An account is configured with a PVP (Password View Policy) that has Change Password On Connection End enabled. The account was used several times in one day to access a Linux server, but connection attempts began failing after the second connection. The password history in PAM shows only one update for that day, while the history on the target server shows that the password was changed twice.
PAM releases up to and including 4.1.7, and 4.2.0
PAM changed the password on the target device successfully, but then ran into an internal error while adding the new password history entry (the MySQL connection dropped). Because of that error the whole update was regarded as a failure and the old password was retained in the PAM target account, even though the target device already had the new one. The account was therefore out of sync, and every later connection attempt with the stored password failed. The tomcat log shows a SQL exception in method updateAccountHistory:
2024-03-20T15:00:39.100+0000 SEVERE [TestScheduler_Worker-3] com.cloakware.cspm.server.dao.impl.AnsiSQLAbstractDAO.convertSQLException AnsiSQLAccountHistoryDAO.updateAccountHistory sql exception
com.mysql.cj.jdbc.exceptions.CommunicationsException: Communications link failure
...
at com.cloakware.cspm.server.app.impl.UpdateTargetAccountCmd.handleAccountHistory(UpdateTargetAccountCmd.java:1631)
at com.cloakware.cspm.server.app.impl.UpdateTargetAccountCmd.invoke(UpdateTargetAccountCmd.java:808)
at com.cloakware.cspm.server.app.impl.ApplicationContextImpl.invokeCommand(ApplicationContextImpl.java:274)
at com.cloakware.cspm.server.app.impl.ApplicationContextImpl.invokeCommand(ApplicationContextImpl.java:216)
at com.cloakware.cspm.server.app.impl.UpdateTargetAccountPasswordCmd.updateAccount(UpdateTargetAccountPasswordCmd.java:1059)
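The following simulation is an added illustration and is not PAM code: a toy vault, target host and history store stand in for the real components. It reproduces the symptom above (target changed twice, PAM history recorded once, stored password no longer matching) when the history write fails after the target has already accepted the new password, and contrasts it with a hardened ordering in which the stored credential is committed before the history write so that a history failure cannot discard it. That hardened ordering is one plausible design, not a description of how 4.1.8 actually fixed the defect.

```python
"""Hypothetical simulation of the out-of-sync failure mode described above.

Not CA/Broadcom PAM code: Vault, TargetHost and HistoryStore are stand-ins
for the real vault, managed Linux host and MySQL-backed account history.
"""
from dataclasses import dataclass, field
import logging

log = logging.getLogger("pam_sim")


class HistoryDBError(Exception):
    """Stands in for the JDBC CommunicationsException in the stack trace."""


@dataclass
class TargetHost:
    password: str
    change_log: list = field(default_factory=list)  # one entry per change

    def set_password(self, new: str) -> None:
        self.password = new
        self.change_log.append(new)


@dataclass
class HistoryStore:
    fail: bool = False                              # simulate lost DB link
    rows: list = field(default_factory=list)

    def add(self, account: str, new: str) -> None:
        if self.fail:
            raise HistoryDBError("Communications link failure")
        self.rows.append((account, new))


@dataclass
class Vault:
    password: str  # what PAM believes the target account password is


def update_password_buggy(vault, host, history, account, new_pw) -> bool:
    """Pre-fix behaviour: one all-or-nothing step. The target has already
    accepted the new password when the history insert throws, so the vault
    keeps the old one and the account is now out of sync."""
    try:
        host.set_password(new_pw)
        history.add(account, new_pw)
        vault.password = new_pw
        return True
    except HistoryDBError as exc:
        log.error("update failed for %s: %s", account, exc)
        return False


def update_password_fixed(vault, host, history, account, new_pw) -> bool:
    """Hypothetical hardening: once the target has accepted the new password
    there is no safe rollback, so the stored credential is committed first and
    a history failure is reported without discarding it."""
    host.set_password(new_pw)
    vault.password = new_pw  # point of no return: keep what the target has
    try:
        history.add(account, new_pw)
    except HistoryDBError as exc:
        log.warning("history not recorded for %s: %s", account, exc)
    return True


def in_sync(vault, host) -> bool:
    """The check an operator would run when logins start failing."""
    return vault.password == host.password


def simulate(update_fn, fail_on_second: bool = True):
    """Two 'Change Password On Connection End' cycles; the history store
    fails during the second one. Returns (in_sync, history_rows, target_changes)."""
    vault, host, hist = Vault("p0"), TargetHost("p0"), HistoryStore()
    update_fn(vault, host, hist, "svc-linux", "p1")   # constructed account name
    hist.fail = fail_on_second
    update_fn(vault, host, hist, "svc-linux", "p2")
    return in_sync(vault, host), len(hist.rows), len(host.change_log)


if __name__ == "__main__":
    print("buggy:", simulate(update_password_buggy))  # (False, 1, 2)
    print("fixed:", simulate(update_password_fixed))  # (True, 1, 2)
```

The buggy path returns one history row and two target changes with the vault out of sync, which is exactly the pattern in the issue description; the hardened path shows the same counts but stays in sync, because the only thing lost is the audit row, which can be logged and backfilled rather than silently invalidating the stored credential.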
This problem is fixed in 4.1.8 and will be fixed in 4.2.1 and later; see the following item on the documentation page Resolved Vulnerabilities and Issues in 4.1.8:
33691441 DE597027 Account goes out of sync on accounthistory update failure.