FortiDLP
FortiDLP is a cloud-native endpoint DLP and insider risk solution aimed at monitoring and preventing data theft on the endpoint, across Windows, macOS and Linux.
Anthony_E
Community Manager
Article Id 357195
Description This article discusses JAZZ-220: Deleted operator sessions not cleared.
Scope FortiDLP.
Solution

Release Date:

29th October 2019.

Overview:

Operators deleted by an admin could still access the Jazz Platform if they held an active session at the time of deletion, and could continue to do so until that session expired.

Affected Products:

  • Jazz Infrastructure: up to and including 6.0.0.
  • Jazz Cloud: before 27th September 2019.

Unaffected Products:

  • Jazz Infrastructure: from 6.1.0.
  • Jazz Cloud: after 27th September 2019.
  • Jazz Agents: all versions.

Resolution:

This issue has been fixed in Jazz Infrastructure version 6.1.0.

On-premises installations running an affected version are advised to upgrade at the earliest opportunity. Releases are available to download from the Jazz Networks support portal.

A fix was deployed to the Jazz Cloud on 27th September 2019. Jazz Cloud customers do not need to take any additional action.

Vulnerability Information:

Sessions belonging to an operator were not invalidated when that operator was deleted from the Jazz Platform, so an operator who held an active session at the time of deletion could continue to use the platform until that session expired. The issue is mitigated if the deleted operator logs out of the Jazz Platform, clears the session cookie from their browser, or otherwise invalidates the session. Each of these depends on an action by the deleted operator rather than the administrator, so on affected installations the upgrade is the actual fix.
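To make the failure mode concrete, the following is an added illustration, not Jazz Networks or FortiDLP code. All class and method names are hypothetical, and the in-memory dictionary stands in for a real session backend. It models a session store that keeps sessions alive after an operator is deleted, beside one that revokes the operator's sessions at deletion time and additionally re-checks on every request that the session's owner still exists:

```python
"""Model of the session-invalidation bug described in JAZZ-220.

Added illustration only; not Jazz Networks / FortiDLP code. Names are
hypothetical and the dict-backed store stands in for a real session backend.
"""
import secrets
import time


class SessionStore:
    """Vulnerable pattern: deleting an operator leaves their sessions valid."""

    def __init__(self):
        self.operators = set()   # hypothetical operator registry
        self.sessions = {}       # token -> (operator name, expiry timestamp)

    def add_operator(self, name):
        self.operators.add(name)

    def login(self, name, ttl=3600):
        """Issue a random session token for a known operator."""
        if name not in self.operators:
            raise PermissionError("unknown operator")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (name, time.time() + ttl)
        return token

    def logout(self, token):
        """The listed mitigation: the operator invalidates their own session."""
        self.sessions.pop(token, None)

    def delete_operator(self, name):
        self.operators.discard(name)   # sessions are NOT touched: this is the bug

    def authenticate(self, token, now=None):
        """Return the operator owning a live session, or None."""
        now = time.time() if now is None else now
        entry = self.sessions.get(token)
        if entry is None:
            return None
        name, expiry = entry
        if now >= expiry:
            self.sessions.pop(token, None)
            return None
        return name


class HardenedSessionStore(SessionStore):
    """Fixed pattern: deletion revokes sessions, and validation re-checks the principal."""

    def delete_operator(self, name):
        super().delete_operator(name)
        # Revoke every session the deleted operator holds (copy the keys first,
        # since we mutate the dict while iterating).
        for token in [t for t, (owner, _) in self.sessions.items() if owner == name]:
            self.sessions.pop(token, None)

    def authenticate(self, token, now=None):
        name = super().authenticate(token, now)
        # Defence in depth: refuse a token whose owner no longer exists, so a
        # session that survives deletion (e.g. a missed revocation) still fails.
        if name is not None and name not in self.operators:
            self.sessions.pop(token, None)
            return None
        return name


def demo():
    """Delete an operator with a live session in each store and try the old token."""
    results = {}
    for label, cls in (("vulnerable", SessionStore), ("hardened", HardenedSessionStore)):
        store = cls()
        store.add_operator("alice")   # constructed sample operator
        token = store.login("alice")
        store.delete_operator("alice")
        results[label] = store.authenticate(token)
    return results


if __name__ == "__main__":
    print(demo())   # {'vulnerable': 'alice', 'hardened': None}
```

The second check in the hardened store matters where sessions are cached on more than one node: revoking at deletion time covers the common path, while refusing tokens whose principal no longer exists closes the gap if a revocation is missed. The `logout` method models the page's listed mitigation, which only helps because the deleted operator performs it.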

 

Acknowledgments:

This issue was found internally by Jazz Networks.

Disclosure Timeline:

  • 11/07/2019 Issue found internally by Jazz Networks.
  • 12/07/2019 Root cause established.
  • 12/07/2019 Fix identified.
  • 27/09/2019 Patched Jazz Cloud released.
  • 29/10/2019 Patched Jazz Infrastructure released.
  • 29/10/2019 Vulnerability disclosed.