We are proud to announce the 16.1 release of Topicus KeyHub. This release brings major improvements to the virtual appliance when running without an internet connection. The Topicus KeyHub application itself sees some nice features for managing larger installations. As usual, a number of smaller improvements have been made and several issues have been fixed.
Important notice: Possible privilege escalation
TKH-1413 An error in the LDAP query for the external UUID of a provisioned system could allow an attacker to craft a malicious duplicate linked system in an attempt to gain access to groups on that system. To do so, the attacker would need access to the credentials of the linked system, know the configuration of the system and be a member of a group with technical administration in Topicus KeyHub. This makes the attack difficult to perform and easy to detect, but it poses a risk nonetheless. We therefore recommend that all installations be upgraded to version 16.1.
Cleaning up orphaned accounts
TKH-784 When using Topicus KeyHub in a dynamic organization, people come and people go. This can leave you with a buildup of orphaned accounts in Topicus KeyHub: accounts that no longer exist in your directory, but still exist in KeyHub. Users can no longer log in with these accounts, but they create clutter and can cost you license entries. These accounts can now easily be removed in bulk with just a few clicks.
TKH-1392 It has always been the task of KeyHub administrators to perform account recovery when a user lost his or her two-factor authentication codes. It is now possible to delegate this responsibility to a separate group of users: the help desk group.
TKH-1373 Several small improvements were made to the browser extension. It is now able to detect login forms on pages that do not adhere to the HTML standards and do not put the login fields inside a form tag. Also, when the login form is placed inside an iframe, the extension now shows records for both the iframe URL and the URL of the browser tab. Finally, the extension now remembers search queries per tab. This greatly enhances the user experience when you have to enter multiple values manually in several steps.
Virtual Appliance offline mode
TKH-1403 Starting with Topicus KeyHub 15.1, we publish both a network and an offline installation package for the appliance. Upgrading an offline installation used to be a lot of work requiring a backup and restore, but not anymore: you can now update your installation via a special update package. In addition, several other improvements were made to the appliance for running it in an offline environment:
TKH-1391 The NTP servers can now be configured.
TKH-1394 It is no longer possible to combine Let's Encrypt and offline mode in the configuration.
TKH-1395 When running offline, the configuration management will no longer try to access online software repositories.
TKH-1398 Support for an additional RPM repository was added to allow the installation of updates in an offline environment.
TKH-1406 An offline installation will no longer show incorrect system updates on the dashboard.
The following smaller improvements and bug fixes were made:
TKH-888 Topicus KeyHub now keeps track of when a user uses a group.
TKH-991 Tests were added for several webhook scenarios.
TKH-1350 Some textual changes were made to the audit pages.
TKH-1365 It is now possible to filter on a type under manage access.
TKH-1383 A maximum file size is set for logos on the launchpad.
TKH-1384 The disabled checkbox for a launchpad tile is made more distinguishable from a non-disabled checkbox.
TKH-1388 The back-end now also returns vault secrets when the query targets a single record.
TKH-1389 In addition to basic authentication and a bearer token, it is now possible to set custom authentication headers on webhooks.
TKH-1390 The loading of launchpad icons has been improved.
LICENSE_KEY_UPLOADED was missing for webhooks.
TKH-1397 A missing security check allowed detection of the existence of vaults when the user did not have permission to read the vaults in question.
TKH-1399 An off-by-one in the check on the user limit of a license made it impossible to claim the last user of the license.
TKH-1400 The session count on the about page also showed sessions for automated clients.
TKH-1401 During the installation it was impossible to add trusted certificates.
TKH-1402 Creating a vault record without any secrets caused an error.
TKH-1407 Combining static provisioning with source directory provisioning did not always enable the group on the directory for accounts that were already members of the group in Topicus KeyHub.
TKH-1409 Some of the docker volumes in the appliance were unnamed, causing their state to be lost on an upgrade.
TKH-1411 Some of the indexes on the audit record table in the database were not used but took up a lot of disk space.
TKH-1412 The audit log entry written when a group membership expires was made clearer.
TKH-1414 During an update an erroneous e-mail was sometimes sent indicating that a snapshot was not cleaned up.
TKH-1415 A performance regression on the about page was fixed.