<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Okta Trust]]></title><description><![CDATA[Okta Trust]]></description><link>https://trust.okta.com</link><generator>GatsbyJS</generator><lastBuildDate>Thu, 21 Nov 2024 18:56:50 GMT</lastBuildDate><item><title><![CDATA[Okta AD/LDAP Delegated Authentication - Username Above 52 Characters Security Advisory]]></title><description><![CDATA[A vulnerability was internally identified in generating the cache key for AD/LDAP DelAuth.]]></description><link>https://trust.okta.com/security-advisories/okta-ad-ldap-delegated-authentication-username</link><guid isPermaLink="false">https://trust.okta.com/security-advisories/okta-ad-ldap-delegated-authentication-username</guid><pubDate>Fri, 01 Nov 2024 00:00:00 GMT</pubDate></item><item><title><![CDATA[Okta Verify Desktop MFA for Windows Passwordless Login CVE-2024-9191]]></title><description><![CDATA[A vulnerability was identified in Okta Verify for Windows, allowing retrieval of passwords associated with Desktop MFA passwordless logins in a compromised device.]]></description><link>https://trust.okta.com/security-advisories/okta-verify-desktop-mfa-for-windows-passwordless-login-cve-2024-9191</link><guid isPermaLink="false">https://trust.okta.com/security-advisories/okta-verify-desktop-mfa-for-windows-passwordless-login-cve-2024-9191</guid><pubDate>Fri, 01 Nov 2024 00:00:00 GMT</pubDate></item><item><title><![CDATA[Okta Verify for iOS ContextExtension CVE-2024-10327]]></title><description><![CDATA[A vulnerability in Okta Verify for iOS versions 9.25.1 (beta) and 9.27.0 (including beta) allows push notification responses through the iOS ContextExtension feature to bypass proper authentication validation. 
]]></description><link>https://trust.okta.com/security-advisories/okta-verify-for-ios-cve-2024-10327</link><guid isPermaLink="false">https://trust.okta.com/security-advisories/okta-verify-for-ios-cve-2024-10327</guid><pubDate>Thu, 24 Oct 2024 00:00:00 GMT</pubDate></item><item><title><![CDATA[Okta Classic Application Sign-On Policy Bypass]]></title><description><![CDATA[A vulnerability was identified in specific Okta configurations whereby an attacker with valid credentials could bypass configured conditions within application-specific sign-on policies.]]></description><link>https://trust.okta.com/security-advisories/okta-classic-application-sign-on-policy-bypass-2024</link><guid isPermaLink="false">https://trust.okta.com/security-advisories/okta-classic-application-sign-on-policy-bypass-2024</guid><pubDate>Fri, 04 Oct 2024 00:00:00 GMT</pubDate></item><item><title><![CDATA[Okta Verify for Windows Privilege Escalation CVE-2024-7061]]></title><description><![CDATA[Okta Verify for Windows is vulnerable to privilege escalation through DLL hijacking.]]></description><link>https://trust.okta.com/security-advisories/okta-verify-for-windows-privilege-escalation-cve-2024-7061</link><guid isPermaLink="false">https://trust.okta.com/security-advisories/okta-verify-for-windows-privilege-escalation-cve-2024-7061</guid><pubDate>Wed, 07 Aug 2024 00:00:00 GMT</pubDate></item><item><title><![CDATA[Okta Browser Plugin Reflected Cross-Site Scripting CVE-2024-0981]]></title><description><![CDATA[Okta Browser Plugin versions 6.5.0 through 6.31.0 (Chrome/Edge/Firefox/Safari) are vulnerable to cross-site scripting.]]></description><link>https://trust.okta.com/security-advisories/okta-browser-plugin-reflected-cross-site-scripting-cve-2024-0981</link><guid isPermaLink="false">https://trust.okta.com/security-advisories/okta-browser-plugin-reflected-cross-site-scripting-cve-2024-0981</guid><pubDate>Mon, 22 Jul 2024 00:00:00 GMT</pubDate></item><item><title><![CDATA[Okta Verify for Windows 
Auto-update Arbitrary Code Execution CVE-2024-0980]]></title><description><![CDATA[The Auto-update service for Okta Verify for Windows is vulnerable to two flaws which in combination could be used to execute arbitrary code.]]></description><link>https://trust.okta.com/security-advisories/okta-verify-windows-auto-update-arbitrary-code-execution-cve-2024-0980</link><guid isPermaLink="false">https://trust.okta.com/security-advisories/okta-verify-windows-auto-update-arbitrary-code-execution-cve-2024-0980</guid><pubDate>Tue, 26 Mar 2024 00:00:00 GMT</pubDate></item><item><title><![CDATA[Okta LDAP Agent CVE-2023-0392]]></title><description><![CDATA[The LDAP Agent Update service used an unquoted path, which could allow arbitrary code execution. ]]></description><link>https://trust.okta.com/security-advisories/okta-ldap-agent-cve-2023-0392</link><guid isPermaLink="false">https://trust.okta.com/security-advisories/okta-ldap-agent-cve-2023-0392</guid><pubDate>Tue, 19 Sep 2023 00:00:00 GMT</pubDate></item><item><title><![CDATA[Okta Advanced Server Access Client CVE-2023-0093]]></title><description><![CDATA[Okta Advanced Server Access Client versions 1.13.1 through 1.68.1 are vulnerable to command injection due to the third-party library webbrowser.]]></description><link>https://trust.okta.com/security-advisories/okta-advanced-server-access-client-cve-2023-0093</link><guid isPermaLink="false">https://trust.okta.com/security-advisories/okta-advanced-server-access-client-cve-2023-0093</guid><pubDate>Wed, 22 Feb 2023 00:00:00 GMT</pubDate></item><item><title><![CDATA[Okta Access Gateway Advisory for CVE-2022-3602 and CVE-2022-3786]]></title><description><![CDATA[On November 1, 2022 the OpenSSL organization disclosed two high-severity vulnerabilities in version 3.0 and above which are patched in OpenSSL 3.0.7.  Okta has investigated the usage of the vulnerabilities and will continue to assess the potential impact to our dependencies and third parties. 
Okta Access Gateway has been found to use the OpenSSL 3.0 codebase since the release of 2022.10.0.  Customers that have not yet updated to 2022.10.0 should refrain from updating to 2022.10.0 which contains OpenSSL 3.0 until an updated version is available. Okta Access Gateway customers who have updated to 2022.10.0 will be provided an updated version 2022.11.0 as soon as possible. Currently estimated to be available on 11/04/2022.]]></description><link>https://trust.okta.com/security-advisories/okta-access-gateway-advisory-cve-2022-3602-and-cve-2022-3786</link><guid isPermaLink="false">https://trust.okta.com/security-advisories/okta-access-gateway-advisory-cve-2022-3602-and-cve-2022-3786</guid><pubDate>Tue, 01 Nov 2022 19:47:00 GMT</pubDate></item><item><title><![CDATA[Okta Active Directory Agent CVE-2022-1697]]></title><description><![CDATA[Okta Active Directory Agent versions 3.8.0 through 3.11.0 installed the Okta AD Agent Update Service using an unquoted path.]]></description><link>https://trust.okta.com/security-advisories/okta-active-directory-agent-cve-2022-1697</link><guid isPermaLink="false">https://trust.okta.com/security-advisories/okta-active-directory-agent-cve-2022-1697</guid><pubDate>Thu, 01 Sep 2022 00:00:00 GMT</pubDate></item><item><title><![CDATA[Okta Advanced Server Access Client CVE-2022-1030]]></title><description><![CDATA[Okta Advanced Server Access Client for Linux and macOS prior to version 1.58.0 was found to be vulnerable to command injection via a specially crafted URL. 
An attacker, who has knowledge of a valid team name for the victim and also knows a valid target host where the user has access, can execute commands on the local system.]]></description><link>https://trust.okta.com/security-advisories/okta-advanced-server-access-client-cve-2022-1030</link><guid isPermaLink="false">https://trust.okta.com/security-advisories/okta-advanced-server-access-client-cve-2022-1030</guid><pubDate>Mon, 21 Mar 2022 00:00:00 GMT</pubDate></item><item><title><![CDATA[Okta Advanced Server Access Client CVE-2022-24295]]></title><description><![CDATA[Okta Advanced Server Access Client for Windows prior to version 1.57.0 was found to be vulnerable to command injection via a specially crafted URL.]]></description><link>https://trust.okta.com/security-advisories/okta-advanced-server-access-client-cve-2022-24295</link><guid isPermaLink="false">https://trust.okta.com/security-advisories/okta-advanced-server-access-client-cve-2022-24295</guid><pubDate>Thu, 17 Feb 2022 00:00:00 GMT</pubDate></item><item><title><![CDATA[Okta RADIUS Server Agent CVE-2021-45105]]></title><description><![CDATA[Apache Log4j2 2.16.0, as used in Okta RADIUS Server Agent 2.17.1 and lower, did not protect from uncontrolled recursion from self-referential lookups. While Okta found no evidence that this agent was impacted, due to the lack of preconditions that must exist for this vulnerability to be exploitable, we have released an updated version of the agent. 
The new version includes Log4j 2.17.0, which fixes this issue.]]></description><link>https://trust.okta.com/security-advisories/okta-radius-server-agent-cve-2021-45105</link><guid isPermaLink="false">https://trust.okta.com/security-advisories/okta-radius-server-agent-cve-2021-45105</guid><pubDate>Wed, 26 Jan 2022 22:53:00 GMT</pubDate></item><item><title><![CDATA[Okta On-Prem MFA Agent CVE-2021-45046]]></title><description><![CDATA[Apache Log4j2 2.15.0, as used in Okta On-Prem MFA Agent 1.4.6 (formerly Okta RSA SecurID Agent), contained an incomplete fix for CVE-2021-44228, which could allow attackers under certain conditions to craft malicious input data, resulting in a denial of service (DOS) attack. The new version includes Log4j 2.16.0 which fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.]]></description><link>https://trust.okta.com/security-advisories/okta-prem-mfa-agent-cve-2021-45046</link><guid isPermaLink="false">https://trust.okta.com/security-advisories/okta-prem-mfa-agent-cve-2021-45046</guid><pubDate>Wed, 26 Jan 2022 22:52:00 GMT</pubDate></item><item><title><![CDATA[Okta RADIUS Server Agent CVE-2021-45046]]></title><description><![CDATA[Apache Log4j2 2.15.0, as used in Okta RADIUS Server Agent 2.17.0, contained an incomplete fix for CVE-2021-44228, which could allow attackers under certain conditions to craft malicious input data, resulting in a denial of service (DOS) attack. 
The new version includes Log4j 2.16.0 which fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.]]></description><link>https://trust.okta.com/security-advisories/okta-radius-server-agent-cve-2021-45046</link><guid isPermaLink="false">https://trust.okta.com/security-advisories/okta-radius-server-agent-cve-2021-45046</guid><pubDate>Wed, 26 Jan 2022 22:51:00 GMT</pubDate></item><item><title><![CDATA[Okta On-Prem MFA Agent CVE-2021-44228]]></title><description><![CDATA[Apache Log4j2 <=2.14.1, as used in Okta On-Prem MFA Agent (formerly Okta RSA SecurID Agent) prior to 1.4.6, does not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers. ]]></description><link>https://trust.okta.com/security-advisories/okta-prem-mfa-agent-cve-2021-44228</link><guid isPermaLink="false">https://trust.okta.com/security-advisories/okta-prem-mfa-agent-cve-2021-44228</guid><pubDate>Wed, 26 Jan 2022 22:50:00 GMT</pubDate></item><item><title><![CDATA[Okta RADIUS Server Agent CVE-2021-44228]]></title><description><![CDATA[Apache Log4j2 <=2.14.1, as used in Okta RADIUS Server Agent prior to 2.17.0, does not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers. 
]]></description><link>https://trust.okta.com/security-advisories/okta-radius-server-agent-cve-2021-44228</link><guid isPermaLink="false">https://trust.okta.com/security-advisories/okta-radius-server-agent-cve-2021-44228</guid><pubDate>Wed, 26 Jan 2022 22:48:00 GMT</pubDate></item><item><title><![CDATA[Okta On-Prem MFA Agent CVE-2021-45105]]></title><description><![CDATA[Apache Log4j2 2.16.0, as used in Okta On-Prem MFA Agent 1.4.7 and lower (formerly Okta RSA SecurID Agent), did not protect from uncontrolled recursion from self-referential lookups. While Okta found no evidence that this agent was impacted, due to the lack of preconditions that must exist for this vulnerability to be exploitable, we have released an updated version of the agent. The new version includes Log4j 2.17.0, which fixes this issue.]]></description><link>https://trust.okta.com/security-advisories/okta-prem-mfa-agent-cve-2021-45105</link><guid isPermaLink="false">https://trust.okta.com/security-advisories/okta-prem-mfa-agent-cve-2021-45105</guid><pubDate>Wed, 26 Jan 2022 00:00:00 GMT</pubDate></item><item><title><![CDATA[Okta Access Gateway CVE-2021-28113]]></title><description><![CDATA[A command injection vulnerability in the cookieDomain and relayDomain parameters of Okta Access Gateway in version 2020.8.4 and earlier allows attackers with admin access to the Okta Access Gateway UI to execute OS commands as a privileged system account. ]]></description><link>https://trust.okta.com/security-advisories/okta-access-gateway-cve-2021-28113</link><guid isPermaLink="false">https://trust.okta.com/security-advisories/okta-access-gateway-cve-2021-28113</guid><pubDate>Fri, 02 Apr 2021 00:00:00 GMT</pubDate></item></channel></rss>