Affected products and versions:

Vault Self-Hosted – All versions

* This Security Bulletin applies only to the listed affected products. If this issue also affects another CyberArk product, it will be addressed separately in accordance with CyberArk’s Product Vulnerability Management Policy.

** Relates only to versions that are within their development life cycle. Please refer to our End of Life policy for details.

Resolution

Upgrade to a patch version from the following table by downloading the patch from the respective link and following the instructions in our online documentation.

If a patch isn’t available for your installed version, or if you want to move to the latest available version, upgrade your component according to the upgrade version compatibility documentation.

Installed Version:

Vault 14.6 and its patches prior to 14.6.2 – Patch version 14.6.2 – https://www.cyberark.com/CA25-33-VaultSH-14.6.2  – docs

Vault 14.2 and its patches prior to 14.2.4 – Patch version 14.2.4 – https://www.cyberark.com/CA25-33-VaultSH-14.2.4 – docs

Vault 14.0 and its patches prior to 14.0.5 – Patch version 14.0.5 – https://www.cyberark.com/CA25-33-VaultSH-14.0.5 – docs

CyberArk recommends enforcing strong password complexity requirements for all system accounts, including both human and non-human users. For detailed settings, please refer to the passparm.ini configuration file.

PAM on Cloud customers: CyberArk will not release AWS AMIs and Azure VM Images. Customers should run the upgrade process on the provided images following deployment.

Temporary mitigation

There is no temporary mitigation available for this security bulletin.

Exploited in the wild in a CyberArk environment

Not to the best of CyberArk’s knowledge.

Technical FAQ

Do I need to upgrade my Disaster Recovery Vault, PAReplicate, and EVD as well?

Disaster Recovery Vault and EVD versions (and patch version) need to be aligned with the Vault’s patch version.

PAReplicate should be the same minor version as the Vault (for example, PAReplicate 14.2 is compatible with Vault 14.2.2).

As CyberArk receives questions related to this Security Bulletin, answers will be added to the Technical FAQ article. To stay informed of updates, open the FAQ article and click Follow to receive notifications when new questions and answers are published.

Affected products and versions:

Central Credential Provider (CCP) – Versions 14.0 and 14.2 – Versions prior to 14.0 are not affected

* This Security Bulletin applies only to the listed affected products. If this issue also affects another CyberArk product, it will be addressed separately in accordance with CyberArk’s Product Vulnerability Management Policy.

** Relates only to versions that are within their development life cycle. Refer to our End of Life policy for details.

Resolution

Upgrade to a patch version from the following table by downloading the patch from the respective link and following the instructions in our online documentation.

If a patch isn’t available for your installed version, or if you want to move to the latest available version, upgrade your component according to the upgrade version compatibility documentation.

Installed Version: 

14.0, 14.2, and their patches prior to 14.2.4 – Patch Version 14.2.4 – https://www.cyberark.com/CA25-32-CCP-14.2.4 – Upgrade the Central Credential Provider(CCP) Note: Ensure that you upgrade the CCP’s Credential Provider (CP).

Temporary mitigation

There is no temporary mitigation available for this security bulletin.

Exploited in the wild in a CyberArk environment

Not to the best of CyberArk’s knowledge.

Technical FAQ

Are Credential Provider (CP) and Application Server Credential Provider (ASCP) also affected by this issue?

Yes. Credential Provider versions 14.0 and 14.2, including all patches prior to version 14.2.4, are affected by this issue. However, due to the limited attack vector, it is scored as medium severity and does not merit a bulletin announcement. The Application Server Credential Provider relies on the Credential Provider and is therefore also impacted by this issue (at medium severity).

A fix is available in Credential Provider version 14.2.4: https://www.cyberark.com/CA25-32- CP-14.2.4.

As CyberArk receives questions related to this Security Bulletin, answers will be added to the Technical FAQ article. To stay informed of updates, open the FAQ article and click Follow to receive notifications when new questions and answers are published.

Affected products and versions:

Secrets Manager – Self-Hosted (formerly Conjur Enterprise) – 13.5.0 – 13.5.2- 13.6.0 – 13.6.2

* This Security Bulletin applies only to the listed affected products. If this issue also affects another CyberArk product, it will be addressed separately in accordance with CyberArk’s Product Vulnerability Management Policy.

** Relates only to versions that are within their development life cycle. Refer to our End of Life policy for details.

Resolution

Upgrade to a patch version from the table below by downloading the patch from the respective link and following the instructions in our online documentation.

If a patch isn’t available for your installed version, or if you want to move to the latest available version, upgrade your component according to the upgrade version compatibility docs.

Installed version: 

Secrets Manager – Self-Hosted (Conjur Enterprise) prior to 13.6.3 – Patch version 13.6.3 – Documentation

Secrets Manager – Self-Hosted (Conjur Enterprise) 13.5 and its patches prior to 13.5.3 – Patch version 13.5.3 – Documentation

Temporary mitigation

There is no temporary mitigation available for this security bulletin.

Exploited in the wild in a CyberArk environment

Not to the best of CyberArk’s knowledge.

Technical FAQ

Are there any pre-upgrading steps that should be carried out before upgrading?

1. Backup your current environment.
2. Verify the minimum requirements for Conjur Enterprise and Vault Synchronizer.
3. Review the deployment workflow to ensure the usage of the relevant commands needed.

As CyberArk receives questions related to this Security Bulletin, answers will be added to the Technical FAQ article. To stay informed of updates, open the FAQ article and click the Follow button to receive notifications when new questions and answers are published.