Release Notes
03 October 2023, 15:19
These release notes provide information about the One Identity Safeguard for Privileged Sessions release. For the most recent documents and product information, see One Identity Safeguard for Privileged Sessions - Technical Documentation.
One Identity Safeguard for Privileged Sessions Version 7.0.4 LTS is a maintenance release with resolved issues. For details, see:
The One Identity Safeguard Appliance is built specifically for use only with the Safeguard privileged management software, which is pre-installed and ready for immediate use. The appliance is hardened to ensure the system is secured at the hardware, operating system and software levels. The hardened appliance approach protects the privileged management software from attacks while simplifying deployment and ongoing management -- and shortening the timeframe to value.
Safeguard privileged management software is used to control, monitor, and govern privileged user accounts and activities to identify possible malicious activities, detect entitlement risks, and provide tamper proof evidence. The Safeguard products also aid incident investigation, forensics work, and compliance efforts.
The Safeguard products' unique strengths are:
One-stop solution for all privileged access management needs
Easy to deploy and integrate
Unparalleled depth of recording
Comprehensive risk analysis of entitlements and activities
Thorough Governance for privileged account
The suite includes the following modules:
One Identity Safeguard for Privileged Sessions is part of One Identity's Privileged Access Management portfolio. Addressing large enterprise needs, Safeguard for Privileged Sessions is a privileged session management solution, which provides industry-leading access control, as well as session monitoring and recording to prevent privileged account misuse, facilitate compliance, and accelerate forensics investigations.
Safeguard for Privileged Sessions is a quickly deployable enterprise appliance, completely independent from clients and servers - integrating seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill-down for forensics investigations.
One Identity Safeguard for Privileged Analytics integrates data from Safeguard for Privileged Sessions to use as the basis of privileged user behavior analysis. Safeguard for Privileged Analytics uses machine learning algorithms to scrutinize behavioral characteristics and generates user behavior profiles for each individual privileged user. Safeguard for Privileged Analytics compares actual user activity to user profiles in real time and profiles are continually adjusted using machine learning. Safeguard for Privileged Analytics detects anomalies and ranks them based on risk so you can prioritize and take appropriate action - and ultimately prevent data breaches.
The following is a list of issues addressed in this release.
| Resolved Issue | Issue ID |
|---|---|
|
Fixed to be able to build baselines for more than 10,000 users. |
424024 |
|
The local SSH of SPS and the root password of the local SSH of SPS could be configured on the REST API in sealed mode. The configuration issue is solved and local SSH and root password cannot be configured in sealed mode. |
340251 |
|
Fixed this issue: Login page local login modal backdrop displayed incorrectly on slow internet. |
392712 |
|
Now it is possible to remove bind DN value in LDAP management. |
403955 |
|
Fixing required space calculation in upgrade precheck. Until now the upgrade precheck process did not calculate the required space properly. Now this problem has been fixed. |
406696 |
|
During a firmware upgrade or when importing an older configuration bundle, a computationally expensive validation rule was evaluated multiple times. With sufficiently complex confiugration, this could make the process run long enough to exceed the maximum execution time of the server side request handler of the web user interface, making the operation fail. This expensive validation is now performed only once, so that validating a complex configuration during a firmware upgrade or a configurtion import will not exceed the execution time limit. |
413675 |
|
When the user created a new custom report, the actions were available behind the "Create report" button before the changes were committed on the Reporting -> Create and Manage Reports UI. This issue has been fixed. |
416981 |
|
RDP connections initiated on Mac OS with Microsoft Remote Desktop App 10.8.2 or later failed. Microsoft Remote Desktop App 10.8.2 enabled a new undocumented protocol feature which was not handled by SPS, causing RDP connections to fail. This has been fixed, SPS now properly recognizes and disables this feature. |
417054 |
|
When an SPS instance was first launched in AWS EC2, the bootstrap system could occasionally fail. In this case the customer would experience Connection Refused indefinitely when they tried to connect to the freshly provisioned instance via HTTPS. This unreliability was fixed to stabilize the bootstrap procedure. |
421194 |
|
Documentation links in the upgrade notes were not resolvable. When the upgrade notes of a specific firmware version was displayed, the links to the Upgrade Guide and the Release Notes were incorrect. The documentation site was updated to provide contents for the past versions as well. |
422264 |
|
In Windows Azure environment the SPS console could report failed network services due to an interaction between its networking setup and the Azure guest agent. The SPS networking system was enhanced to tolerate such external changes. |
414452 |
|
When SPP and SPS are linked together, SPS needs to maintain an up-to-date list of the members of the SPP cluster. This list was periodically queried, but only from the primary node of the SPP cluster. This has been changed so that when the primary SPP node is unreachable for SPS, then SPS will attempt to query the SPP cluster members from the other nodes of the SPP cluster, based on the last known set of SPP cluster members. |
414457 |
|
Early disconnections might cause all RDP connections to terminate when RDG is configured. When SPS was configured to act as a Remote Desktop Gateway and the client disconnected in the early stages of the connection, all RDP connections could be terminated. In this case a core file was generated and a backtrace was written to the system log alongside with the following line: "Timer expired; description='I/O timeout'". This issue is fixed now. |
411111 |
|
The following bug in SPS prior to 7.3.0 was only possible via the SPS REST API. If a user sent a POST request to the following endpoint https://SPS_IP/api/configuration/reporting/restbased_subchapters and created a restbased_subchapter that contained a field with a date type in its "fields" value list. As of SPS 7.3.0, the bug could also be triggered on the SPS UI, under the Reporting > Create & Manage Reports menu item, if a user created a Search-Based subchapter that contained a column that was of type date by pressing the View & edit subchapters button. The bug could be found in the generated report if a field of a date type in a session in the report did not have a value, and instead of the expected "n/a", a blank text ("") was displayed. This has been fixed so that if a report contains a search-based subchapter (referred as REST-based subchapter on the REST API) that contains a session field of type date and the generated report includes a session that does not contain a value for that date field, the report will contain "n/a" for the field value. |
412721 |
|
When the user only added or deleted a certificate to a trust store, these actions did not enable the Save button. This issue has been fixed. |
340419 |
|
Missing name validation for creating or editing LDAP servers. A unique name validator has added to LDAP server name field to help the user choose an unused one. |
340503 |
|
Added an Enter key handler to LDAP server shared secret dialog. |
340505 |
|
When there was an exact match in the list, it could happen that the result was displayed at the end of the list, which means the user was not able to see it immediately if the list was too large and scrollable. This issue has been fixed. |
340507 |
|
User Preferences -> Search page settings -> Automatic refresh toggle did not affect the Search page background data refreshing. This issue has been fixed. |
340519 |
|
EU data house is available for starling, but the UI showed that it is not yet supported. This issue has been fixed. |
340520 |
|
When you create a report for a fixed time frame or a custom time frame, the page shows you the redirection suggestion popup instead of auto redirecting, and it does not redirect you now if there is an error during a custom time framed report creation. |
340540 |
|
From now on, the online video player will stop when the user presses the forward seek button. This was implemented to make going forward the same as going backwards in the videos. |
340542 |
|
The "read the release notes" link on the "About" side sheet led to an old page. This link is now fixed and navigates the user to the correct page. |
386176 |
|
The query of a content based subchapter no longer excepts unpaired double quotes in search words, since it causes an internal error. This fact is also represented in the REST schema of the content subchapter endpoint. |
387790 |
|
Pagination range was incorrect on the last page when it had 10.000 or more sessions. This issue has been fixed. |
422663 |
|
RDP protocol negotiation on Windows 11 with Remote Desktop 10.0.22621 fails. In Windows 11 version 22H2, RDP protocol negotiation has been changed, and now it allows skipping the initial channel join messages. This was not handled by SPS, causing RDP connections fail to start. This has been fixed, SPS now supports RDP channel join skipping. |
425560 |
|
When creating a new content subchapter on SPS UI under Reporting > Create & Manage Reports and the user had content subchapters using a protocol connection policy filter without having access to the particular protocol's Connections menupoint, SPS returned a "403 Forbidden: The client is not authorized to access the given resource." error. Furthermore, when the user wanted to create a new conctent subchapter with a protocol connection policy filter, SPS also responded with the previous error and the subchapter could not be created. This issue has been fixed so the protocol connection policy filter works as expected without access to protocol Connections menupoints. |
425741 |
| Resolved Issue | Issue ID |
|---|---|
|
avahi: |
CVE-2023-1981 |
|
bind9: |
CVE-2023-2828 |
|
cups: |
CVE-2023-32324 |
|
|
CVE-2023-34241 |
|
curl: |
CVE-2023-28321 |
|
|
CVE-2023-28322 |
|
glib2.0: |
CVE-2023-24593 |
|
|
CVE-2023-25180 |
|
|
CVE-2023-29499 |
|
|
CVE-2023-32611 |
|
|
CVE-2023-32636 |
|
|
CVE-2023-32643 |
|
|
CVE-2023-32665 |
|
libcap2: |
CVE-2023-2602 |
|
|
CVE-2023-2603 |
|
libssh: |
CVE-2023-1667 |
|
|
CVE-2023-2283 |
|
libx11: |
CVE-2023-3138 |
|
linux: |
CVE-2020-36691 |
|
|
CVE-2022-0168 |
|
|
CVE-2022-1184 |
|
|
CVE-2022-27672 |
|
|
CVE-2022-4269 |
|
|
CVE-2023-0461 |
|
|
CVE-2023-1075 |
|
|
CVE-2023-1118 |
|
|
CVE-2023-1380 |
|
|
CVE-2023-1611 |
|
|
CVE-2023-1670 |
|
|
CVE-2023-1859 |
|
|
CVE-2023-2124 |
|
|
CVE-2023-2612 |
|
|
CVE-2023-30456 |
|
|
CVE-2023-3090 |
|
|
CVE-2023-3111 |
|
|
CVE-2023-3141 |
|
|
CVE-2023-31436 |
|
|
CVE-2023-32233 |
|
|
CVE-2023-32629 |
|
|
CVE-2023-3390 |
|
|
CVE-2023-35001 |
|
ncurses: |
CVE-2021-39537 |
|
|
CVE-2022-29458 |
|
|
CVE-2023-29491 |
|
nghttp2: |
CVE-2020-11080 |
|
open-vm-tools: |
CVE-2023-20867 |
|
openjdk-lts: |
CVE-2023-22006 |
|
|
CVE-2023-22036 |
|
|
CVE-2023-22041 |
|
|
CVE-2023-22045 |
|
|
CVE-2023-22049 |
|
|
CVE-2023-25193 |
|
openssh: |
CVE-2020-14145 |
|
|
CVE-2023-38408 |
|
openssl: |
CVE-2022-4304 |
|
|
CVE-2023-2650 |
|
perl: |
CVE-2023-31484 |
|
php7.4: |
CVE-2023-3247 |
|
postgresql-12: |
CVE-2023-2454 |
|
|
CVE-2023-2455 |
|
|
CVE-2023-39417 |
|
python3.8: |
CVE-2023-24329 |
|
requests: |
CVE-2023-32681 |
|
samba: |
CVE-2022-2127 |
|
|
CVE-2023-34966 |
|
|
CVE-2023-34967 |
|
|
CVE-2023-34968 |
|
sysstat: |
CVE-2023-33204 |
|
tiff: |
CVE-2022-48281 |
|
|
CVE-2023-25433 |
|
|
CVE-2023-26965 |
|
|
CVE-2023-26966 |
|
|
CVE-2023-2908 |
|
|
CVE-2023-3316 |
|
|
CVE-2023-3618 |
|
|
CVE-2023-38288 |
|
|
CVE-2023-38289 |
|
vim: |
CVE-2022-2208 |
|
|
CVE-2022-2210 |
|
|
CVE-2022-2257 |
|
|
CVE-2022-2264 |
|
|
CVE-2022-2284 |
|
|
CVE-2022-2285 |
|
|
CVE-2022-2286 |
|
|
CVE-2022-2287 |
|
|
CVE-2022-2289 |
|
|
CVE-2022-2598 |
|
|
CVE-2022-3016 |
|
|
CVE-2022-3037 |
|
|
CVE-2022-3099 |
|
|
CVE-2023-2609 |
|
|
CVE-2023-2610 |
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Términos de uso Privacidad Cookie Preference Center
