to other database calls.

More granular system permissions are now available for managing secondary accounts and the LogonBox Authenticator.

More performance improvements

The most commonly called database query has been improved by a factor of 100, which will reduce CPU load on a busy system.

This optimisation is now enabled by default in this release, so all systems can take advantage of these improvements.

While we were working on performance, some further improvements were identified and optimised, resulting in a noticeable improvement in page load times on servers with many users.

New permissions

LogonBox has always had a very granular set of permissions when delegating admin rights, so you can target only the permissions you want to grant. One area where such granular permission did not exist was the right to manage users on secondary directories, but these permissions have now been added.

Another new permission (Authenticator Personal) has been added for end users. This allows you to turn off the LogonBox Authenticator QR code on a user’s profile page when they log into their account.

Password generator

LogonBox has a password generator available during password resets. It automatically suggests a strong password that meets the password requirements.

It is now possible to disable this feature if you do not want this to happen.

Vulnerability scan updates

We have done the following in this release to resolve some reports from vulnerability scans.

  • The logging framework for the Callback Service has been moved from Log4J to Reload4J to resolve this being flagged in vulnerability scans. The service was not susceptible to any reported vulnerabilities, but this change should stop scanners from reporting this as a false positive.
  • The HTTP Strict-Transport-Security preload directive has been added to all requests. This isn’t technically required, as our HTTP interface only redirects to HTTPS, but adding this directive will stop vulnerability scanners from reporting on this unnecessarily.
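As an added illustration (not code from LogonBox or part of this release), here is a small Python check an administrator can run against the response headers captured from the HTTPS interface after upgrading. It parses the Strict-Transport-Security header and reports whether it satisfies the browser preload-list requirements: a max-age of at least one year (31536000 seconds), includeSubDomains and preload. The preload directive itself has no effect until the domain is submitted to the browser preload list, so the check is about what scanners and browsers will see, not about submission. The sample header values are constructed for the example.

```python
"""Check a Strict-Transport-Security header against the preload-list requirements.

Added example; the header values below are constructed, not captured from a
LogonBox server.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Minimum max-age (one year in seconds) required for preload-list submission.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)

    @property
    def preload_ready(self) -> bool:
        return self.present and not self.problems


def parse_hsts(header_value: Optional[str]) -> HstsResult:
    """Parse the directives of an HSTS header value (RFC 6797 syntax).

    Directive names are case-insensitive, unknown directives are ignored and a
    duplicated directive is reported as a problem.
    """
    if header_value is None:
        return HstsResult(present=False, problems=["header missing"])
    result = HstsResult(present=True)
    seen: Dict[str, str] = {}
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            result.problems.append(f"duplicate directive: {name}")
            continue
        seen[name] = value
        if name == "max-age":
            if value.isdigit():
                result.max_age = int(value)
            else:
                result.problems.append(f"max-age is not a number: {value!r}")
        elif name == "includesubdomains":
            result.include_subdomains = True
        elif name == "preload":
            result.preload = True
    if result.max_age is None:
        result.problems.append("max-age missing")
    elif result.max_age < PRELOAD_MIN_MAX_AGE:
        result.problems.append(f"max-age {result.max_age} below {PRELOAD_MIN_MAX_AGE}")
    if not result.include_subdomains:
        result.problems.append("includeSubDomains missing")
    if not result.preload:
        result.problems.append("preload missing")
    return result


def check_response_headers(headers: Dict[str, str]) -> HstsResult:
    """Find the header case-insensitively in a dict of response headers."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return parse_hsts(value)
    return parse_hsts(None)


if __name__ == "__main__":
    # Constructed sample responses: one meeting the preload requirements, one not.
    good = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
    weak = {"strict-transport-security": "max-age=300"}
    for label, hdrs in (("good", good), ("weak", weak)):
        r = check_response_headers(hdrs)
        print(label, "preload-ready" if r.preload_ready else r.problems)
```

The header only matters on responses served over HTTPS; a scanner that sees it on the plain HTTP redirect will ignore it, so capture the headers from the HTTPS interface when running this check.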

Upgrade Instructions

You can directly upgrade from the web UI or the operating system.

To upgrade from the web UI, log on to your admin account, navigate to Server Status from the main dashboard, and click Update. If you have Updates, Features & Licensing->Update Prompt turned on, you may also be prompted automatically upon login.


To upgrade from the operating system:

On Windows – download the new installer, run the installer, and follow the prompts.


On a LogonBox VM – from a shell, type in:

apt update
apt upgrade


If you are still running a version before 2.3, you will need to perform some extra steps from the OS, as detailed here:

https://docs.logonbox.com/app/manpage/en/article/6172513

Our support team will upgrade Cloud customers over the coming week.


Changes

Here is a summary of the changes in this release.

Features

  • Significant performance improvements to some database calls.
  • The database improvement that was added in 2.4.6 as an optional property is now the new default, so all customers will benefit from the most commonly called database query being improved by a factor of 100, which will reduce CPU load significantly on a busy system.
  • Added a new permission, Authenticator Personal. This enables the LogonBox Authenticator setup in a user’s My Credentials page.
  • Moved logging framework for Callback Service from Log4J to Reload4J to resolve vulnerability report (was not susceptible to the vulnerability, but this will stop vuln scanners reporting a potential issue).
  • Added the HTTP Strict-Transport-Security preload directive to all requests. This isn’t technically required, as our HTTP interface is only there to redirect to HTTPS, but adding this directive will stop vulnerability scanners complaining about this missing item.
  • An admin can now reset a user’s profile state for Duo credentials from the User Directory page.
  • Added hints to the text fields for Security Questions on the profile setup wizard to make it clear that a user needs to set and confirm an answer.
  • SMS messaging now accepts HTTP 202 responses, which some messaging providers use.
  • Added new account locked event when we detect an AD account has become locked.
  • Added permissions to allow delegation of rights to manage users on Secondary Directories.
  • The password generator on the reset password prompts can now be turned off (Authentication Flows->Authentication Options->Password Reset->Password Generator).
  • Added daily server log file rolling for Windows installs, to match how this is done on the VM appliances.

Bugs

  • On browser windows less than 1100 pixels wide, the user list in User Directory now displays as expected rather than getting pushed down the page.
  • Add All, Remove All and Reset actions in multi-select fields are now correctly shown as buttons rather than links and have a consistent text size.
  • The column filter on the Users page had a blank entry. This is now correctly named after the Actions tab and shows/hides the Actions column.
  • Features can now be removed again from Updates, Features & Licensing.
  • The setup prompt for the LogonBox Authenticator QR code now has the app store icons below it correctly justified.
  • Removing a Role from a user in the Roles tab when a user object has been expanded with the + button now works again.
  • If an AD user is locked, you can no longer log into LogonBox if you have Cache Passwords turned on.
  • Fixed an issue with registering a TOTP authenticator (Microsoft, Google, Authy) on a sub-realm when using the Realm Selector dropdown. This now registers correctly again.
  • Fixed the PIN prompt on the profile completion wizard, which was not shown if User Selective 2FA was also in use.
  • Altered server log rolling so that logs roll over once per day as they used to. A bug introduced with the Log4J2 upgrade caused logs to rotate every 20 MB and then never be cleaned up after their maximum age.
  • Attachments can be sent on a message template again.
  • Fixed an issue where you couldn’t update the user directory configuration when the UI was set to the Portuguese language.
  • Removed redundant search buttons for filter input text boxes on System Configuration->SSL.
  • Added an expiry time to some of the recently introduced caching to reduce memory load over time.
  • Altered the JSON response returned on a bad username during login so that it no longer echoes the username (this only happened when verbose errors were on, and it falsely triggered some vulnerability scanners).
  • It’s possible to add multiple certificates to the HTTPS Interface again.
  • When you edit a user, any read-only fields (such as the ones in the Status tab) are now correctly shown as uneditable labels rather than text entry fields or dropdowns.
  • Users can now be deleted successfully if they had previously set a PIN (DB cascade).
  • When creating a new AD account via LogonBox, the user’s UserAccountControl attribute is now correctly set to 0x0200 (NORMAL_ACCOUNT).
  • Fixed the hyperlink for end user SAML Browser Resources so that clicking on the name now has the same action as Actions->Launch.
  • Fixed some issues with the Credentials Provider not working as expected with Password Reset and RDP MFA.
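The UserAccountControl fix above is a good prompt to verify accounts that were provisioned before the upgrade. The following Python helper is an added example, not LogonBox code: it decodes a userAccountControl integer into its documented flag names (the ADS_USER_FLAG bit values published by Microsoft) and then applies a simple audit policy for a freshly created user account: the account-type bits should be exactly NORMAL_ACCOUNT (0x0200), and none of the flags that weaken the account's own authentication should be set. Which flags count as "risky" is an assumption of this example, not something the release defines, and the sample values are constructed.

```python
"""Decode an AD userAccountControl value and audit it for a normal user account.

Added example. The flag bit values are Microsoft's documented ADS_USER_FLAG
values; the audit policy (RISKY_FLAGS) is this example's own assumption.
"""
from typing import Dict, List, Set

UAC_FLAGS: Dict[int, str] = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}

# Exactly one of these should be set; a user account created by a
# self-service tool should carry NORMAL_ACCOUNT only.
ACCOUNT_TYPE_FLAGS: Set[str] = {
    "TEMP_DUPLICATE_ACCOUNT", "NORMAL_ACCOUNT", "INTERDOMAIN_TRUST_ACCOUNT",
    "WORKSTATION_TRUST_ACCOUNT", "SERVER_TRUST_ACCOUNT",
}

# Assumed audit policy: flags that weaken the account's own authentication.
RISKY_FLAGS: Set[str] = {
    "PASSWD_NOTREQD", "ENCRYPTED_TEXT_PWD_ALLOWED",
    "USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH",
}


def decode_uac(value: int) -> List[str]:
    """Return the flag names set in value, lowest bit first; unknown bits are kept."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:X}")
    return names


def audit_new_user(value: int) -> List[str]:
    """Return findings for an account that should be a plain normal user."""
    flags = set(decode_uac(value))
    findings: List[str] = []
    types = flags & ACCOUNT_TYPE_FLAGS
    if types != {"NORMAL_ACCOUNT"}:
        findings.append(
            f"account type flags {sorted(types) or 'none'}; expected NORMAL_ACCOUNT only"
        )
    for flag in sorted(flags & RISKY_FLAGS):
        findings.append(f"risky flag set: {flag}")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not read from a directory.
    for uac in (0x0200, 0x10200, 0x0220, 0x0000):
        print(hex(uac), decode_uac(uac), audit_new_user(uac) or "ok")
```

The decoder is what you would run over the userAccountControl attribute pulled from each account created through the reset tool; an empty findings list means the account has the expected 0x0200 type and nothing weakening its password or Kerberos pre-authentication.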