Chat now with support
Chat mit Support

One Identity Safeguard for Privileged Sessions 8.0 LTS - Release Notes

Deprecated features

Apache lucene database

In SPS 7.0 LTS, One Identity modified the search for screen content in session data to use the search database only. The Apache lucene database support is phased out, but the query language remained lucene-like.

After the switch to the search database, you will be able to access content stored in an Apache lucene database only if you regenerate the content with the reindex tool. For more information, see Regenerate content stored in lucene indices.

Due to the removal of lucene indices, users are not able to search for content in lucene indices with the content request parameter on the /api/audit/sessions and /api/audit/sessions/stats endpoints.

For more information, see Searching in the session database with the basic search method in the REST API Reference Guide and Session statistics in the REST API Reference Guide.

Additionally, in Reporting, statistics subchapters that included the audit_content filter will not work. Alternatively, you can use Search-based subchapters with the screen.content filter to create statistic reports from connection metadata that included a specific content in the audit trail.

For more information, see Creating search-based report subchapters from search results in the Administration Guide.

Content search option deprecation

On the Sessions page, the Content search option has been deprecated.

Advanced statistics

Creating statistics from custom queries using the Reporting > View & edit subchapters > Advanced statistics page has been deprecated. The /api/configuration/reporting/custom_subchapters REST API endpoint has also been deprecated.

During the upgrade process, existing advanced statistics subchapters and their references are removed from the SPS configuration. Additionally, advanced statistics ACLs assigned to user groups are also removed from the SPS configuration. Note that if a user group only had the advanced statistics ACL assigned under Users & Access Control > Appliance Access, the whole ACL entry is removed during the upgrade process.

Alternatively, you can use search-based subchapters to query connection metadata. For more information, see Creating search-based report subchapters from search results in the Administration Guide.

User lists

On the Policies page, User lists are allow lists or deny lists of usernames that allow fine-control over who can access a connection or a channel. However, the configuration and the semantics of this policy can be ambiguous. Therefore, One Identity is planning the deprecation and removal of the User lists feature in a future SPS release. If you want to maintain the list of allowed usernames, you can use AD/LDAP groups instead.

NOTE: This feature will be deprecated and removed in a future SPS release. The feature is still available in SPS 8.0 LTS.

Resolved issues

The following is a list of issues addressed in this release.

Table 1: General resolved issues in release 8.0 LTS
Resolved Issue Issue ID

After applying the 24H2 update on Windows 11 client computers, the rendering of the RDP screen of One Identity Safeguard for Privileged Sessionsfailed, as it displayed a mostly black screen. The issue was fixed, and now the RDP screen appears correctly.

468209

With verbose system logs enabled, the Test button of an item under Policies > LDAP Servers logged the ldap password to /var/log/messages.

After the fix, the password is replaced with the [removed sensitive data] text.

468478

The gateway and remote groups mentioned in all rules of a channel policy were checked for user membership on incoming connections. For channel policies containing high number of rules, this placed unnecessary load on the AD/LDAP server configured for the connection. If the AD/LDAP server failed under the load, connections were rejected until a failover or its recovery.

As an optimization, group membership is now evaluated only for groups mentioned in rules that match the source address of the incoming connection.

413694

When the user name contained the inband destination separator character (in case of RDP, it is a "%" character, while for all other protocols, it is one of "@" or "%" characters), then the user name was processed like it was carrying both the user identifier and the inband destination. Despite being a documented behavior, this was counterintuitive when the connection policy did not allow inband destination selection.

Following the current release, the destination is only extracted from the user name when inband destination selection is enabled.

450477

The secp256r1 elliptic curve is not required when a proxy connection is created to the target server via TLS.

380752

Mouse algorithm baselines can grow too large preventing backup to happen. After this patch, mouse baselines are cleaned up much earlier.

441246

When a user tries to play an RDP session on the webplayer where only upstream is encrypted and the key is specified in the keystore, the webplayer plays the session with the event subtitle without warning.

459691

Auditors who used the SPS web UI with dark theme and were restricted by audit data access rule (ADAR) were unable to read the warning under the Sessions menu conveying the message "Your search results are limited. Learn more about ADARs." as the white text was displayed with a white background.

This has been fixed and now the warning should be visible properly in dark theme mode as well.

460481

When the user clicks on a microcontent link, the pop-up dialog style now fits into the SPS general style.

340522

Under moderately high load, the communication with external AD/LDAP servers could be interrupted, and this resulted in failed authentication attempts.

This problem was fixed and interrupted requests are now retried within a timeout.

434120

The system backup has been updated to include a check of the analytics database size before initiating the backup procedure. This adjustment aims to prevent situations where the backup process might fill up the disk, triggering the disk fill-up prevention.

441254

In cluster environments, if a node was elected as search master after it was used as a search local node, active sessions might appear and stuck on the sessions page as ACTIVE sessions.

After the fix old sessions are closed.

441263

In certain cases closed sessions stuck in ACTIVE state. After upgrading to a fixed version, they are going to be closed.

445832

When the files access permission is wrong on the server side, the user can see an informative error message.

416926

The new behavior is that when the network address or prefix is not valid, the following error message comes up:"Invalid entry in the Routing table. The network address and the netmask do not match because you have used a network address that contains host bits. This could cause your machine to disconnect from the network. Make sure you use a network address that has no host bits set.".

340004

The graphs for the Pyhisical interface 4-5 are now shown as expected.

340003

Removed misleading character recommendations from hint and validation messages.

431683

After confirming the deletion of a cleanup policy item, there is a loading overlay while the request finishes.

432356

The risky analytics elements keep visible on the Session Details page after switching to the Analytics tabs.

393640

The Lucene based query inputs validate the boolean type fields.

413510

When SPP is overloaded, the SPP fetcher might time out. The default timeout of the used https library is 1 minute. The default timeout has been increased to 5 minutes. The following configuration values can be used after the fix to increase the timeout values even further: pam.vaultFetcher.requestTimeoutInSeconds, pam.vaultFetcher.connectionTimeoutInSeconds.

446838

The Edit report sidesheet keeps the subchapter drop-down state while editing.

447404

Changed to break words inside the input, so it works as previously.

447965

The SAML2 related guide links on the Login Options page are now pointing to the correct descriptions.

448522

The permission denied error message now links to the correct home page.

449991

System backup is configured by referencing a backup policy. Even when the referenced backup policy contained multiple start times, system backup was scheduled to run only once a day. This error has been fixed.

456655

When opening a vault session on the Details page from the Sessions tab, it will support the dark theme.

457411

So far, the Search/Search in all connections ACL alone granted users access to query and see all sessions via the REST API, but the Sessions page was not accessible on SPS UI.

The right behavior of this ACL is to authorize users to see all sessions but not grant access to /api/audit/sessions* endpoints. In order to access the /api/audit/sessions* endpoints and to the Sessions page on the UI the Search/Search ACL must be used.

This issue has been fixed now, so the Search/Search in all connections ACL does not grant access to /api/audit/sessions* endpoints.

458356

Fixed Sudo IOlog DNS resolution timeout problem.

Previously, when SPS tried to resolve a domain name when accepting a Sudo IOlog connection and the DNS server was unresponsive, it waited for too long to time out. This has been fixed, and now the timeouts are correctly enforced when resolving domain names.

446227

The rendering issues are caused by a new image format used by the ThinWire2 protocol. The Safeguard Desktop Player and the external indexers are now able to use a codec provided by Citrix to decode these images.

For more information, contact Citrix.

339849

In previous versions, RDP connections that used an explicit UPN username (user@domain) would result in logon failure. Following the current release, SPS supports using UPN usernames in RDP connections.

340573

Use the correct port placeholders and previews on the Connection Setup Wizard page.

387210

On the Sessions page on the SPS web UI, when users did not have the proper audit data access rules (ADAR) to view sessions, a missing ADAR alert could be seen twice if the timeline statistics chart was switched on.

This has been fixed so that when users do not have ADAR, only one ADAR alert is shown on the Sessions page.

460524

The quick search showed menu results for master and minion machines that should not have been visible.

441044

The user might get a configuration lock warning without a user name if the user uses SPS from multiple browsers (unsupported usage).

Since SPS 7.5 only one web session is allowed per user. As a result, the earlier configuration lock of the user is invalidated together with the web session.

461096

Fixed the issue where event processing could stop after a configuration change.

460598

When the SPS REST API was accessed from PowerShell using the Invoke-WebRequest command, the request was rejected with the following error message: Expected X-Token header to be sent in the request. This error was corrected.

455087

Now you cannot create a report from the Sessions page when you have missing chapter names. Previously, this caused an error in the end of the configuration process.

462886

Now, you cannot skip the required chapter name field in chapter creation, which caused an error previously.

462916

Now the Next button in the report creation is working properly and does not get stuck when using the steps to navigate.

462978

Before the fix, the query strings in the chat messages were not highlighted. After the fix, these query strings are highlighted, and the navigation buttons will navigate to the audit page and fill the query field with the suggested query.

463004

Fixed that sometimes sessions are not closed properly.

452996

Missing sanitization on the HTTP error template preview page.

SPS lets administrators customize templates for error messages used in HTTP protocol traffic. When an administrator accessed the Markdown editor and the side-by-side preview button was pressed, the HTML code was run in the administrator's browser without sanitization. This could allow a malicious administrator to perform a Cross-site Scripting (XSS) attack against other administrators, but only if the victims pressed the side-by-side preview button.

This issue was fixed and now the Markdown editor sanitizes the HTML elements before displaying a preview.

464543

When trying to join SPS to Starling on SPS UI under the Basic settings > Starling Integration menu point, SPS checked the One Identity Starling service availability from the Starling status page to determine whether SPS can be joined to Starling.

However, the status of this service is unrelated whether the join can be performed, so the join availability check has been rewritten to check the status of the join-related services.

The Starling services status page has been removed for two reasons:

  1. SPS displayed the status of the join-related services, which is irrelevant after SPS has been joined to Starling.

  2. SPS displayed the Starling service statuses incorrectly since multiple service instances are available with the introduction of multiple regions. SPS displayed the status for only one service instance which could have been misleading.

When the status of Starling services should be checked, the following page should be visited:https://status.cloud.oneidentity.com/.

457798

For more information, see CVE-2024-40595.

339857

Previously when a report contained only session-related subchapters and used only the sessions database as datasource, the report generation on nodes with search-minion role would fail without user feedback as the sessions database is not available on these nodes.

To fix this issue, SPS checks whether the report can be generated on the current node before starting the report generation either from the SPS Web UI under Reporting > Create & Manage Reports menupoint or via the REST API. When the report cannot be generated, an error is raised including hints on which nodes the report can be generated successfully.

418088

In certain cases closed sessions stuck in ACTIVE state. After upgrading to a fixed version, they are going to be closed.

441264

Previously, some texts were incorrectly colored on the Session details pages in dark theme. Now, the issue is resolved.

427870

The HTTP settings page UI did not allow timeouts below 10 seconds, but the backend accepted it.

447477

SAML2 authentication requests sent to Identity Providers used the RSA-SHA1 algorithm, which is not considered secure.

SPS now uses RSA-SHA256 for signing SAML2 authentication requests.

467297

Table 2: Resolved Common Vulnerabilities and Exposures (CVE) in release 8.0 LTS

Resolved Issue

Issue ID

apparmor: CVE-2016-1585
bash:

CVE-2022-3715

bind9:

CVE-2023-3341

  CVE-2023-4236
  CVE-2023-4408
  CVE-2023-50387
  CVE-2023-50868
  CVE-2023-5517
  CVE-2023-5679
  CVE-2024-0760
  CVE-2024-1737
  CVE-2024-1975
  CVE-2024-4076
bubblewrap:

CVE-2024-42472

busybox:

CVE-2022-48174

cpio:

CVE-2015-1197

  CVE-2023-7207
cups:

CVE-2024-35235

curl:

CVE-2024-2398

  CVE-2024-7264
  CVE-2024-8096
expat:

CVE-2023-52425

  CVE-2024-28757
  CVE-2024-45490
  CVE-2024-45491
  CVE-2024-45492
freerdp2:

CVE-2024-22211

  CVE-2024-32039
  CVE-2024-32040
  CVE-2024-32041
  CVE-2024-32458
  CVE-2024-32459
  CVE-2024-32460
  CVE-2024-32658
  CVE-2024-32659
  CVE-2024-32660
  CVE-2024-32661
glib2.0:

CVE-2024-34397

glibc:

CVE-2024-2961

  CVE-2024-33599
  CVE-2024-33600
  CVE-2024-33601
  CVE-2024-33602
gnutls28:

CVE-2024-28834

  CVE-2024-28835
jinja2:

CVE-2024-34064

klibc:

CVE-2016-9840

  CVE-2016-9841
  CVE-2018-25032
  CVE-2022-37434
krb5:

CVE-2024-37370

  CVE-2024-37371
less:

CVE-2024-32487

libvpx:

CVE-2024-5197

linux:

CVE-2023-23000

  CVE-2023-24023
  CVE-2023-32247
  CVE-2023-46838
  CVE-2023-47233
  CVE-2023-52447
  CVE-2023-52530
  CVE-2023-52600
  CVE-2023-52603
  CVE-2023-52629
  CVE-2023-52752
  CVE-2023-52760
  CVE-2023-6039
  CVE-2024-1085
  CVE-2024-1086
  CVE-2024-21823
  CVE-2024-2201
  CVE-2024-22705
  CVE-2024-23307
  CVE-2024-23850
  CVE-2024-23851
  CVE-2024-24855
  CVE-2024-24861
  CVE-2024-25742
  CVE-2024-26581
  CVE-2024-26583
  CVE-2024-26584
  CVE-2024-26585
  CVE-2024-26622
  CVE-2024-26642
  CVE-2024-26643
  CVE-2024-26677
  CVE-2024-26680
  CVE-2024-26733
  CVE-2024-26735
  CVE-2024-26736
  CVE-2024-26748
  CVE-2024-26782
  CVE-2024-26792
  CVE-2024-26809
  CVE-2024-26828
  CVE-2024-26830
  CVE-2024-26886
  CVE-2024-26921
  CVE-2024-26922
  CVE-2024-26924
  CVE-2024-26926
  CVE-2024-26952
  CVE-2024-27012
  CVE-2024-27017
  CVE-2024-27397
  CVE-2024-36016
  CVE-2024-36901
  CVE-2024-38570
  CVE-2024-38630
  CVE-2024-39292
  CVE-2024-39484
  CVE-2024-39494
  CVE-2024-39496
  CVE-2024-41009
  CVE-2024-42160
  CVE-2024-42228
  CVE-2024-45016
nano:

CVE-2024-5742

nghttp2:

CVE-2024-28182

nginx:

CVE-2024-7347

nss:

CVE-2022-34480

  CVE-2023-0767
  CVE-2023-5388
  CVE-2023-6135
openjpeg2:

CVE-2023-39327

openssh:

CVE-2024-6387

openssl:

CVE-2022-40735

  CVE-2024-2511
  CVE-2024-4603
  CVE-2024-4741
  CVE-2024-5535
  CVE-2024-6119
php8.1:

CVE-2022-4900

  CVE-2024-2756
  CVE-2024-3096
  CVE-2024-5458
  CVE-2024-8925
  CVE-2024-8927
  CVE-2024-9026
pillow:

CVE-2024-28219

postgresql-14:

CVE-2024-4317

  CVE-2024-7348
python-idna:

CVE-2024-3651

python-urllib3:

CVE-2024-37891

python-zipp:

CVE-2024-5569

python3.10:

CVE-2023-27043

  CVE-2023-6597
  CVE-2024-0397
  CVE-2024-0450
  CVE-2024-4032
  CVE-2024-6232
  CVE-2024-6923
  CVE-2024-7592
  CVE-2024-8088
setuptools:

CVE-2024-6345

sqlparse:

CVE-2024-4340

strongswan:

CVE-2022-4967

tiff:

CVE-2023-3164

  CVE-2024-7006
util-linux:

CVE-2022-0563

  CVE-2024-28085
vim:

CVE-2023-2426

  CVE-2024-22667
  CVE-2024-41957
  CVE-2024-43374
  CVE-2024-43802
wget:

CVE-2024-38428

Known issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 3: General known issues
Known Issue

The api/audit/sessions endpoint cannot return fields of complex objects nested in lists.

When the api/audit/sessions endpoint receives a query where the fields parameter is provided with list type fields, then these fields will be missing from the response, for example: vault.reviewed.* and vault.approved.*.

Search-based subchapters present some data as missing, regardless of their actual status.

When trying to create a report with subchapters that include the fields listed below, n/a will be presented in the report for these fields, even if data is stored in the database for those fields.

Known affected fields:

  • Reviewed user id

  • Reviewed user name

  • Reviewed domain name

  • Reviewed user display name

  • Reviewed client ip address

  • Reviewed comment

  • Reviewed timestamp

  • Approved user id

  • Approved user name

  • Approved domain name

  • Approved user display name

  • Approved client ip address

  • Approved comment

  • Approved timestamp

TLS version 1.3 is not supported when using the inWebo, Okta or One Identity Starling 2FA plugins. To ensure that TLS 1.2 is used by SPS during negotiation, specify the minimum and maximum TLS version as follows:

  • For the minimum TLS version, select TLS version 1.2.

  • For the maximum TLS version, select TLS version 1.3.

For more information, see Verifying certificates with Certificate Authorities using trust stores in the Administration Guide.

The accuracy of replaying audit trails in Asian languages (Traditional Chinese, Korean) has been enhanced. Due to this change, when upgrading SPS to version 6.11.0, all your sessions will be reindexed, and while reindexing is in progress, your sessions on the Search interface are incomplete. For this reason, plan your upgrade to SPS 6.11.0 accordingly.

Report generation may fail if a report subchapter references a connection policy that has been deleted previously.

SPS can create reports giving detailed information about connections of every connection policy. For this, the user can add connection subchapters in the Report Configuration Wizard, under Reporting > Create & Manage Reports.

For a successful report generation, the referenced connection policy must exist on the appliance. However, when deleting a connection policy that is referenced as a connection subchapter, the user is not warned that the report subchapter must be removed, otherwise the subsequent report generation will fail.

This affects scheduled report generation as well.

Table 4: General known issues
Known Issue Issue ID

External indexer disconnected due to certificates expiry.

You are only affected by this issue if you have enabled external indexing while running SPS version 6.0.4 or 6.4.0 or later where the external indexer certificates were created with a limit of 800 days.

To resolve this issue, see External indexer disconnected due to certificates expiry (4368875) (oneidentity.com).

PAM-16883

System requirements

Before installing SPS 8.0 LTS, ensure that your system meets the following minimum hardware and software requirements.

The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.

For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents:

NOTE: When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. For more information about environment virtualization, see One Identity's Product Support Policies.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen