Software Maintenance and Support Services
i-Sprint’s Global Software Maintenance and Support Services (“GSS”) defines the scope of maintenance and support services (“Maintenance Services”) agreed between i-Sprint Innovations Pte Ltd or its group of companies (“i-Sprint”) and Customer for i-Sprint’s software product and solution offerings, namely, ‘AccessMatrix’, ‘AccessReal’, and ‘YESsafe’.
The GSS and i-Sprint’s end-user software license agreement (“EULA”) both form an integral part of the applicable agreements between i-Sprint and Customer.
Technical support may no longer be offered for non-shipping versions of any of i-Sprint’s software products. i-Sprint reserves the right to revise the product support policy, at any time, without prior notice.
This page consists of the following tabs:
- General Announcement – contains the latest update on product and security related information
- Services & Legal / Support Documents – contains the service, legal and support documents
Background
Before the release of UCM 6.0.3, users were required to install the USO Chrome Extension in their Chromium-based browsers to use the single sign-on feature from UCM Web Access.
Currently, UCM customers are using the USO Chrome Extension (Manifest V2).
Note: For users who have installed the USO Chrome Extension (Manifest V2) in their browsers, please note that Google has announced that it will gradually disable Manifest V2 extensions moving forward.
In light of the above, the UCM Client needs to be upgraded to remove its reliance on the USO Chrome Extension (Manifest V2). All required functionalities will still be available using the UCM Chrome Extension (Manifest V3). Users are thus advised to upgrade accordingly.
UCM Chrome Extension (Manifest V3) Features:
- Allows interaction with UCM Client when using UCM Web Access from a Chromium-based Browser.
- Allows single sign-on from a Chromium-based Browser Launcher.
Solution
Since UCM 6.0.3, the USO Chrome Extension will no longer be used for UCM. To simplify the deployment on the client side, only the UCM Chrome Extension (Manifest V3) will be used.
Execution Versions:
- UCM 6.0.5.0520-GA
- UCM 6.0.4.0416-GA-E03
- UCM 6.0.3.0319-GA-E12
Suggested Upgrades for Existing Users:
- For those using UCM 6.0.4, please upgrade to either UCM 6.0.4.0416-GA-E03 or the latest UCM version.
- For those using UCM 6.0.3, please upgrade to either UCM 6.0.3.0319-GA-E12 or the latest UCM version.
- For those using UCM 5.6.2, please upgrade to either UCM 5.6.2.6209-GA-E17-U04 or the latest UCM version.
- For those using UCM 5.6.4, please upgrade to either UCM 5.6.4.6406-GA-U02 or the latest UCM version.
- For those using UCM 5.6.8, please upgrade to either UCM 5.6.8.6807-GA-E16-U33 or the latest UCM version.
Note: If you are using a version of UCM 5.6.X (excluding versions 5.6.2, 5.6.4, and 5.6.8, which are available with upgradable patch packages), only USO Chrome Extension Manifest V2 is supported.
F.A.Q.
Q1. How do I install the UCM Chrome Extension for Chromium-based browsers?
The instructions for the installation are as follows:
- Visit the Google Chrome Web Store (URL: https://chrome.google.com/webstore).
- Search for “UCM Chrome Extension” and click “Add to Chrome”.
Q2. How do I configure the Chromium-based Browser Launcher?
The configuration steps are as follows:
Log in to the UCM Console, create the Chromium-based Browser Launcher, and fill in the required fields:
- Fill in the “*Server Hostname or IP Address” field with the IP address of the target resource.
- Fill in the “*Launch URL” field with the Launch URL of the target resource, e.g. “/login.php”.
- Fill in the relevant “*Javascript code” fields. You may refer to the sample code “*Javascript code to login” as an example.
// Sample "Javascript code to login": fill in the username and password fields, then submit the form.
v1=this.document.getElementById("user_login");v1.value=userid;
v2=this.document.getElementById("user_pass");v2.value=oldpwd;
v3=this.document.getElementById("submit");v3.click();
Where “userid” and “oldpwd” should be changed to the “User Id” and “Password” of the corresponding credential.
Note: To use this launcher, please ensure that the UCM Connector Gateway has been installed on the server side. The corresponding connector type for this launcher is Web Portal Connector with Chrome.
Q3. What are the implications if I do not plan on updating UCM?
Because the USO Chrome Extension relies on Manifest V2, it will only remain supported until the date when Google disables Manifest V2 extensions. After that, the UCM Client will show an “offline” issue when a UCM user attempts to log in to UCM Web Access.
Solution:
You should check if the UCM version that you are currently using has an available patch package. If there is a patch package available, you can proceed to upgrade using that patch. If there is no corresponding patch package available for your current UCM version, you will need to upgrade to the UCM version specified in the “Execution Versions” section.
Summary
You may have noticed that Apache has released the latest patch for Log4j2, version 2.17.0, to address the latest Log4j2 vulnerabilities: https://logging.apache.org/log4j/2.x/security.html
Apache Log4j2 open-source libraries are used in AccessMatrix. Only AccessMatrix versions 5.6.5 to 5.7.1 are affected by the Log4j2 vulnerabilities.
i-Sprint recommends that customers running AccessMatrix AM Server and other AM Web Applications (CLP / OAuthProxy / USO Server / USO SSF / UAS TAP) versions 5.6.5 to 5.7.1 take note of the following information to mitigate the vulnerabilities.
Vulnerability Information
AccessMatrix versions 5.6.5 to 5.7.1 are bundled with Apache Log4j2 2.11.2 or later, and these versions are affected by the recent Apache Log4j2 security vulnerabilities. In the bundled Apache Tomcat deployment, the affected versions ship with Java 8 or above by default. Apache has provided patches to address the Log4j2 vulnerabilities:
- CVE-2021-44228 – AccessMatrix 5.6.5 to 5.7.1 is affected. Apache has released Log4j2 2.15.0 as the permanent mitigation, and AccessMatrix 5.6.5 to 5.7.1 supports direct patching of the bundled Log4j2 to 2.15.0.
- CVE-2021-45046 – AccessMatrix 5.x is NOT affected by default, because the AccessMatrix 5.x logging configuration does not include Context Lookups (such as ${ctx:loginId} or $${ctx:loginId}); you may check the content of am5/WEB-INF/classes/amlog4j2.properties to verify this. Apache has released Log4j2 2.16.0 as the permanent mitigation, and AccessMatrix 5.x supports direct patching of the bundled Log4j2 to 2.16.0.
- CVE-2021-45105 – AccessMatrix 5.x is NOT affected by default, because the AccessMatrix 5.x logging configuration does not include Context Lookups (such as ${ctx:loginId} or $${ctx:loginId}); you may check the content of am5/WEB-INF/classes/amlog4j2.properties to verify this. Apache has released Log4j2 2.17.0 as the permanent mitigation, and AccessMatrix 5.x supports direct patching of the bundled Log4j2 to 2.17.0.
Conclusion:
- For AccessMatrix 5.6.5 to 5.7.1 (using Java 8 or later), patch the AccessMatrix-bundled Log4j2 directly to 2.17.0 as the permanent mitigation for the above-published security vulnerabilities.
- For AccessMatrix 5.6.5 to 5.7.1 (and using Java 7 or earlier), please consult i-Sprint’s global support consultant.
- For AccessMatrix 5.6.4 or earlier, NO action is needed.
Permanent Mitigation
You should first find out the current AccessMatrix version to determine if it is affected by the abovementioned Log4j2 vulnerabilities. To do so, access the AccessMatrix Admin Console and then click on the ‘Help’ -> ‘About’ menu option. You should be able to see the current AM Server version shown on the ‘About AccessMatrix’ dialog box.
Please download the following patched files by clicking on the link:
If you are unable to download the patched files from the above link, you may download them from Apache official website at https://www.apache.org/dyn/closer.lua/logging/log4j/2.17.0/apache-log4j-2.17.0-bin.zip
Once you have downloaded the patched files, patch the three JARs as described below:
1. For each AM Server service running in a high availability (HA) architecture, apply the following steps to each server in turn.
2. Stop the AM Server service.
3. Remove the following three files from am5/WEB-INF/lib (to back them up, move the three files to another folder outside of the current am5 web app folder):
- oss-org-apache-log4j-core-2.12.0.jar or log4j-core-2.12.0.jar
- oss-org-apache-log4j-api-2.12.0.jar or log4j-api-2.12.0.jar
- oss-org-apache-log4j-1.2-api-2.12.0.jar or log4j-1.2-api-2.12.0.jar
4. Copy the following three files (from the downloaded patched files) to am5/WEB-INF/lib:
- oss-org-apache-log4j-core-2.17.0.jar
- oss-org-apache-log4j-api-2.17.0.jar
- oss-org-apache-log4j-1.2-api-2.17.0.jar
Note: If you downloaded the patched files from the Apache official website, you will have to rename the above-mentioned three files accordingly.
5. If there are web apps other than ‘am5’, replace the JAR files (refer to steps 3 and 4) in each web app’s /WEB-INF/lib folder.
6. If you applied the JVM parameter ‘-Dlog4j2.noFormatMsgLookup=true’ in an earlier patching activity, you may now remove that JVM parameter.
7. Start the AM Server service.
If you encounter any issue downloading the patched files or performing any of the steps above, please contact i-Sprint’s support at support@i-sprint.com
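As an added verification aid (not part of i-Sprint's advisory or tooling), the following Python script checks the three things the advisory asks an administrator to confirm: whether the AM Server version falls in the affected 5.6.5 to 5.7.1 range, whether the Log4j2 JARs in WEB-INF/lib are still older than 2.17.0 (both naming styles listed above), and whether the logging configuration contains any ${ctx:...} or $${ctx:...} Context Lookup. The sample JAR listing and config fragment are constructed for illustration; the function names are assumptions, not i-Sprint APIs.

```python
import re

# Both naming styles of the bundled Log4j2 JARs listed in the advisory (am5/WEB-INF/lib).
JAR_RE = re.compile(r"^(?:oss-org-apache-)?log4j-(core|api|1\.2-api)-(\d+(?:\.\d+)*)\.jar$")
# Context Lookup patterns (${ctx:...} / $${ctx:...}) relevant to CVE-2021-45046 / CVE-2021-45105.
CTX_LOOKUP_RE = re.compile(r"\$\$?\{ctx:")
FIXED_VERSION = (2, 17, 0)               # Log4j2 release the advisory patches to
AFFECTED_RANGE = ((5, 6, 5), (5, 7, 1))  # AccessMatrix versions bundling a vulnerable Log4j2

def parse_version(version):
    """'5.7.1.0305' -> (5, 7, 1, 305); tuples compare correctly component by component."""
    return tuple(int(part) for part in version.split("."))

def log4j_jars_needing_patch(lib_filenames):
    """Map artifact ('core', 'api', '1.2-api') -> version for each Log4j2 JAR older than 2.17.0."""
    stale = {}
    for name in lib_filenames:
        match = JAR_RE.match(name)
        if match and parse_version(match.group(2)) < FIXED_VERSION:
            stale[match.group(1)] = match.group(2)
    return stale

def context_lookup_lines(config_text):
    """Return (line_number, line) for each config line that uses a Context Lookup."""
    return [(number, line) for number, line in enumerate(config_text.splitlines(), 1)
            if CTX_LOOKUP_RE.search(line)]

def assess(am_version, lib_filenames, config_text):
    """Combine the advisory's three checks into one verdict for a single web app."""
    in_range = AFFECTED_RANGE[0] <= parse_version(am_version)[:3] <= AFFECTED_RANGE[1]
    stale = log4j_jars_needing_patch(lib_filenames) if in_range else {}
    return {
        "version_in_affected_range": in_range,
        "jars_to_replace": stale,                               # swap these for the 2.17.0 JARs
        "context_lookups": context_lookup_lines(config_text),   # expected to be empty on AM 5.x
        "action": "patch Log4j2 to 2.17.0" if stale else "no action",
    }

# Constructed sample: an AM 5.7.1 server still shipping the 2.12.0 JARs, plus a config fragment
# in the style of amlog4j2.properties with one constructed ${ctx:...} lookup on line 2.
SAMPLE_LIB = ["oss-org-apache-log4j-core-2.12.0.jar", "oss-org-apache-log4j-api-2.12.0.jar",
              "oss-org-apache-log4j-1.2-api-2.12.0.jar", "some-other-lib-1.0.jar"]
SAMPLE_CONFIG = ("appender.file.layout.pattern = %d{ISO8601} %-5p %m%n\n"
                 "appender.audit.layout.pattern = %d ${ctx:loginId} %m%n\n")

if __name__ == "__main__":
    print(assess("5.7.1.0305", SAMPLE_LIB, SAMPLE_CONFIG))
```

On a real server, pass os.listdir("am5/WEB-INF/lib") and the contents of am5/WEB-INF/classes/amlog4j2.properties, and repeat for every other web app's WEB-INF/lib as step 5 requires.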
- i-Sprint’s Global Software Maintenance and Support Services (GSS)
- i-Sprint’s Software End-User License Agreement (EULA)
- AccessMatrix Server Licence Request Form: PDF / WORD
- AccessReal Licence/UAID Request Form: PDF / WORD
Disclaimer
Website Contents
The information contained on this website, including without limitation, “Product Release & Support” and any reference data (“Contents”), should not be interpreted as legally binding commitments, but rather as flexible information subject to change from time to time. The Contents are for information purposes only. I-SPRINT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, BY POSTING THE CONTENTS ON THIS WEBSITE.
Addition, Modification, and Deletion
i-Sprint may add, modify or delete any of the information on this website from time to time without providing any notice. Please check out i-Sprint online information periodically to keep informed of any updates.
The information on this page is subject to the Disclaimer.
Last modified: 18/Jan/2023