Background

Before the release of UCM 6.0.3, users were required to install the USO Chrome Extension in their Chromium-based browsers to use the single sign-on feature from UCM Web Access.

Currently, UCM customers are using USO Chrome Extension (Manifest V2).

* For users who have installed USO Chrome Extension (Manifest V2) in their browsers, please note that Google has announced that it will gradually disable Manifest V2 extensions moving forward.

In light of the above, the UCM Client needs to be upgraded to prevent reliance on USO Chrome Extension (Manifest V2). All required functionalities will still be available using the UCM Chrome Extension (Manifest V3). Users are thus advised to upgrade accordingly.

UCM Chrome Extension (Manifest V3) Features:

• Allows interaction with UCM Client when using UCM Web Access from a Chromium-based Browser.
• Allows single sign-on from a Chromium-based Browser Launcher.

Solution

Since UCM 6.0.3, the USO Chrome Extension will no longer be used for UCM. To simplify the deployment on the client side, only the UCM Chrome Extension (Manifest V3) will be used.

Execution Versions：

• UCM 6.0.5.0520-GA
• UCM 6.0.4.0416-GA-E03
• UCM 6.0.3.0319-GA-E12

Suggested Upgrades for Existing Users：

• For those using UCM 6.0.4, please upgrade to either UCM 6.0.4.0416-GA-E03 or the latest UCM version.
• For those using UCM 6.0.3, please upgrade to either UCM 6.0.3.0319-GA-E12 or the latest UCM version.
• For those using UCM 5.6.2, please upgrade to either UCM 5.6.2.6209-GA-E17-U04 or the latest UCM version.
• For those using UCM 5.6.4, please upgrade to either UCM 5.6.4.6406-GA-U02 or the latest UCM version.
• For those using UCM 5.6.8, please upgrade to either UCM 5.6.8.6807-GA-E16-U33 or the latest UCM version.

Note: If you are using a version of UCM 5.6.X (excluding versions 5.6.2, 5.6.4, and 5.6.8, which are available with upgradable patch packages), only USO Chrome Extension Manifest V2 is supported.

F.A.Q.

Q1. How do I install the UCM Chrome Extension for Chromium-based browsers?

The instructions for the installation are as follows:

1. Visit the Google Chrome Web Store. （URL：https://chrome.google.com/webstore）
2. Search for “UCM Chrome Extension” and click “Add to Chrome”.

Q2. How do I configure the Chromium-based Browser Launcher?

The configuration steps are as follows:

Log in to the UCM Console, create the Chromium-based Browser Launcher, and fill in the required fields:

1. Fill in the “*Server Hostname or IP Address” field with the IP address of the target resource.
2. Fill in the “*Launch URL” field with the Launch URL of the target resource, e.g. “/login.php”.
3. Fill in the relevant “*Javascript code” fields. You may refer to the sample code “*Javascript code to login” as an example.

v1=this.document.getElementById(“user_login”);v1.value=userid;

v2=this.document.getElementById(“user_pass”);v2.value=oldpwd;

v3=this.document.getElementById(“submit”);v3.click();

Where “userid” and “oldpwd” should be changed to the “User Id” and “Password” of the corresponding credential.

Notes: To use this launcher, please ensure that the UCM Connector Gateway has been installed on the server side.

The corresponding connector type for this launcher is Web Portal Connector with Chrome.

Q3. What are the implications if I do not plan on updating UCM？

As the USO Chrome Extension is reliant on Manifest V2, its support will be dependent on the date when Google disables the Manifest V2 extensions. Subsequently, the UCM Client will encounter an “offline” issue when the UCM customer attempts to log in to UCM Web Access.

Solution:

You should check if the UCM version that you are currently using has an available patch package. If there is a patch package available, you can proceed to upgrade using that patch. If there is no corresponding patch package available for your current UCM version, you will need to upgrade to the UCM version specified in the “Execution Versions” section.

Background

The USO Chrome Extension [Chrome Extension ID: cfaiemjbjcbagnibmlflmmfccfdmnbek] is used by the SSO Portal and USO Client to achieve Single Sign-On (SSO) for web apps on the Chrome web browser. This USO Chrome Extension, which is published in the Chrome Web Store, uses the Manifest V2 format. Manifest is a file format defined by Google for Chrome Extensions and their metadata. Google announced the move to Manifest V3 (a new Manifest version) several years ago. However, this transition to V3 was delayed several times.

Recently, on 16 Nov 2023, Google gave the final deadline for this transition:
“We will begin disabling Manifest V2 extensions in pre-stable versions of Chrome (Dev, Canary, and Beta) as early as June 2024, in Chrome 127 and later. Users impacted by the rollout will see Manifest V2 extensions automatically disabled in their browser and will no longer be able to install Manifest V2 extensions from the Chrome Web Store.”
Source: https://developer.chrome.com/blog/resuming-the-transition-to-mv3/ (URL accessed on 15 Jan 2024)

Due to this transition, USO customers are advised to upgrade to USO Chrome Extension (Chrome Manifest V3) [Chrome Extension ID: bfffjeneelooklefkmdigdfpnpfnfeac]. This Manifest V3 extension can be found on the Chrome Web Store at the following link: https://chrome.google.com/webstore/detail/uso-chrome-extension-chro/bfffjeneelooklefkmdigdfpnpfnfeac. The earliest version of the USO Client certified to work with this Manifest V3 extension is USO Client 5.6.2.0013-GA-E11.

F.A.Q.

Q1. Can I continue to use the SSO Portal if I do not upgrade?
Our understanding is that if you do not upgrade your Chrome browser version, you can still continue to use the SSO Portal with the current USO Chrome Extension (Manifest V2). However, the Manifest V2 extension will no longer receive new features or bug fixes from i-Sprint.

Q2. What is the difference between USO Chrome Extension Manifest V2 and V3?
New features and bug fixes for the USO Chrome Extension will only be added to the Manifest V3 extension.

Q3. Why can’t i-Sprint provide new features or bug fixes for USO Chrome Extension (Manifest V2)?
To produce the Chrome extension .crx file, i-Sprint would have to upload our compiled source codes to Google for scanning and approval. As Google has stopped accepting uploads using Manifest V2, i-Sprint can no longer provide a new .crx file using Manifest V2.

Q4. Can I still find and install USO Chrome Extension (Manifest V2) in the Chrome web store?
At the time of this notification, it is still available in the Chrome Web Store. However, Google may remove it in the near future (as mentioned in their blog post, which is referenced above in the Background section).

Q5. Can I still install USO Chrome Extension (Manifest V2) using the .crx file provided by i-Sprint?
This depends on the Chrome version used. At the time of this notification, it is still possible to install the Manifest V2 extension using the .crx file provided by i-Sprint. However, in newer versions of Chrome, Google will disable the installation of Manifest V2 extensions.

Q6. Do I need to upgrade the AM server or USO Client to use the new USO Chrome Extension (Manifest V3)?
You do not need to upgrade the AM server to use the new USO Chrome Extension (Manifest V3).
As for the USO Client, you do not need to upgrade it if you are using USO Client versions 5.6.2.0013-GA-E11 and above.

Q7. Why doesn’t i-Sprint upgrade the current USO Chrome Extension from Manifest V2 to V3? Why does i-Sprint release 2 versions?
There are many existing users using the current Manifest V2 extension. In order to minimize changes and the potential impact of such changes, we decided to release 2 versions. However, once our customers complete the transition from Manifest V2 to V3, i-Sprint will eventually remove the older extension.

Summary

You may have noticed that Apache has released latest patch for Log4j2 i.e. version 2.17.0 to tackle the latest Log4j2 vulnerabilities: https://logging.apache.org/log4j/2.x/security.html

Apache Log4j2 open-source libraries are used in AccessMatrix. Only AccessMatrix versions 5.6.5 to 5.7.1 are affected by the Log4j2 vulnerabilities.

i-Sprint recommends our customers using AccessMatrix AM Server and other AM Web Applications (CLP / OAuthProxy / USO Server / USO SSF / UAS TAP) versions 5.6.5 to 5.7.1 to take note of the following information to mitigate the vulnerabilities.

Vulnerability Information

AccessMatrix versions 5.6.5 to 5.7.1, is bundled with Apache Log4j2 2.11.2 or later. These versions are affected by the recent Apache Log4j2 security vulnerabilities. In the bundled Apache Tomcat deployment, the affected versions are by default bundled with Java 8 or above. Apache has provided patches to address the Log4j2 vulnerabilities issue:

• CVE-2021-44228 – AccessMatrix 5.6.5 to 5.7.1 is affected; Apache has released Log4j2 2.15.0 as permanent mitigation, and AccessMatrix 5.6.5 to 5.7.1 supports direct patching of bundled Log4j2 to this Log4j2 2.15.0.
• CVE-2021-45046 – AccessMatrix 5.x is NOT affected by default; AccessMatrix version 5.x logging configuration does not include Context Lookups (like ${ctx:loginId} or $${ctx:loginId}) (note: you may see the content of am5/WEB-INF/classes/amlog4j2.properties for verification); Apache has released Log4j2 2.16.0 as a permanent mitigation and AccessMatrix 5.x supports direct patching of bundled Log4j2 to this Log4j2 2.16.0.
• CVE-2021-45105 – AccessMatrix 5.x is NOT affected by default; AccessMatrix version 5.x logging configuration does not include Context Lookups (like ${ctx:loginId} or $${ctx:loginId}) (note: you may see the content of am5/WEB-INF/classes/amlog4j2.properties for verification); Apache has released Log4j2 2.17.0 as a permanent mitigation and AccessMatrix 5.x supports direct patching of bundled Log4j2 to this Log4j2 2.17.0.

Conclusion:

• For AccessMatrix 5.6.5 to 5.7.1 (and using Java 8 or later), patch directly AccessMatrix bundled Log4j2 to 2.17.0 as direct permanent mitigation to the above-published security vulnerabilities.
• For AccessMatrix 5.6.5 to 5.7.1 (and using Java 7 or earlier), please consult i-Sprint’s global support consultant.
• For AccessMatrix 5.6.4 or earlier, NO action is needed.

Permanent Mitigation

You should first find out the current AccessMatrix version to determine if it is affected by the abovementioned Log4j2 vulnerabilities. To do so, access the AccessMatrix Admin Console and then click on the ‘Help’ -> ‘About’ menu option. You should be able to see the current AM Server version shown on the ‘About AccessMatrix’ dialog box.

Please download the following patched files by clicking on the link:

• Log4j2 v2.17.0

If you are unable to download the patched files from the above link, you may download them from Apache official website at https://www.apache.org/dyn/closer.lua/logging/log4j/2.17.0/apache-log4j-2.17.0-bin.zip

Once downloaded the patched files, please patch the three JARs as described below:

1. For each AM Server service running in high availability (HA) architecture, you should apply the following to each server in turn.
2. Stop AM Server service.
3. Remove the following three files from am5/WEB-INF/lib (for backing up, you must move the three files to another folder outside of the current am5 web app folder):
   • oss-org-apache-log4j-core-2.12.0.jar or log4j-core-2.12.0.jar
   • oss-org-apache-log4j-api-2.12.0.jar or log4j-api-2.12.0.jar
   • oss-org-apache-log4j-1.2-api-2.12.0.jar or log4j-1.2-api-2.12.0.jar

4. Copy the following three files (from the downloaded patched files) to am5/WEB-INF/lib:
   • oss-org-apache-log4j-core-2.17.0.jar
   • oss-org-apache-log4j-api-2.17.0.jar
   • oss-org-apache-log4j-1.2-api-2.17.0.jar

Note: If you have downloaded the patched files from the Apache official website, you will have to rename the above mentioned three files accordingly.

5. If there are web apps other than ‘am5’, replace the JAR files (refer to steps 3 and 4) in each web app’s /WEB-INF/lib folder.
6. If you have applied the JVM parameter ‘-Dlog4j2.noFormatMsgLookup=true’ in earlier patching activity, you may remove such JVM parameter.
7. Start AM Server service.

If you encountered any issue downloading the patched file or any of the mentioned steps, please contact i-Sprint’s support at support@i-sprint.com