Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 7.0.4 LTS - Release Notes

Release Notes

One Identity Safeguard for Privileged Sessions 7.0.4 LTS

Release Notes

03 October 2023, 15:19

These release notes provide information about the One Identity Safeguard for Privileged Sessions release. For the most recent documents and product information, see One Identity Safeguard for Privileged Sessions - Technical Documentation.

Topics:

About this release

One Identity Safeguard for Privileged Sessions Version 7.0.4 LTS is a maintenance release with resolved issues. For details, see:

NOTE: For a full list of key features in One Identity Safeguard for Privileged Sessions, see .

About the Safeguard product line

The One Identity Safeguard Appliance is built specifically for use only with the Safeguard privileged management software, which is pre-installed and ready for immediate use. The appliance is hardened to ensure the system is secured at the hardware, operating system and software levels. The hardened appliance approach protects the privileged management software from attacks while simplifying deployment and ongoing management -- and shortening the timeframe to value.

Safeguard privileged management software suite

Safeguard privileged management software is used to control, monitor, and govern privileged user accounts and activities to identify possible malicious activities, detect entitlement risks, and provide tamper proof evidence. The Safeguard products also aid incident investigation, forensics work, and compliance efforts.

The Safeguard products' unique strengths are:

  • One-stop solution for all privileged access management needs

  • Easy to deploy and integrate

  • Unparalleled depth of recording

  • Comprehensive risk analysis of entitlements and activities

  • Thorough Governance for privileged account

The suite includes the following modules:

  • One Identity Safeguard for Privileged Passwords automates, controls and secures the process of granting privileged credentials with role-based access management and automated workflows. Deployed on a hardened appliance, Safeguard for Privileged Passwords eliminates concerns about secured access to the solution itself, which helps to speed integration with your systems and IT strategies. Plus, its user-centered design means a small learning curve and the ability to manage passwords from anywhere and using nearly any device. The result is a solution that secures your enterprise and enables your privileged users with a new level of freedom and functionality.
  • One Identity Safeguard for Privileged Sessions is part of One Identity's Privileged Access Management portfolio. Addressing large enterprise needs, Safeguard for Privileged Sessions is a privileged session management solution, which provides industry-leading access control, as well as session monitoring and recording to prevent privileged account misuse, facilitate compliance, and accelerate forensics investigations.

    Safeguard for Privileged Sessions is a quickly deployable enterprise appliance, completely independent from clients and servers - integrating seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill-down for forensics investigations.

  • One Identity Safeguard for Privileged Analytics integrates data from Safeguard for Privileged Sessions to use as the basis of privileged user behavior analysis. Safeguard for Privileged Analytics uses machine learning algorithms to scrutinize behavioral characteristics and generates user behavior profiles for each individual privileged user. Safeguard for Privileged Analytics compares actual user activity to user profiles in real time and profiles are continually adjusted using machine learning. Safeguard for Privileged Analytics detects anomalies and ranks them based on risk so you can prioritize and take appropriate action - and ultimately prevent data breaches.

Resolved issues

The following is a list of issues addressed in this release.

Table 1: General resolved issues in release 7.0.4 LTS
Resolved Issue Issue ID

Fixed to be able to build baselines for more than 10,000 users.

424024

The local SSH of SPS and the root password of the local SSH of SPS could be configured on the REST API in sealed mode.

The configuration issue is solved and local SSH and root password cannot be configured in sealed mode.

340251

Fixed this issue: Login page local login modal backdrop displayed incorrectly on slow internet.

392712

Now it is possible to remove bind DN value in LDAP management.

403955

Fixing required space calculation in upgrade precheck.

Until now the upgrade precheck process did not calculate the required space properly. Now this problem has been fixed.

406696

During a firmware upgrade or when importing an older configuration bundle, a computationally expensive validation rule was evaluated multiple times. With sufficiently complex confiugration, this could make the process run long enough to exceed the maximum execution time of the server side request handler of the web user interface, making the operation fail. This expensive validation is now performed only once, so that validating a complex configuration during a firmware upgrade or a configurtion import will not exceed the execution time limit.

413675

When the user created a new custom report, the actions were available behind the "Create report" button before the changes were committed on the Reporting -> Create and Manage Reports UI. This issue has been fixed.

416981

RDP connections initiated on Mac OS with Microsoft Remote Desktop App 10.8.2 or later failed.

Microsoft Remote Desktop App 10.8.2 enabled a new undocumented protocol feature which was not handled by SPS, causing RDP connections to fail.

This has been fixed, SPS now properly recognizes and disables this feature.

417054

When an SPS instance was first launched in AWS EC2, the bootstrap system could occasionally fail. In this case the customer would experience Connection Refused indefinitely when they tried to connect to the freshly provisioned instance via HTTPS. This unreliability was fixed to stabilize the bootstrap procedure.

421194

Documentation links in the upgrade notes were not resolvable.

When the upgrade notes of a specific firmware version was displayed, the links to the Upgrade Guide and the Release Notes were incorrect. The documentation site was updated to provide contents for the past versions as well.

422264

In Windows Azure environment the SPS console could report failed network services due to an interaction between its networking setup and the Azure guest agent. The SPS networking system was enhanced to tolerate such external changes.

414452

When SPP and SPS are linked together, SPS needs to maintain an up-to-date list of the members of the SPP cluster. This list was periodically queried, but only from the primary node of the SPP cluster.

This has been changed so that when the primary SPP node is unreachable for SPS, then SPS will attempt to query the SPP cluster members from the other nodes of the SPP cluster, based on the last known set of SPP cluster members.

414457

Early disconnections might cause all RDP connections to terminate when RDG is configured.

When SPS was configured to act as a Remote Desktop Gateway and the client disconnected in the early stages of the connection, all RDP connections could be terminated.

In this case a core file was generated and a backtrace was written to the system log alongside with the following line: "Timer expired; description='I/O timeout'". This issue is fixed now.

411111

The following bug in SPS prior to 7.3.0 was only possible via the SPS REST API. If a user sent a POST request to the following endpoint https://SPS_IP/api/configuration/reporting/restbased_subchapters and created a restbased_subchapter that contained a field with a date type in its "fields" value list.

As of SPS 7.3.0, the bug could also be triggered on the SPS UI, under the Reporting > Create & Manage Reports menu item, if a user created a Search-Based subchapter that contained a column that was of type date by pressing the View & edit subchapters button. The bug could be found in the generated report if a field of a date type in a session in the report did not have a value, and instead of the expected "n/a", a blank text ("") was displayed.

This has been fixed so that if a report contains a search-based subchapter (referred as REST-based subchapter on the REST API) that contains a session field of type date and the generated report includes a session that does not contain a value for that date field, the report will contain "n/a" for the field value.

412721

When the user only added or deleted a certificate to a trust store, these actions did not enable the Save button. This issue has been fixed.

340419

Missing name validation for creating or editing LDAP servers.

A unique name validator has added to LDAP server name field to help the user choose an unused one.

340503

Added an Enter key handler to LDAP server shared secret dialog.

340505

When there was an exact match in the list, it could happen that the result was displayed at the end of the list, which means the user was not able to see it immediately if the list was too large and scrollable. This issue has been fixed.

340507

User Preferences -> Search page settings -> Automatic refresh toggle did not affect the Search page background data refreshing. This issue has been fixed.

340519

EU data house is available for starling, but the UI showed that it is not yet supported. This issue has been fixed.

340520

When you create a report for a fixed time frame or a custom time frame, the page shows you the redirection suggestion popup instead of auto redirecting, and it does not redirect you now if there is an error during a custom time framed report creation.

340540

From now on, the online video player will stop when the user presses the forward seek button. This was implemented to make going forward the same as going backwards in the videos.

340542

The "read the release notes" link on the "About" side sheet led to an old page. This link is now fixed and navigates the user to the correct page.

386176

The query of a content based subchapter no longer excepts unpaired double quotes in search words, since it causes an internal error. This fact is also represented in the REST schema of the content subchapter endpoint.

387790

Pagination range was incorrect on the last page when it had 10.000 or more sessions. This issue has been fixed.

422663

RDP protocol negotiation on Windows 11 with Remote Desktop 10.0.22621 fails.

In Windows 11 version 22H2, RDP protocol negotiation has been changed, and now it allows skipping the initial channel join messages. This was not handled by SPS, causing RDP connections fail to start.

This has been fixed, SPS now supports RDP channel join skipping.

425560

When creating a new content subchapter on SPS UI under Reporting > Create & Manage Reports and the user had content subchapters using a protocol connection policy filter without having access to the particular protocol's Connections menupoint, SPS returned a "403 Forbidden: The client is not authorized to access the given resource." error. Furthermore, when the user wanted to create a new conctent subchapter with a protocol connection policy filter, SPS also responded with the previous error and the subchapter could not be created.

This issue has been fixed so the protocol connection policy filter works as expected without access to protocol Connections menupoints.

425741

Table 2: Resolved Common Vulnerabilities and Exposures (CVE) in release 7.0.4 LTS
Resolved Issue Issue ID

avahi:

CVE-2023-1981

bind9:

CVE-2023-2828

cups:

CVE-2023-32324

 

CVE-2023-34241

curl:

CVE-2023-28321

 

CVE-2023-28322

glib2.0:

CVE-2023-24593

 

CVE-2023-25180

 

CVE-2023-29499

 

CVE-2023-32611

 

CVE-2023-32636

 

CVE-2023-32643

 

CVE-2023-32665

libcap2:

CVE-2023-2602

 

CVE-2023-2603

libssh:

CVE-2023-1667

 

CVE-2023-2283

libx11:

CVE-2023-3138

linux:

CVE-2020-36691

 

CVE-2022-0168

 

CVE-2022-1184

 

CVE-2022-27672

 

CVE-2022-4269

 

CVE-2023-0461

 

CVE-2023-1075

 

CVE-2023-1118

 

CVE-2023-1380

 

CVE-2023-1611

 

CVE-2023-1670

 

CVE-2023-1859

 

CVE-2023-2124

 

CVE-2023-2612

 

CVE-2023-30456

 

CVE-2023-3090

 

CVE-2023-3111

 

CVE-2023-3141

 

CVE-2023-31436

 

CVE-2023-32233

 

CVE-2023-32629

 

CVE-2023-3390

 

CVE-2023-35001

ncurses:

CVE-2021-39537

 

CVE-2022-29458

 

CVE-2023-29491

nghttp2:

CVE-2020-11080

open-vm-tools:

CVE-2023-20867

openjdk-lts:

CVE-2023-22006

 

CVE-2023-22036

 

CVE-2023-22041

 

CVE-2023-22045

 

CVE-2023-22049

 

CVE-2023-25193

openssh:

CVE-2020-14145

 

CVE-2023-38408

openssl:

CVE-2022-4304

 

CVE-2023-2650

perl:

CVE-2023-31484

php7.4:

CVE-2023-3247

postgresql-12:

CVE-2023-2454

 

CVE-2023-2455

 

CVE-2023-39417

python3.8:

CVE-2023-24329

requests:

CVE-2023-32681

samba:

CVE-2022-2127

 

CVE-2023-34966

 

CVE-2023-34967

 

CVE-2023-34968

sysstat:

CVE-2023-33204

tiff:

CVE-2022-48281

 

CVE-2023-25433

 

CVE-2023-26965

 

CVE-2023-26966

 

CVE-2023-2908

 

CVE-2023-3316

 

CVE-2023-3618

 

CVE-2023-38288

 

CVE-2023-38289

vim:

CVE-2022-2208

 

CVE-2022-2210

 

CVE-2022-2257

 

CVE-2022-2264

 

CVE-2022-2284

 

CVE-2022-2285

 

CVE-2022-2286

 

CVE-2022-2287

 

CVE-2022-2289

 

CVE-2022-2598

 

CVE-2022-3016

 

CVE-2022-3037

 

CVE-2022-3099

 

CVE-2023-2609

 

CVE-2023-2610

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating