What's New in ActivID Appliance v8.7 with Hot Fix FIXS2412001

This version provides the following improvements with respect to the previous version:

Added support for the Thales Luna Network HSM as an external HSM

For details, see Integrating an Thales® Luna Network HSM.

For optimal performance, it is recommended using the latest Thales Luna HSM firmware version available (the minimum supported version is v7.8.7), which is compatible with the Thales Luna HSM Client 10.7.2 embedded within ActivID Appliance 8.7.

Added metrics for CPU usage in the SNMP monitoring data

For details, see Configure SNMP Monitoring.

Software update improvements

Subsequent software updates are prevented if the ActivID Appliance must be rebooted first.

Restart of the ActivID Appliance is forced if explicitly requested by a Hot Fix or Service Pack.

Security updates:

  • Operating system updates

  • Oracle database updates

  • Oracle WebLogic updates

  • Oracle JDK updates

  • Other third-party updates

For details of the updates and fixes, refer to the release notes provided in the hot fix package.

The ActivID Appliance8.7 is a security release providing an installation from scratch using an OVA file delivery.

This OVA can be deployed on VMware® ESXi® 8.0 Update 2 and later.

Environment refresh:

  • Operating system updated to Oracle® Linux 8.10

  • Oracle Grid Infrastructure updated to version 19c

  • Oracle Database updated to version 19c

  • Oracle Golden Gate updated to version 19c

  • Oracle WebLogic® Server updated to version 14c

  • Oracle Java Development Kit (JDK) updated to version 11

ActivID RADIUS Front-End:

To avoid potential attacks due to the CVE-2024-3596 (Blast RADIUS) vulnerability, the ActivID RADIUS Front-End now checks for the presence of the Message-Authenticator attribute in the authentication requests and verifies its value.

If the attribute is not present, or the value is invalid, the response is not returned.

In addition, the ActivID RADIUS Front-End also adds the Message-Authenticator attribute to the response.

Note: For compatibility with insecure clients that do not add the Message-Authenticator attribute, you can deactivate the requirement using the require_message_authenticator setting (see Configure ActivID RADIUS Front End Settings).

However, it is not possible to disable the Message-Authenticator attribute added to the response.

Encryption:

  • ActivID Appliance no longer supports the ssh-rsa algorithm for public keys as it is considered weak