CVE-2022-22700: CyberArk Identity Release Notes

CyberArk Identity versions up to and including 22.1 expose the response header 'X-CFY-TX-TM' in the 'StartAuthentication' resource. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant.


Release 22.2 (available February 25, 2022) introduces the following changes.

Refer to CyberArk Identity Release Notes - Previous Versions for changes in previous releases.

New features

The following new features are available starting in 22.2.

Feature: Inline Password Generator for change password flow (Workforce Password Management)

Description: The CyberArk Identity Browser Extension is enhanced to automatically detect when the user is on a website's change password screen, autofill the existing password field, and, with a click of the icon (displayed in the image below), generate a strong password inline to fill in the New Password and Confirm Password fields. Upon save, the browser extension captures the updated password and offers to save it in the cloud or self-hosted vault. This feature gives users a seamless experience when changing their business account passwords and avoids potential password-related security vulnerabilities.

Refer to Update passwords with the Password Generator for more information.

Improvements and behavior changes

This release includes the following product improvement.

Improvement: Android CyberArk Identity mobile app support changes (CyberArk Identity mobile apps)

Description: The policy setting to Encrypt internal onboard storage (Endpoint policies > Common settings > mobile settings > common > Encrypt internal onboard storage) is removed. CyberArk removed this policy setting because encrypting internal storage is the default behavior starting with Android 5. Because the policy setting is removed, you cannot enroll Android 4.4.4 and older devices.

Early access features

Early access features are fully supported features made available on a case-by-case basis by request. Early access features might see more frequent updates compared to GA features.

Contact your account representative to enable early access features.

The following table describes features that are currently in an early access state.

Feature: New Authentication Widget Builder (Authentication)

Description: This feature enables you to create a widget and preview it before using it.

Initial release version: 22.1

Feature: Progressive migration of passwords using code plugin (Authentication)

Description: This feature enables you to progressively migrate hashed passwords from their legacy stores to CyberArk Identity by providing an inline legacy authentication hook into the CyberArk Identity authentication process.

Initial release version: 21.12

Feature: Updated design in Application tile (User interface)

Description: The design of the app tiles is updated. A new Shared icon has been introduced in the app tile; you can view it on the bottom right of the tile. All other icons except the New and Error icons are also shown on the bottom right of the tile.

Initial release version: 22.2

Feature: Enhanced interface in Applications (User interface)

Description: This enhancement allows you to customize tabs in Applications based on your requirements. You can perform the following actions in the User Portal:

  • Add tabs
  • Delete tabs
  • Re-order tabs
  • Drag and drop apps from one tab to another tab

A new drop-down has been introduced, which allows you to sort all applications.

Initial release version: 22.2

Feature: Support for push notifications on the Android mobile app for users in China (Android mobile application)

Description: This feature enables users who don't have access to Google services, such as users in China, to explicitly fetch the push notifications and policy updates sent by CyberArk Identity.

Contact your CyberArk account representative to enable this feature if you have users without access to Google services.

Refer to Download the CyberArk Identity mobile app for Android and CyberArk Identity SDK for Android for more information.

Initial release version: 21.11

Feature: Windows and Mac Device Trust (Endpoints)

Description: CyberArk Identity Windows Device Trust and Mac Device Trust prevent untrusted computers from accessing the CyberArk Identity portals or web applications by using authentication certificates as a conditional access mechanism. This adds device trust to identity and access policies.

Windows Device Trust is available for AD-joined devices; users must first be validated using IWA authentication. Windows Device Trust is available in the Admin Portal > Downloads.

CyberArk Identity Mac Device Trust is available for AD-joined and non-AD-joined devices, and is deployed with Jamf Pro.

Additional enhancements include:

  • New certificate-management functionality (Revoke, Issue, Renew, and Lifetime) has been added for Windows Cloud Agent and Windows Device Trust. It is available in the Admin Portal > Settings > Endpoints: select an endpoint, then go to the Certificates tab.
  • Integrations in the Admin Portal > Settings > Endpoints has been renamed to Device Trust.

Refer to CyberArk Identity Mac Device Trust and CyberArk Identity Windows Device Trust for more information.

Initial release version: Mac 21.9, Windows 21.5

New Single Sign-On templates

New Single Sign-On (SSO) application templates are added to the CyberArk Identity Web App Catalog on a regular basis, independent of the product release schedule.

Refer to Recent SSO application templates for a list of recently added templates.

Component versions

Refer to the following table for a list of component versions in the latest release:

  • CyberArk Identity: 22.2.196
  • Windows Cloud Agent: 22.1.289
  • Windows Device Trust: 22.2.196
  • Mac Cloud Agent: 22.2.196
  • Mac Device Trust: 22.2.196
  • Android CyberArk Identity mobile app: 22.2.106
  • iOS CyberArk Identity mobile app: 22.2.105
  • Windows CyberArk Authenticator: 22.2.196
  • Mac CyberArk Authenticator: 22.2.196
  • Browser Extensions: 22.2.3
  • Connector: 22.2.196

Browser support

This version of CyberArk Identity has been tested with the following browsers:

  • Internet Explorer: version 11 on Windows Server 2008, Windows Server 2012, Windows 7, and Windows 8
  • Microsoft Edge: latest version available at release
  • Mozilla Firefox: latest version available at release
  • Google Chrome: latest version available at release
  • Apple Safari: 11

For silent authentication to work correctly, some web browsers need additional configuration (see Configure browsers for silent authentication) or a browser extension (see Manage credentials with Workforce Password Management).

On devices, the CyberArk Identity mobile app opens the web applications in the native browser unless that application requires a browser extension to provide single sign-on. For these applications only, the CyberArk Identity mobile app opens the application in its built-in browser.

CyberArk Identity Browser Extension support

The Browser Extension for Internet Explorer and Safari is deprecated. If your users use those browsers with a previous version of the Browser Extension and you want them to continue to do so, you should restrict updates to the Browser Extension.

Users restricted to old versions of the Browser Extension will not benefit from updates and new features. Refer to Restrict CyberArk Identity Browser Extension updates for more information.

Computers must meet the following requirements to install the Browser Extension.

  • Microsoft .NET Framework 4.6.2 or later
  • Microsoft Installer 3.1 or later

In addition, browser support for the Browser Extension features is indicated in the following table.

Columns: Chrome (latest available at release), Firefox (latest available at release), Edge

  • Form filling: Chrome Yes; Firefox Yes; Edge Yes
  • App capture: Chrome Not supported; Firefox Yes; Edge Not supported
  • Land and Catch: Chrome Yes; Firefox Yes; Edge Yes
  • App Launch: Chrome Yes; Firefox Yes; Edge Yes

Device support

If you are using CyberArk Identity for mobile device management and authentication, it supports enrolling the following devices and computers using the cloud agents.

The purpose of the cloud agent is to enforce authentication profiles; it is only active during authentication. Unlike Anti-Virus and Endpoint Detection and Response agents, the CyberArk cloud agents do not listen to system events or otherwise consume endpoint resources after the user logs in.

  • Windows: 10, Server 2016, Server 2019 (Desktop Experience is required for Windows servers)
  • macOS: 10.13, 10.14, 10.15, 11, 12
  • iOS: 11.x and later
  • iPadOS: 13.x and later
  • watchOS: 5.x and later
  • Android: 8.x and later

Language support

Foreign language support is provided for the following components:

  • CyberArk Identity User Portal help (Japanese only)
  • User Portal text strings
  • Admin Portal text strings

Not all of the languages listed below are available for the Admin Portal text strings.

Administrators can select the language in which the User Portal texts and CyberArk Identity system messages are displayed. The default setting, (–), is equivalent to not setting a language; in this case, the user's browser language selection is used. However, if users configure their own language selection, that language takes precedence. For example, if you set the language to French in the Admin Portal and a user sets the language to Vietnamese in the User Portal, then Vietnamese is used for that user. Users can specify their language selection in User Portal > Account > Personal Profile > Language drop-down list.

To configure the language option in the Admin Portal

  1. Log in to the Admin Portal.
  2. Click Access > Policies > Select the relevant policy.
  3. Click User Security Policies > User Account Settings.
  4. Select the default language in the Default Language drop-down list.
  5. Click Save.

In this release, translations are provided for the following languages:

  • Arabic
  • Brazilian Portuguese
  • Chinese—Simplified and Traditional
  • Dutch
  • French
  • German
  • Italian
  • Japanese
  • Korean
  • Portuguese
  • Russian
  • Serbian
  • Spanish
  • Swedish
  • Thai
  • Vietnamese

Additional languages are being added over time—see the Release Notes for the most recent additions.

Known issues

General platform

Issue: When users click Reload Rights in the CyberArk Identity User Portal, they receive the error "You are not authorized to perform this operation. Please contact your IT helpdesk."

Workaround: Users can ignore this error. It is an error in the UI only; Administrative Rights reload as expected. The UI issue will be addressed in an upcoming hotfix.

Issue: When you create a Role and add members before saving the Role, the members are not saved.

Workaround: Create and save the Role, then add members to the Role and save it again.

Windows Cloud Agent

Issue: With RDP (v 6.0+), a user cannot RDP to the endpoint/server running the Windows Cloud Agent using a CyberArk Cloud Directory user. This is because the network credential validation is done on the client side first, before the remote desktop connection is established.

Refer to https://docs.microsoft.com/en-au/troubleshoot/windows-server/remote/remote-desktop-connection-6-prompts-credentials for details.

Mac Cloud Agent

Issue: The Mac Cloud Agent installer shows the Gatekeeper warning the first time it is installed on a device.

Workaround:

  1. Go to System Preferences > Security & Privacy > General, then click Open Anyway.
  2. Click Open on the warning screen that appears.

After making these changes, the Gatekeeper warning will not display again for the Mac Cloud Agent on that device for the logged-in user.

Issue: The MFA login screen shows "Phone Call" more than once if the user has multiple phone numbers configured.

Workaround: None

Issue: The Mac Cloud Agent cannot be updated from the UI.

Workaround: Go to the User Portal or the Admin Portal to download the latest agent. Reopen the Mac Cloud Agent and note that the agent is updated to the latest version.

Issue: Self-service account unlock is not currently supported.

Workaround: None

Issue: Users may not be able to see the device location.

Workaround: Go to the user policy Endpoint Policies > Common Settings > Mobile Settings > Restriction Settings, then under Report mobile device location select Force for Permit administrator to see device location. Then unenroll the user and enroll again.

Issue: Mac login MFA options show FIDO2 and RADIUS if they were configured in the authentication profile; however, these MFA challenges are currently not supported.

Workaround: Always make sure the authentication challenges configured in the authentication profile are available to your users and configured for each user.

Issue: The local account can get out of sync with the matching account in the directory source after a password change, resulting in a denied login.

Workaround: Log in to a local admin account and set the local password of the impacted user to the same password as in the directory source, through System Preferences > Users or through the dscl command line.

Issue: When creating an authentication profile for Mac MFA, password must be the first factor (Challenge 1).

Workaround: None

Issue: A user might get removed from the FileVault boot screen if they changed their password without entering their previous password in the Keychain Sync dialog on macOS 10.14.3+ devices.

Workaround: To avoid this issue, users should log out after changing their password in the User Portal. When they log back in, they should click Yes at the Keychain Sync prompt and enter their previous password to sync their keychain and FileVault password.

Issue: Apple Watch unlock is not compatible with the MFA lock screen policy.

Workaround: Disable the MFA lock screen policy for Apple Watch users in the Admin Portal.

Issue: The CyberArk Menu Item is not removed from the UI after unenrolling until the next login or restart.

Issue: You might receive a certificate error during munkiimport after tenant migration.

Workaround: Re-enroll the Mac.

Issue: The Apple Device Enrollment Program (DEP) needs to be configured explicitly to work with the 19.6 Mac Cloud Agent. Contact support if you plan to use DEP.

Workaround: None

Mobile applications

Issue: If the iPhone app (or the push authenticator) is locked using biometrics or a PIN, then Apple Watch approval shows an error message.

Workaround: None

Issue: Users can sign in to the Apple Watch only after the first notification is delivered to the watch.

Workaround: None
