Software Maintenance and Support Services
i-Sprint’s Global Software Maintenance and Support Services (“GSS”) defines the scope of maintenance and support services (“Maintenance Services”) agreed between i-Sprint Innovations Pte Ltd or its group of companies (“i-Sprint”) and Customer for i-Sprint’s software product and solution offerings, namely, ‘AccessMatrix’, ‘AccessReal’, and ‘YESsafe’.
The GSS and i-Sprint’s end-user software license agreement (“EULA”) both form an integral part of the applicable agreements between i-Sprint and Customer.
Technical support may no longer be offered for non-shipping versions of any of i-Sprint’s software products. i-Sprint reserves the right to revise the product support policy, at any time, without prior notice.
This page consists of the following tabs
- General Announcement – contains the latest update on product and security related information
- Services & Legal/ Support Documents – contains the service, legal and support documents
Background
The USO Chrome Extension [Chrome Extension ID: cfaiemjbjcbagnibmlflmmfccfdmnb
Recently, on 16 Nov 2023, Google gave the final deadline for this transition:
“We will begin disabling Manifest V2 extensions in pre-stable versions of Chrome (Dev, Canary, and Beta) as early as June 2024, in Chrome 127 and later. Users impacted by the rollout will see Manifest V2 extensions automatically disabled in their browser and will no longer be able to install Manifest V2 extensions from the Chrome Web Store.”
Source: https://developer.
Due to this transition, USO customers are advised to upgrade to USO Chrome Extension (Chrome Manifest V3) [Chrome Extension ID: bfffjeneelooklefkmdigdfpnpfnfe
F.A.Q.
Q1. Can I continue to use the SSO Portal if I do not upgrade?
Our understanding is that if you do not upgrade your Chrome browser version, you can still continue to use the SSO Portal with the current USO Chrome Extension (Manifest V2). However, the Manifest V2 extension will no longer receive new features or bug fixes from i-Sprint.
Q2. What is the difference between USO Chrome Extension Manifest V2 and V3?
New features and bug fixes for the USO Chrome Extension will only be added to the Manifest V3 extension.
Q3. Why can’t i-Sprint provide new features or bug fixes for USO Chrome Extension (Manifest V2)?
To produce the Chrome extension .crx file, i-Sprint would have to upload our compiled source codes to Google for scanning and approval. As Google has stopped accepting uploads using Manifest V2, i-Sprint can no longer provide a new .crx file using Manifest V2.
Q4. Can I still find and install USO Chrome Extension (Manifest V2) in the Chrome web store?
At the time of this notification, it is still available in the Chrome Web Store. However, Google may remove it in the near future (as mentioned in their blog post, which is referenced above in the Background section).
Q5. Can I still install USO Chrome Extension (Manifest V2) using the .crx file provided by i-Sprint?
This depends on the Chrome version used. At the time of this notification, it is still possible to install the Manifest V2 extension using the .crx file provided by i-Sprint. However, in newer versions of Chrome, Google will disable the installation of Manifest V2 extensions.
Q6. Do I need to upgrade the AM server or USO Client to use the new USO Chrome Extension (Manifest V3)?
You do not need to upgrade the AM server to use the new USO Chrome Extension (Manifest V3).
As for the USO Client, you do not need to upgrade it if you are using USO Client versions 5.6.2.0013-GA-E11 and above.
Q7. Why doesn’t i-Sprint upgrade the current USO Chrome Extension from Manifest V2 to V3? Why does i-Sprint release 2 versions?
There are many existing users using the current Manifest V2 extension. In order to minimize changes and the potential impact of such changes, we decided to release 2 versions. However, once our customers complete the transition from Manifest V2 to V3, i-Sprint will eventually remove the older extension.
Summary
You may have noticed that Apache has released the latest patch for Log4j2, version 2.17.0, to address the latest Log4j2 vulnerabilities: https://logging.apache.org/log4j/2.x/security.html
Apache Log4j2 open-source libraries are used in AccessMatrix. Only AccessMatrix versions 5.6.5 to 5.7.1 are affected by the Log4j2 vulnerabilities.
i-Sprint recommends that customers using AccessMatrix AM Server and other AM Web Applications (CLP / OAuthProxy / USO Server / USO SSF / UAS TAP) versions 5.6.5 to 5.7.1 take note of the following information to mitigate the vulnerabilities.
Vulnerability Information
AccessMatrix versions 5.6.5 to 5.7.1 are bundled with Apache Log4j2 2.11.2 or later. These versions are affected by the recent Apache Log4j2 security vulnerabilities. In the bundled Apache Tomcat deployment, the affected versions are by default bundled with Java 8 or above. Apache has provided patches to address the Log4j2 vulnerabilities:
- CVE-2021-44228 – AccessMatrix 5.6.5 to 5.7.1 is affected. Apache has released Log4j2 2.15.0 as a permanent mitigation, and AccessMatrix 5.6.5 to 5.7.1 supports direct patching of the bundled Log4j2 to Log4j2 2.15.0.
- CVE-2021-45046 – AccessMatrix 5.x is NOT affected by default: the AccessMatrix 5.x logging configuration does not include Context Lookups (like ${ctx:loginId} or $${ctx:loginId}); to verify, see the content of am5/WEB-INF/classes/amlog4j2.properties. Apache has released Log4j2 2.16.0 as a permanent mitigation, and AccessMatrix 5.x supports direct patching of the bundled Log4j2 to Log4j2 2.16.0.
- CVE-2021-45105 – AccessMatrix 5.x is NOT affected by default: the AccessMatrix 5.x logging configuration does not include Context Lookups (like ${ctx:loginId} or $${ctx:loginId}); to verify, see the content of am5/WEB-INF/classes/amlog4j2.properties. Apache has released Log4j2 2.17.0 as a permanent mitigation, and AccessMatrix 5.x supports direct patching of the bundled Log4j2 to Log4j2 2.17.0.
Conclusion:
- For AccessMatrix 5.6.5 to 5.7.1 (and using Java 8 or later), patch the AccessMatrix bundled Log4j2 directly to 2.17.0 as a permanent mitigation for the security vulnerabilities listed above.
- For AccessMatrix 5.6.5 to 5.7.1 (and using Java 7 or earlier), please consult i-Sprint’s global support consultant.
- For AccessMatrix 5.6.4 or earlier, NO action is needed.
Permanent Mitigation
You should first find out the current AccessMatrix version to determine if it is affected by the abovementioned Log4j2 vulnerabilities. To do so, access the AccessMatrix Admin Console and then click on the ‘Help’ -> ‘About’ menu option. You should be able to see the current AM Server version shown on the ‘About AccessMatrix’ dialog box.
Please download the following patched files by clicking on the link:
If you are unable to download the patched files from the above link, you may download them from the official Apache website at https://www.apache.org/dyn/closer.lua/logging/log4j/2.17.0/apache-log4j-2.17.0-bin.zip
Once you have downloaded the patched files, please patch the three JARs as described below:
1. For each AM Server service running in high availability (HA) architecture, you should apply the following to each server in turn.
2. Stop AM Server service.
3. Remove the following three files from am5/WEB-INF/lib (for backing up, you must move the three files to another folder outside of the current am5 web app folder):
   - oss-org-apache-log4j-core-2.12.0.jar or log4j-core-2.12.0.jar
   - oss-org-apache-log4j-api-2.12.0.jar or log4j-api-2.12.0.jar
   - oss-org-apache-log4j-1.2-api-2.12.0.jar or log4j-1.2-api-2.12.0.jar
4. Copy the following three files (from the downloaded patched files) to am5/WEB-INF/lib:
   - oss-org-apache-log4j-core-2.17.0.jar
   - oss-org-apache-log4j-api-2.17.0.jar
   - oss-org-apache-log4j-1.2-api-2.17.0.jar
   Note: If you have downloaded the patched files from the Apache official website, you will have to rename the above mentioned three files accordingly.
5. If there are web apps other than ‘am5’, replace the JAR files (refer to steps 3 and 4) in each web app’s /WEB-INF/lib folder.
6. If you have applied the JVM parameter ‘-Dlog4j2.noFormatMsgLookup=true’ in earlier patching activity, you may remove such JVM parameter.
7. Start AM Server service.
If you encounter any issues downloading the patched files or with any of the steps above, please contact i-Sprint’s support at support@i-sprint.com
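A post-patch check for the procedure above, as an added example (not i-Sprint's tooling): it walks every web app folder under a root directory, reports Log4j2 jars that are not 2.17.0 anywhere inside the web app folder (including backups left in place), reports missing 2.17.0 jars, and flags Context Lookups in the logging configuration, which is the condition the advisory ties to CVE-2021-45046 and CVE-2021-45105. The function names, the `*log4j2*.properties` glob for web apps other than am5, and the sample tree are assumptions made for this example.

```python
import re
import sys
import tempfile
from pathlib import Path

FIXED = "2.17.0"  # target version named in the advisory
COMPONENTS = ("core", "api", "1.2-api")
# Both naming schemes from the advisory: oss-org-apache-log4j-core-X.jar and log4j-core-X.jar
JAR_RE = re.compile(r"^(?:oss-org-apache-)?log4j-(core|api|1\.2-api)-(\d+(?:\.\d+)+)\.jar$")
CTX_RE = re.compile(r"\$\{ctx:")  # also matches the escaped form $${ctx:...}

def audit_webapp(webapp: Path) -> list[str]:
    """Findings for one web app folder such as am5; an empty list means clean."""
    lib = webapp / "WEB-INF" / "lib"  # rglob below covers the whole web app folder
    hits = [(p, m) for p in sorted(webapp.rglob("*.jar")) if (m := JAR_RE.match(p.name))]
    findings = [f"{webapp.name}: stale {p.relative_to(webapp).as_posix()}"
                for p, m in hits if m.group(2) != FIXED]
    patched = {m.group(1) for p, m in hits if m.group(2) == FIXED and p.parent == lib}
    if hits:  # only web apps that ship Log4j2 need the three patched jars
        findings += [f"{webapp.name}: missing log4j-{c}-{FIXED}" for c in COMPONENTS if c not in patched]
    for props in sorted((webapp / "WEB-INF" / "classes").glob("*log4j2*.properties")):
        for n, line in enumerate(props.read_text(errors="replace").splitlines(), 1):
            if CTX_RE.search(line) and not line.lstrip().startswith("#"):
                findings.append(f"{webapp.name}: Context Lookup at {props.name}:{n}")
    return findings

def audit_all(webapps_root: Path) -> list[str]:
    """Audit every folder under webapps_root that contains WEB-INF/lib."""
    return [f for lib in sorted(webapps_root.glob("*/WEB-INF/lib"))
            for f in audit_webapp(lib.parent.parent)]

def build_sample(root: Path) -> Path:
    """Constructed sample: am5 keeps the old core jar; clp is patched but logs ${ctx:loginId}."""
    new = "oss-org-apache-log4j-%s-2.17.0.jar"
    apps = {"am5": ["log4j-core-2.12.0.jar", new % "api", new % "1.2-api"],
            "clp": [new % c for c in COMPONENTS]}
    for app, jars in apps.items():
        (root / app / "WEB-INF" / "classes").mkdir(parents=True)
        (root / app / "WEB-INF" / "lib").mkdir()
        for name in jars:
            (root / app / "WEB-INF" / "lib" / name).touch()
    (root / "clp/WEB-INF/classes/amlog4j2.properties").write_text("p = %d ${ctx:loginId} %m%n\n")
    return root

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample(Path(tempfile.mkdtemp()))
    results = audit_all(root)
    print("\n".join(results) or f"every web app carries Log4j2 {FIXED}")
    sys.exit(1 if results else 0)
```

Run it with the directory that holds the web app folders as the only argument; with no argument it audits the constructed sample tree.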
- i-Sprint’s Global Software Maintenance and Support Services (GSS)
- i-Sprint’s Software End-User License Agreement (EULA)
- AccessMatrix Server Licence Request Form :PDF/WORD
- AccessReal Licence/UAID Request Form :PDF/WORD
Disclaimer
Website Contents
The information contained on this website, including without limitation, “Product Release & Support” and any reference data (“Contents”), should not be interpreted as legally binding commitments, but rather as flexible information subject to change from time to time. The Contents are for information purposes only. I-SPRINT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, BY POSTING THE CONTENTS ON THIS WEBSITE.
Addition, Modification, and Deletion
i-Sprint may add, modify or delete any of the information on this website from time to time without providing any notice. Please check out i-Sprint online information periodically to keep informed of any updates.
The information on this page is subject to the Disclaimer.