Okta Releases Security Updates for Advanced Server Client for Windows

Security update addresses a remote code execution vulnerability

Summary

Security update addresses a remote code execution vulnerability


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

Okta has released a security update to address a remote code execution (RCE) vulnerability. A remote, unauthenticated attacker could exploit this command injection vulnerability by sending a specially crafted URL and take control of an affected system.

Updated information about Okta's Log4Shell response

In addition to the main vulnerability mentioned in this cyber alert, please note that Okta has updated its response to the Log4Shell vulnerabilities CVE-2021-45105, CVE-2021-45046, and CVE-2021-44228. Further information can be found on the Okta Security Advisories page and in the blog post Okta’s response to CVE-2021-44228 (“Log4Shell”).

NHS and social care organisations are invited to visit our cyber alerts article Log4Shell RCE Vulnerability CC-3989 and to use the Cyber Associates Network to find additional information and participate in discussion about the Log4Shell remote code execution vulnerability and affected products.


Remediation advice

Affected organisations should read Okta's security advisory and update to Advanced Server Access Client for Windows version 1.57.0.



Last edited: 25 February 2022 3:01 pm