Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 7.2 - Release Notes

Deprecated features

Apache lucene database

In SPS 7.0 LTS, One Identity modified the search for screen content in session data to use the Elasticsearch database only. The Apache lucene database support is phased out, but the query language remained lucene-like.

After the switch to the Elasticsearch database, you will be able to access content stored in an Apache lucene database only if you regenerate the content with the reindex tool. For more information, see Regenerate content stored in lucene indices.

Due to the removal of lucene indices, users are not able to search for content in lucene indices with the content request parameter on the /api/audit/sessions and /api/audit/sessions/stats endpoints.

For more information, see "Searching in the session database with the basic search method" in the REST API Reference Guide and "Session statistics" in the REST API Reference Guide.

Additionally, in Reporting, statistics subchapters that included the audit_content filter will not work. Alternatively, you can use Search-based subchapters with the screen.content filter to create statistic reports from connection metadata that included a specific content in the audit trail.

For more information, see "Creating search-based report subchapters from search results" in the Administration Guide.

Content search option deprecation

On the Search page, the Content search option has been deprecated.

Advanced statistics

Creating statistics from custom queries using the Reporting > View & edit subchapters > Advanced statistics page has been deprecated. The /api/configuration/reporting/custom_subchapters REST API endpoint has also been deprecated.

During the upgrade process, existing advanced statistics subchapters and their references are removed from the SPS configuration. Additionally, advanced statistics ACLs assigned to user groups are also removed from the SPS configuration. Note that if a user group only had the advanced statistics ACL assigned under Users & Access Control > Appliance Access, the whole ACL entry is removed during the upgrade process.

Alternatively, you can use search-based subchapters to query connection metadata. For more information, see "Creating search-based report subchapters from search results" in the Administration Guide.

Resolved issues

The following is a list of issues addressed in this release.

Table 1: General resolved issues in release 7.2
Resolved Issue Issue ID

If a session was terminated, the following message appeared in the session details view of the "Search" page, under "Monitoring Info > Verdict" field: "Terminated by a content policy". The same message was also found in the "Advanced Search recording.verdict" filter suggestion list, next to the value "ACCEPT_TERMINATED" in brackets. The problem with this text was that it was misleading because a session can be terminated not only by a content policy but also by the user.

The "ACCEPT_TERMINATED" recording.verdict message has been fixed to "Terminated by user or content policy". This message now reflects that not only the content policy but also the user can terminate a session.

340185

When generating a report that included the "Four eyes authorizers" subchapter, if there were sessions without four-eyes authorizers, the value pie chart displayed "-1".

Similarly, in "Top 10 username/four-eyes authorizer ..." subchapters if the username was unknown, "-1" represented the value.

Since "-1" is not an intuitive value to represent unknown data, it has been replaced with "n/a".

340215

Previously, it was possible to change the name of the predefined PCI-DSS report to another via the SPS REST API with a PUT request.

This issue has been fixed, because this is not intended behavior. After the fix, if a user wants to change the name of a predefined report via the SPS REST API, the user gets a "Predefined report name cannot be changed" error message. All PCI-DSS reports with a name different from "PCI-DSS" are renamed automatically during firmware upgrade to "PCI-DSS".

340428

The warning icon on the analytics tab was green.

This issue has been fixed.

340478

Text input fields are sometimes too short for SSH algorithms and TLS Cipher strings.

When specifying algorithms on the "SSH Control/Settings" page, the text input fields did not allow to enter texts longer than 150 characters. On the "MSSQL", "RDP", "Telnet" and "VNC Control/Settings" page, the "Cipher strength" field was also affected by the same limitation.

This issue has been fixed. The limit has been raised to 512 characters for SSH algorithms and to 4096 characters for TLS Cipher strings.

340518

Online player encoding settings page was unreadable in dark mode.

Online player dark mode colors have been fixed on the encoding page.

340524

When using a valid Lucene query between brackets, the logic operators were validated as incorrect and the query was marked as invalid.

This issue has been fixed.

340525

In trust stores, when users started to drag and drop something to the certificate upload field, a little overlay appeared on the text field. If the users changed their minds and did not drop the file there, then this overlay stuck. The same problem came up in "Audit keystore > Add new key" (upload-key component).

Drag and drop is no longer stuck in a drag state for certification upload and key upload when the drag event leaves the page or is dropped on the wrong target.

340528

RDP connections may fail after installing the January 11, 2022 Windows update.

After installing the January 11, 2022 Windows update or later Windows updates containing protections for CVE-2022-21857, RDP connections failed if the following conditions were true:

  • There were multiple domains (for example domain A and B) with a trust relationship.
  • The RDP connection was transparent or SPS acted as a Remote Desktop Gateway.
  • NTLM authentication was configured with "Require domain membership" enabled.
  • SPS was in domain A.
  • The target server and user were in domain B.

In these cases the following line was displayed in the system log: "DC refused user authentication;"

The issue is fixed now. The NTLM authentication process has been improved to work with the new security checks.

340538

When trying to generate video and screenshot files over the REST API to an MSSQL session using the /api/audit/sessions/<session-id>/screenshots/_generate and /api/audit/sessions/<session-id>/video/_generate endpoints, respectively, the indexer accepted the job, instead of notifying the users that generating screenshot and video files are not supported by the MSSQL session.

This has been fixed. Now, when users try to generate a screenshot or video for an MSSQL session over REST API, they receive a 400 ContentGenerationNotSupported error on REST API.

340553

Large number of gateway authentications might cause all connections to terminate.

In some cases, after a very large number of gateway authentication, all connections of the affected protocol could terminate due to a double-free issue. In these cases, a core file was also generated, and a stackdump was written to the system log. The issue primarily affected HTTP connections, and, to a smaller degree, RDP connections where SPS was acting as a Remote Desktop Gateway. This issue has been fixed.

340554

When creating or editing a trust store, the UI let users to add the same URLs more than once.

This issue has been fixed. When creating or editing a trust store, a validation process now prevents adding the same crl_url more than once.

340566

When trying to sort sessions on SPS UI under the Search page by analytics score related fields (host login, login time, keystroke, mouse or window title), if none of the sessions had data for the selected analytics field, the REST API of SPS mistakenly returned 400 NotParsableQuery error referring to that the received search query is invalid.

This has been fixed now and sorting should not fail if data is not available for the analytics score related fields.

340583

Trying to generate a Report from the SPS REST API with an ISO-8061 date format that correctly does not have a month part in the start or the end date field, returns an error.

When sending a request to the SPS report generating API endpoint (/api/reports) with a valid ISO 8061 date format in the start or the end date field parameter, SPS responds with an error message if one of the date fields contains a date that does not have a month part. As a result of this, the report generation does not start.

This has been fixed, users can specify the date in the start and end date fields in the SPS REST API in all previous formats and also in ISO 8061 formats. This was achieved by introducing an ISO date parser and keeping the old date parser too. Now SPS successfully performs the report generation between the desired dates.

340592

Users trying to generate a Report from the SPS REST API with an ISO-8061 date format containing week numbers in the start or the end date field (for example 2022-W37-1) got an error message.

When sending a request to the report generating API endpoint (/api/reports) with a valid ISO 8061 date format containing week numbers in the start or the end date field parameter, SPS responded with a 400 "InvalidDate" error. As a result of this, the report generation did not start.

This has been fixed, now the users can specify the date in the start and end date fields in the SPS REST API in all previous formats and also in ISO 8061 formats. The fix included introducing an ISO date parser and keeping the old date parser too. SPS now successfully performs the report generation between the desired dates.

340607

When users tried to search for a session in the audit trail which was not indexed using an indexing policy with "full_indexing" enabled, a misleading error message was shown.

Previously, multiple reasons could lead to this scenario (for example indexing was in progress) and there was only a general error message to handle them. This has been changed and a message specific to the cause of error is shown.

340613

On the "Create & Manage Reports" page, when creating or editing a content-based subchapter, the "Connection policy" and the "Channel policy" fields are changed to drop-down, selectable menus.

340616

The order of the analytic cards on "Analytics summary" page could change randomly.

This issue has been fixed. The order of the analytic cards always follow the same structure.

340620

When the user tries to download an archived session audit trail on central search deployment, the download could fail because SPS could not find the audit trail and the user gets an error message when opening a new tab in the browser.

Trying to download an archived audit trail from SPS in central search deployment gave back an error message when opening a new tab in the browser. This was due to SPS trying to obtain the audit trail file through the local Content Service of the central search node, but it did not succeed because the given audit trail was only available through the Content Service of the minion node on which the given session was recorded.

This issue has been fixed. When the user tries to download an archived trail from the central search node, SPS contacts the Content Service of the minion node on which the session was recorded.

340626

When creating content-based subchapters under "Reporting > Create & Manage Reports > View & edit subchapters > Content-based" subchapters tab with "Connection policy" filter for a protocol, if the connection policy filter was not a valid connection policy ID, the SPS REST API responded with an internal error, despite the error being a user error.

This has been fixed, and now, if the specified connection policy filter is not a valid connection policy ID, the SPS REST API responds with a 400 "Bad Request" error.

340627

Permission error when attempting to start manual backup, restore, or archive operation with per-connection-policy permission.

When a user who had read and write/perform permission for only a few select connection policies within a protocol (but not all connection policies of that protocol) attempted to manually start the backup, restore, or archive operations for such a connection policy, the operation failed to start and a permission error was shown saying "Permission error / Access denied to object; object='/config/scb//connections/connection[@id = '...']', access='write'".

This issue has been fixed. Now users can start the backup, restore, and archive operations for all connection policies for which they had been granted the read and write/perform permission.

380785

The footer of the "About" sidesheet panel was displayed incorrectly in dark mode.

While the color of the default text switched to white, the footer of the sidesheet background remained white, causing a visibility issue.

This issue has been fixed.

386175

When the user tried to create and add a search-based subchapter to a report with an invalid query from the "Search" page and corrected the invalid query at the end of the saving process, the UI included the new subchapter twice in the selected report.

This issue has been fixed.

387233

The cleanup policy sidesheet action row is updated to match the expected style.

387363

Indexer policy field allowed to use the Next button even when no indexer policy value was selected.

Indexer policy field now requires an indexer policy value to be set when indexing is enabled in Quick Connection Setup.

387412

Users could save the X.509 editing page, when the "Status" was "Enabled" but they did not select any trust store.

Fixed the missing 'required' validation on the "X.509 login method form > Trust store field".

Now users cannot submit the form without a trust store selected.

387447

"HTTP Control Settings" page did not show the name of the "Error template".

This issue has been fixed.

387687

RDP logon could cause all connections to terminate.

In some rare cases, a domain user successfully logging into a domain joined RDP server via SPS could cause all RDP connections to terminate. In this case, a core file was also generated. This issue mainly affected transparent connections, or connections where SPS was acting as an RD Gateway, and where the server was behaving in a specific incorrect way during SPNEGO-based NLA authentication.

This has been fixed, the non-standard server behavior is now handled gracefully, and the affected connections will now pass.

388421

Some SSH host keys were not listed.

If the SSH target servers used "ecdsa-sha2-nistp384" or "ecdsa-sha2-nistp521" host keys, then those keys were not displayed under "SSH Control > Server" host keys. This error has been fixed.

As a consequence, the key types above are also supported on the /api/ssh-host-keys endpoint of the REST API.

388635

Protocols TLS 1.0 and 1.1 are removed from indexer service. Only TLS 1.2 or newer protocol versions are supported on the TCP port of the external indexer.

389039

When editing an AD/LDAP server in the case of an already specified Trust store under "User & Access Control > Login Options > Manage AD/LDAP servers", although it was possible to select "Certificate" with "None" status, an error occurred while committing the changes.

This issue has been fixed. You can save and commit your changes when editing AD/LDAP servers.

400763

Even though the '_' character is allowed in an FQDN on the REST API, users could not set a server with this name using the web UI.

FQDN validations have been fixed on the UI.

400765

Misleading error message displayed when MSSQL inband target server does not exist.

In MSSQL connections, using inband target selection, when the DNS name resolution of the target server hostname failed, a misleading login error message, "Gateway authentication failed", was displayed in the MSSQL client. In this case, a traceback was also written to the system log.

These errors have been fixed, and the error message has been updated to reflect that name resolution has failed.

404204

Audit trails and events of Citrix ICA connections may have incorrect dates.

The channels in ICA audit trails recorded on affected SPS versions may appear to be recorded in the future, specifically at, or after 2035-10-29T06:32:22 (UTC). Since audit trails also serve as a basis for audit events, the dates and times shown on the Search interface are also incorrect for the affected sessions.

Digitally signed timestamps created by Time Stamping Authorities, when this feature is enabled for the audit trail, are not affected.

Also, only the records indicating the start of a new channel have wrong timestamps in the audit trail. The actual audited traffic, such as keystrokes, mouse events or graphical content, internally have correct timestamps, but due to an automatic time correction during indexing, those events are also displayed with incorrectly adjusted dates and times.

The audit trail recording error has been fixed, SPS now writes correct times in the audit trail when opening new channels. Existing audit trails recorded with an affected SPS, however, will still show incorrect dates and times.

405227

Table 2: Resolved Common Vulnerabilities and Exposures (CVE) in release 7.2
Resolved Issue Issue ID

bind9:

CVE-2022-3094

curl:

CVE-2022-43552

heimdal:

CVE-2021-44758

CVE-2022-3437

CVE-2022-42898

CVE-2022-44640

CVE-2022-45142

krb5:

CVE-2022-42898

libksba:

CVE-2022-47629

libxpm:

CVE-2022-44617

CVE-2022-46285

CVE-2022-4883

linux:

CVE-2022-2663

CVE-2022-3061

CVE-2022-3643

CVE-2022-42896

CVE-2022-43945

CVE-2022-45934

net-snmp:

CVE-2022-4479

CVE-2022-44792

CVE-2022-44793

openssl:

CVE-2022-4304

CVE-2022-4450

CVE-2023-0215

CVE-2023-0286

pam:

CVE-2022-28321

php7.4:

CVE-2022-31631

python-future:

CVE-2022-40899

python-urllib3:

CVE-2021-33503

samba:

CVE-2022-3437

CVE-2022-3796

CVE-2022-37966

CVE-2022-37967

CVE-2022-38023

CVE-2022-42898

CVE-2022-44640

CVE-2022-45141

setuptools:

CVE-2022-40897

sudo:

CVE-2023-22809

vim:

CVE-2022-0392

CVE-2022-0417

Known issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 3: General known issues
Known Issue

When setting the "Archive data older than:" value to 0 under "Archive policies", you enable same day archiving. Depending on the quantity of the sessions to be archived, the index job can fail if the .zat file is removed by the archiving process before the content indexing is completed. To fix this issue, you must reindex the unindexed sessions manually.;

Caution:

After upgrading to version 7.0 LTS, SPS requires a new license. To avoid possible downtimes due to certain features not being available, before starting the upgrade, ensure that you have a valid SPS license for 7.0 LTS.

Upgrade as follows:

  1. Perform the upgrade to 7.0 LTS with your current license.

  2. Update your SPS license to 7.0 LTS.

For a new SPS license for 7.0 LTS, contact our Licensing Team.

TLS version 1.3 is not supported when using the inWebo, Okta or One Identity Starling 2FA plugins. To ensure that TLS 1.2 is used by SPS during negotiation, specify the minimum and maximum TLS version as follows:

  • For the minimum TLS version, select TLS version 1.2.

  • For the maximum TLS version, select TLS version 1.3.

For more information, see "Verifying certificates with Certificate Authorities using trust stores" in the Administration Guide.

The accuracy of replaying audit trails in Asian languages (Traditional Chinese, Korean) has been enhanced. Due to this change, when upgrading SPS to version 6.11.0, all your sessions will be reindexed, and while reindexing is in progress, your sessions on the Search interface are incomplete. For this reason, plan your upgrade to SPS 6.11.0 accordingly.

Report generation may fail if a report subchapter references a connection policy that has been deleted previously.

SPS can create reports giving detailed information about connections of every connection policy. For this, the user can add connection subchapters in the Report Configuration Wizard, under Reporting > Create & Manage Reports.

For a successful report generation, the referenced connection policy must exist on the appliance. However, when deleting a connection policy that is referenced as a connection subchapter, the user is not warned that the report subchapter must be removed, otherwise the subsequent report generation will fail.

This affects scheduled report generation as well.

Table 4: General known issues
Known Issue Issue ID

External indexer disconnected due to certificates expiry.

You are only affected by this issue if you have enabled external indexing while running SPS version 6.0.4 or 6.4.0 or later where the external indexer certificates were created with a limit of 800 days.

To resolve this issue, see External indexer disconnected due to certificates expiry (4368875) (oneidentity.com).

PAM-16883

System requirements

Before installing SPS 7.2, ensure that your system meets the following minimum hardware and software requirements.

The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.

For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents:

NOTE: When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. Please consult One Identity's Product Support Policies for more information on environment virtualization.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating