サポートと今すぐチャット
サポートとのチャット

One Identity Safeguard for Privileged Sessions 7.0.5 LTS - Release Notes

Release Notes

One Identity Safeguard for Privileged Sessions 7.0.5 LTS

Release Notes

07 March 2024, 17:41

These release notes provide information about the One Identity Safeguard for Privileged Sessions release. For the most recent documents and product information, see One Identity Safeguard for Privileged Sessions - Technical Documentation.

Topics:

About this release

One Identity Safeguard for Privileged Sessions Version 7.0.5 LTS is a maintenance release with resolved issues. For details, see:

NOTE: For a full list of key features in One Identity Safeguard for Privileged Sessions, see the Administration Guide.

About the Safeguard product line

The One Identity Safeguard Appliance is built specifically for use only with the Safeguard privileged management software, which is pre-installed and ready for immediate use. The appliance is hardened to ensure the system is secured at the hardware, operating system and software levels. The hardened appliance approach protects the privileged management software from attacks while simplifying deployment and ongoing management -- and shortening the timeframe to value.

Safeguard privileged management software suite

Safeguard privileged management software is used to control, monitor, and govern privileged user accounts and activities to identify possible malicious activities, detect entitlement risks, and provide tamper proof evidence. The Safeguard products also aid incident investigation, forensics work, and compliance efforts.

The Safeguard products' unique strengths are:

  • One-stop solution for all privileged access management needs

  • Easy to deploy and integrate

  • Unparalleled depth of recording

  • Comprehensive risk analysis of entitlements and activities

  • Thorough Governance for privileged account

The suite includes the following modules:

  • One Identity Safeguard for Privileged Passwords automates, controls and secures the process of granting privileged credentials with role-based access management and automated workflows. Deployed on a hardened appliance, Safeguard for Privileged Passwords eliminates concerns about secured access to the solution itself, which helps to speed integration with your systems and IT strategies. Plus, its user-centered design means a small learning curve and the ability to manage passwords from anywhere and using nearly any device. The result is a solution that secures your enterprise and enables your privileged users with a new level of freedom and functionality.
  • One Identity Safeguard for Privileged Sessions is part of One Identity's Privileged Access Management portfolio. Addressing large enterprise needs, Safeguard for Privileged Sessions is a privileged session management solution, which provides industry-leading access control, as well as session monitoring and recording to prevent privileged account misuse, facilitate compliance, and accelerate forensics investigations.

    Safeguard for Privileged Sessions is a quickly deployable enterprise appliance, completely independent from clients and servers - integrating seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill-down for forensics investigations.

  • One Identity Safeguard for Privileged Analytics integrates data from Safeguard for Privileged Sessions to use as the basis of privileged user behavior analysis. Safeguard for Privileged Analytics uses machine learning algorithms to scrutinize behavioral characteristics and generates user behavior profiles for each individual privileged user. Safeguard for Privileged Analytics compares actual user activity to user profiles in real time and profiles are continually adjusted using machine learning. Safeguard for Privileged Analytics detects anomalies and ranks them based on risk so you can prioritize and take appropriate action - and ultimately prevent data breaches.

Resolved issues

The following is a list of issues addressed in this release.

Table 1: General resolved issues in release 7.0.5 LTS
Resolved Issue Issue ID

When trying to commit changes that included the deletion of a subchapter that is referenced in a report either under Reporting > Create & Manage Reports or via the REST API, SPS displayed an error with an ambiguous error message: "The referenced subchapter 'subchapter-id' does not exist.".

This has been fixed so that when deleting a subchapter, SPS checks whether the subchapter is referenced in a report, and if so, it will immediately display an error with a meaningful error message indicating that the subchapter is referenced in a report and that it should be unreferenced first.

393727

Fixed authentication can be blocked by other users issue.

SPS worked in a way that the authentication and authorization attempts of a user could possibly block the authentication of other users. This limitation did not cause problems while the authentication or authorization were performed nearly instantaneously. However, if the process was waiting for the slow response of a remote AD/LDAP or RADIUS server, then every authentication request of other users was blocked too. This was especially noticeable when the remote server was overloaded or when it was waiting for some interaction with the user (for example, MFA), and in this case, users might have experienced slow page load times or authentication timeout errors.

This issue was fixed, and now the authentication attempts are performed concurrently. Note that although remote resource consumption manifests in parallel authentication requests, these can still be slow when the remote resources are overloaded.

420845

Fixed the Remote Desktop Gateway packet overload can cause an out-of-memory crash issue.

If the RDP proxy acts as a Desktop Gateway, it caches packets temporarily when the client is unable to consume them. In cases of heavy and permanent packet loads, this cache could increase until the resource limit is reached.

This has been fixed, and the buffer is now involved in the flow control decision.

340013

Fixed RDP crashing during server authentication if the SPNEGO response contains only an error code.

The server responded with a vendor-specific error code (HResult 80090302: unsupported function) only in the SPNEGO response, which format was not expected by SPS.

This has been fixed, and SPS now properly handles such responses.

439931

The SSH Control > Options page only allowed uploading or deleting the Kerberos keytab for the local administrator, even when other users were granted write and perform access to this page.

This has been fixed, and now all users with the proper access permissions can upload and delete the keytab.

442599

Fixed the DNS resolution timeout problem.

Previously, when SPS tried to resolve a domain name and the DNS server was unresponsive, SPS waited for too long to time out. This has been fixed, and now the timeouts are correctly enforced when resolving domain names.

418170

Due to an error during plugin API check, plugins with two-digit plugin API versions (for example, 1.7) could not be uploaded. The version check is fixed and the two-digit API version can be used from now on.

441702

There were only 3 time ranges previously:

  • Hour: if the time range was shorter than / equal to a day.

  • Day: if the time range was shorter than / equal to 30 days.

  • Month: if the time range was longer than 30 days.

A new time range (week) has been introduced, and the time period distributions have changed to the following:

  • Hour: if the time range is shorter than / equal to a day.

  • Day: if the time range is shorter than / equal to 14 days.

  • Week: if the time range is shorter than / equal to 12 weeks.

  • Month: if the time range is longer than 14 weeks.

Columns containing 0 items are also presented.

340221

CSRF protection for the SPS REST API was optional. With this fix, SPS will force CSRF protection if the User-Agent refers to a browser.

428406

When generating a report that includes content subchapters either from the SPS UI or via the SPS REST API, if approximately more than 1000 sessions matched the content query, report generation could fail.

When generating reports that include content subchapters, Reporting collects sessions that match the content query. For each session, a QR code image is generated in temporary files that are embedded in the generated PDF file. Unfortunately, file descriptors had not been closed properly for these temporary files. As a result, if there were so many sessions matching the content query that the number of open file descriptors exceeded the operation system's limit, report generation failed and the following backtrace was written in the /var/log/messages log file: "ERROR OSError: [Errno 24] Too many open files.".

This issue has been fixed by making sure that file descriptors are properly closed.

431434

Table 2: Resolved Common Vulnerabilities and Exposures (CVE) in release 7.0.5 LTS

Resolved Issue

Issue ID

avahi:

CVE-2023-38469

 

CVE-2023-38470

 

CVE-2023-38471

 

CVE-2023-38472

 

CVE-2023-38473

bind9:

CVE-2023-4408

 

CVE-2023-50387

 

CVE-2023-50868

 

CVE-2023-5517

 

CVE-2023-6516

curl:

CVE-2023-38546

 

CVE-2023-46218

freerdp2:

CVE-2017-2834

 

CVE-2017-2835

 

CVE-2017-2836

 

CVE-2017-2837

 

CVE-2017-2838

 

CVE-2017-2839

 

CVE-2019-17177

 

CVE-2020-11042

 

CVE-2020-11044

 

CVE-2020-11045

 

CVE-2020-11046

 

CVE-2020-11047

 

CVE-2020-11048

 

CVE-2020-11049

 

CVE-2020-11058

 

CVE-2020-11095

 

CVE-2020-11096

 

CVE-2020-11097

 

CVE-2020-11098

 

CVE-2020-11099

 

CVE-2020-11521

 

CVE-2020-11522

 

CVE-2020-11523

 

CVE-2020-11524

 

CVE-2020-11525

 

CVE-2020-11526

 

CVE-2020-13396

 

CVE-2020-13397

 

CVE-2020-13398

 

CVE-2020-15103

 

CVE-2020-4030

 

CVE-2020-4031

 

CVE-2020-4032

 

CVE-2020-4033

 

CVE-2021-41159

 

CVE-2021-41160

 

CVE-2022-24882

 

CVE-2022-24883

 

CVE-2022-39282

 

CVE-2022-39283

 

CVE-2022-39316

 

CVE-2022-39317

 

CVE-2022-39318

 

CVE-2022-39319

 

CVE-2022-39320

 

CVE-2022-39347

 

CVE-2022-41877

 

CVE-2023-39350

 

CVE-2023-39351

 

CVE-2023-39352

 

CVE-2023-39353

 

CVE-2023-39354

 

CVE-2023-39356

 

CVE-2023-40181

 

CVE-2023-40186

 

CVE-2023-40188

 

CVE-2023-40567

 

CVE-2023-40569

 

CVE-2023-40589

glibc:

CVE-2023-4806

 

CVE-2023-4813

gnutls28:

CVE-2023-5981

 

CVE-2024-0553

jinja2:

CVE-2020-28493

 

CVE-2024-22195

krb5:

CVE-2023-36054

less:

CVE-2022-48624

libssh:

CVE-2023-48795

 

CVE-2023-6004

 

CVE-2023-6918

libuv1:

CVE-2024-24806

libvpx:

CVE-2023-44488

 

CVE-2023-5217

libx11:

CVE-2023-43785

 

CVE-2023-43786

 

CVE-2023-43787

libxml2:

CVE-2024-25062

libxpm:

CVE-2023-43786

 

CVE-2023-43787

 

CVE-2023-43788

 

CVE-2023-43789

linux:

CVE-2021-4001

 

CVE-2023-0597

 

CVE-2023-1206

 

CVE-2023-31083

 

CVE-2023-31085

 

CVE-2023-3212

 

CVE-2023-34319

 

CVE-2023-37453

 

CVE-2023-3772

 

CVE-2023-3863

 

CVE-2023-39189

 

CVE-2023-39192

 

CVE-2023-39193

 

CVE-2023-4132

 

CVE-2023-4194

 

CVE-2023-42752

 

CVE-2023-42753

 

CVE-2023-42754

 

CVE-2023-42755

 

CVE-2023-42756

 

CVE-2023-45863

 

CVE-2023-45871

 

CVE-2023-4622

 

CVE-2023-4623

 

CVE-2023-4881

 

CVE-2023-4921

 

CVE-2023-5178

 

CVE-2023-51781

 

CVE-2023-5717

 

CVE-2023-6040

 

CVE-2023-6606

 

CVE-2023-6915

 

CVE-2023-6931

 

CVE-2023-6932

 

CVE-2024-0565

 

CVE-2024-0646

nghttp2:

CVE-2023-44487

open-vm-tools:

CVE-2023-34058

 

CVE-2023-34059

openjdk-lts:

CVE-2023-22081

 

CVE-2024-20918

 

CVE-2024-20919

 

CVE-2024-20921

 

CVE-2024-20926

 

CVE-2024-20945

 

CVE-2024-20952

openldap:

CVE-2023-2953

openssh:

CVE-2021-41617

 

CVE-2023-48795

 

CVE-2023-51385

openssl:

CVE-2023-3446

 

CVE-2023-3817

 

CVE-2023-5678

 

CVE-2024-0727

pam:

CVE-2024-22365

perl:

CVE-2023-47038

php7.4:

CVE-2023-3823

 

CVE-2023-3824

pillow:

CVE-2023-44271

 

CVE-2023-50447

postfix:

CVE-2023-51764

postgresql-12:

CVE-2023-5868

 

CVE-2023-5869

 

CVE-2023-5870

 

CVE-2024-0985

procps:

CVE-2023-4016

python-cryptography:

CVE-2023-23931

python-urllib3:

CVE-2023-43804

 

CVE-2023-45803

python3.8:

CVE-2023-40217

rabbitmq-server:

CVE-2023-46118

samba:

CVE-2023-4091

 

CVE-2023-4154

 

CVE-2023-42669

shadow

CVE-2023-4641

sqlite3:

CVE-2023-7104

strongswan:

CVE-2023-41913

tar:

CVE-2023-39804

tiff:

CVE-2022-40090

 

CVE-2023-1916

 

CVE-2023-3576

 

CVE-2023-52356

 

CVE-2023-6228

 

CVE-2023-6277

vim:

CVE-2022-1725

 

CVE-2022-1771

 

CVE-2022-1897

 

CVE-2022-2000

 

CVE-2022-3234

 

CVE-2022-3256

 

CVE-2022-3324

 

CVE-2022-3352

 

CVE-2022-3520

 

CVE-2022-3591

 

CVE-2022-3705

 

CVE-2022-4292

 

CVE-2022-4293

 

CVE-2023-46246

 

CVE-2023-4733

 

CVE-2023-4735

 

CVE-2023-4750

 

CVE-2023-4751

 

CVE-2023-4752

 

CVE-2023-4781

 

CVE-2023-48231

 

CVE-2023-48233

 

CVE-2023-48234

 

CVE-2023-48235

 

CVE-2023-48236

 

CVE-2023-48237

 

CVE-2023-5344

 

CVE-2023-5441

 

CVE-2023-5535
セルフ・サービス・ツール
ナレッジベース
通知および警告
製品別サポート
ソフトウェアのダウンロード
技術文書
ユーザーフォーラム
ビデオチュートリアル
RSSフィード
お問い合わせ
ライセンスアシスタンス の取得
Technical Support
すべて表示
関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択