USAS-R v8.46.1 Release Notes
- Marc Davis
- Jodi Becher
Date | May 10, 2022Â |
|---|---|
Issues | Getting issues... |
Build Date | May 9, 2022 10:52:28 |
Summary
This release of USAS-R contains a patch as detailed in the release notes below.  Please keep in mind these release notes only reflect the changes included in this release. There are many other features of the software that were previously released that will not be reflected in these release notes. General information about all of the features available in USAS-R can be found in our USAS-R Documentation. There is a section in the documentation that also details the significant changes between USAS-R and Classic USAS.Â
Important Highlights
Bug Fix
Prevent password from being audited in the Password Change event
A bug was discovered in the 8.46.0 release of USAS-R that could allow the writing of a local user's password to a database table as plaintext. This could only happen if the user's password was reset, either by the admin user or from the change password option on the home page, and the password change happened between the release of 8.46.0 (5/6/2022) and 8.46.1 (5/10/2022). The password could be included in an Auditable Events template report that is only accessible by users with the ADMIN_AUDITEVENTS permissions. By default, this includes the Admin user and anyone with the SYSMAN_USER role in USAS-R.Â
The hotfix will remove any of the possible stored passwords from the Auditable Events table and also prevent the password property from being audited in the future.Â
To see if any users have changed their passwords since USAS-R 8.46.0, run the SSDT Auditable Events report with the start date of 5/6/2022 and end date of 5/10/2022. Once the report generates look for User Password Change Event and Admin Password Change Event. It is recommended that any user you find here should have its password reset.Â