Hotfix - Post Mortem short update - 3.62.1 & 3.63.1
Updated over a week ago

Do note: this article is only available to Hosted & Self-Hosted partners.

We want to give a short update on the Hotfix on 11-7-2023. A more detailed Post Mortem with appropriate measures and chronological summary will follow.

An authorised environment user could perform some actions intended only for authorised environment administrators if the action endpoint URLs were known.

So an attacker needed authorised access to the victim's Workspace 365 environment to make use of this.

We've rolled out a hotfix in 3.62.1 and 3.63.1 which patches this misconfiguration. For Hosted partners, this has already been deployed on 11-07-2023 22:00 CET.
For Self-Hosted partners, we still strongly advise you to deploy this hotfix if you have not already done so.

To be clear, we have not found any signs that this misconfiguration has actually been abused, and we continue to monitor this.
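The flaw described above is a missing authorisation check: an endpoint verifies only that the caller is signed in, so any environment user who knows the URL reaches an administrator-only action. The snippet below is an added illustration, not Workspace 365 code; the endpoint paths, roles and log format are assumptions. It places the flawed check beside the corrected per-endpoint role check, and adds the kind of log scan a defender would run while monitoring for abuse: successful calls to admin-only endpoints by non-admin principals.

```python
"""Added illustration of the class of flaw in the announcement.

An endpoint that only checks *authentication* lets any signed-in
environment user reach admin-only actions once the URL is known.
Authorization must be decided per endpoint from the caller's role.
The second half scans constructed access-log lines for non-admin
principals that successfully hit admin endpoints.

Endpoint names, roles and log format are assumptions for the example,
not the product's actual implementation.
"""
from dataclasses import dataclass
import re

# Hypothetical admin-only action endpoints (assumed names, not real URLs).
ADMIN_ENDPOINTS = {
    "/api/admin/users/delete",
    "/api/admin/provisioning/regenerate-key",
}


@dataclass(frozen=True)
class Principal:
    name: str
    role: str  # "user" or "admin"


def authorize_before_fix(principal, path):
    """Flawed check: any authenticated environment user passes.

    Knowing the URL is enough, which is the misconfiguration the
    hotfix removed.
    """
    return principal is not None


def authorize_after_fix(principal, path):
    """Hardened check: admin-only endpoints require the admin role.

    The decision comes from the principal's role for this endpoint,
    not from whether the URL was discoverable.
    """
    if principal is None:
        return False
    if path in ADMIN_ENDPOINTS:
        return principal.role == "admin"
    return True


# Constructed access-log lines (not real logs).
# Format: user role method path status
SAMPLE_LOG = """\
alice admin POST /api/admin/users/delete 200
bob user GET /api/me 200
bob user POST /api/admin/provisioning/regenerate-key 200
carol user POST /api/admin/users/delete 200
dave admin POST /api/admin/provisioning/regenerate-key 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def find_suspicious_admin_calls(log_text):
    """Return (user, path) pairs where a non-admin principal successfully
    invoked an admin-only endpoint.

    Before the fix these are the events worth investigating; after the
    fix, any hit indicates the patched build is not actually deployed.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        user, role, _method, path, status = m.groups()
        if path in ADMIN_ENDPOINTS and role != "admin" and status.startswith("2"):
            hits.append((user, path))
    return hits


if __name__ == "__main__":
    bob = Principal("bob", "user")
    print(authorize_before_fix(bob, "/api/admin/users/delete"))  # True: the flaw
    print(authorize_after_fix(bob, "/api/admin/users/delete"))   # False
    print(find_suspicious_admin_calls(SAMPLE_LOG))
```

The detection half only works if access logs record the caller's role or can be joined against the directory; if they do not, the same scan can be run on user identity against a list of known administrators.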

As a precaution, we recommend re-generating the Azure AD sync API key or SCIM API key in the environment if you have enabled this functionality. Make sure to update the API key in the synctool or SCIM configuration as well.

Instructions to re-generate key

While the key is being re-generated, there is no connection (i.e. no sync) between your AAD and Workspace. However, all users remain in the workspace and can still log in during this period.

SCIM

  1. Go to the Workspace admin settings page

  2. Go to Users & Groups

  3. Select the User Provisioning page

  4. Check if “Automated user provisioning using SCIM” is selected

  5. Re-generate the key and note it down (tip: store this key somewhere safe)

  6. Go to Azure AD

  7. Go to the support article Azure SCIM client setup and read step 2.12

  8. In Azure AD, replace the Access Token with the key you generated in step 5

  9. Save your configuration

AAD synctool

  1. Go to the Workspace admin settings page

  2. Go to Users & Groups

  3. Select the User Provisioning page

  4. Check if “Azure Active Directory (AD) sync” is selected

  5. Re-generate the key and note it down (tip: store this key somewhere safe)

  6. Replace the API Authentication token with the key you generated in step 5

  7. Save your configuration
