Bug Fixes

• KCM-418: SSH connections to RHEL machines in FIPS mode fail

• KCM-423: Session recording playback throws errors based on specific content

• KCM-420: RBI autofill domain name maching fails for single-word domains (e.g. http://ldapadmin)

• KCM-424: PostgreSQL sessions crash when typing "\c" command

Improvements

• KCM-422: Update to the latest Keeper Secrets Manager SDK for compatibility with new record types.

New Features

• KCM-164: Remote Browser Isolation Protocol See documentation here

• KCM-345: Enforcement of KCM license keys

Important License Changes

As part of the upgrade to KCM 2.19, customers will now be required to obtain a license key from Keeper in order to continue the use of Keeper Connection Manager (KCM). Without a valid license key, users and admins will be unable to use KCM after the update is applied.

This is a new process and the appropriate steps to maintain access to KCM are outlined below.

To obtain a license key, please contact Keeper Support directly at: https://www.keepersecurity.com/support.html

Upon request, Keeper will generate and send a copy of your license key.

To configure KCM with your license key, follow the steps below:

This latest release updates to Keeper's latest GPG signing key (relevant only to RPM-based installs), updates to the latest compatible versions of all dependencies, and addresses the following issues.

Bug Fixes

• KCM-332: Incorrect timeout behavior while RDP connections are waiting for the user to enter their credentials.

• KCM-309: Confusing prompt wording in kcm-setup.run regarding the customer's KCM server's domain, which is not necessarily a public-facing FQDN under all circumstances.

• KCM-339: Incorrect handling of the (attribute) suffix when importing connections from CSV.

• KCM-341: An "Unable to create injector" error that prevents the "Encrypted JSON Authentication" extension from loading, regardless of how it has been configured.

Bug Fixes

• KCM-328: Eliminated an issue present in release 2.18.0 and 2.18.1 that placed an artificial limit on large-scale, repeated connection creation necessitating guacd service restart

Security Updates

• Base version of Apache Guacamole updated to 1.5.2 from 1.3.0

  • KCM has been using Apache Guacamole 1.3.0 as its basis for some time now, backporting changes from upstream over time. With the latest upstream release being 1.5.2, we should bring our packages up-to-date with that release and remove any patches that are no longer necessary.

  • The upstream Apache Guacamole 1.5.2 release contains changes that address issues with security implications. The issues in question:

    • CVE-2023-30575: Apache Guacamole: Incorrect calculation of Guacamole protocol element lengths

    • CVE-2023-30576: Apache Guacamole: Use-after-free in handling of RDP audio input buffer

  • With this base version update, there are no implications for compatibility. Extensions that worked with previous versions of KCM should continue to work identically.

• Dependency updates

  • The various C, Java, and JavaScript dependencies used by KCM are brought up-to-date with their latest available and compatible versions.

New Features

• apply command for kcm-setup.run

  • The kcm-setup.run installation script now provides an apply command to more easily allow administrators to apply changes made to docker-compose.yml: ./kcm-setup.run apply

    • Unlike upgrade, the apply command strictly applies changes made externally to docker-compose.yml and does not pull new images.

    • The installation script has also been updated to use depends_on within declared services to ensure that stop need not be run before upgrade or apply are used. Administrators can simply run the command and rely on the script and Docker Compose to automatically stop/start services as needed.

Bug Fixes

• Resolved Issue where Batch import does not support some unicode characters