
One Identity Safeguard for Privileged Sessions 6.14 - Release Notes

Deprecated features

Apache Lucene database

Starting from SPS 7.0 LTS, One Identity plans to modify the search for screen content in session data to use the Elasticsearch database only. The current Apache Lucene database support will be phased out, but the query language will remain Lucene-like.

After the switch to the Elasticsearch database, you will be able to access content stored in an Apache Lucene database only if you regenerate the content with the reindex tool.

Splunk forwarder

The Splunk forwarder is deprecated as of SPS 6.7 and is now removed. One Identity recommends using the universal SIEM forwarder instead.

Web interface

The /api/configuration/management/webinterface endpoint is deprecated as of SPS 6.13 and is now removed. One Identity recommends using the webinterface_timeout parameter of the /api/configuration/aaa/settings endpoint instead.

Resolved issues

The following is a list of issues addressed in this release.

Table 1: General resolved issues in release 6.14
Resolved Issue | Issue ID

Login methods-related input validators have been extended.

339919

The Login options page was also visible to users who had no permission to view or change anything.

This issue has been fixed: the Login options page is now visible only to users who have permission to access it, and a read-only mode has been added.

340192

The Quick Connection Setup configuration could not be finished if a commit log was required, but its dialog was canceled.

This issue has been fixed: canceling the commit log takes you to the Review page of the Quick Connection Setup configuration.

340196

Setting a server certificate or private key in the last step of the Welcome Wizard fails with an error.

The web server's certificate and private key can be configured in the last step of the Welcome Wizard before finishing it, but due to an error, it was not possible to set a custom certificate and key pair, or to view the automatically generated one. This has been fixed.

340319

LDAP connections can accumulate over a short time period in some cases.

Open LDAP connections could accumulate in several cases, for example when an anonymous bind was used. The reason for this was incorrect internal caching. This was fixed.

340320

Vault details information box width was too small to read.

The width of the information box has been corrected so that it can be read easily.

340323

Users could not upload all supported certifications to trust stores.

Some of the certifications were not visible and the user could not upload those to trust stores. This issue is fixed.

340324

"Accepted" verdict of RDP session could incorrectly turn to "Rejected".

In some rare cases, when the RDP session was established using multiple TCP connections and an intermediate connection failed, the 'Rejected' status was displayed on the UI search page for the session, even if a subsequent connection in the same session was accepted. This was fixed by correctly displaying the final session verdict.

340325

The "platformd" network settings fail on bionic kernel.

This problem was caused by the "pyroute2" library, which has been replaced with a custom implementation.

This issue has been fixed by rewriting the corresponding network component.

340429

RDP connections may fail after installing the January 11, 2022 Windows update.

After installing the January 11, 2022 Windows update or later Windows updates containing protections for CVE-2022-21857, RDP connections failed if the following conditions were true:

  • There were multiple domains (for example domain A and B) with a trust relationship.

  • The RDP connection was transparent or SPS acted as a Remote Desktop Gateway.

  • NTLM authentication was configured with "Require domain membership" enabled.

  • SPS was in domain A.

  • The target server and user were in domain B.

In these cases the following line was displayed in the system log: "DC refused user authentication;"

The issue is fixed now. The NTLM authentication process has been improved to work with the new security checks.

340538

Generate join data for SPS cluster only once to avoid conflict with repeated join request.

SPS generated join data for every join request to the SPS cluster. This meant that a repeated join request deleted the earlier join data on the node that was going to be managed, so if the user joined the SPS with the first join data, the SPS cluster configuration ran into a conflict between the central management node and the managed node.

This issue has been fixed. SPS now generates the join data only once, so the repeated join request will contain the same data, therefore the cluster configuration will not conflict.

340558

Issuer chain from server SSL certificate is dropped if the user committed any changes on the new REST based web UI.

The REST API did not persist the issuer chain of the server SSL certificate. If a user committed any changes on the new REST based web UI or directly at the REST API, then the issuer chain was dropped from the server SSL certificate.

The issue has been fixed, and the REST API now persists the issuer chain of the server SSL certificate.

340559

Audit trails and events of Citrix ICA connections may have incorrect dates.

The channels in ICA audit trails recorded on affected SPS versions may appear to be recorded in the future, specifically at, or after 2035-10-29T06:32:22 (UTC). Since audit trails also serve as a basis for audit events, the dates and times shown on the Search interface are also incorrect for the affected sessions.

Digitally signed timestamps created by Time Stamping Authorities, when this feature is enabled for the audit trail, are not affected.

Also, only the records indicating the start of a new channel have wrong timestamps in the audit trail. The actual audited traffic, such as keystrokes, mouse events or graphical content, internally have correct timestamps, but due to an automatic time correction during indexing, those events are also displayed with incorrectly adjusted dates and times.

The audit trail recording error has been fixed: SPS now writes correct times in the audit trail when opening new channels. Existing audit trails recorded with an affected SPS, however, will still show incorrect dates and times.

405227

Table 2: Resolved Common Vulnerabilities and Exposures (CVE) in release 6.14
Resolved Issue | Issue ID
bash | CVE-2019-18276
bind9 | CVE-2021-25220, CVE-2022-2795, CVE-2022-3094, CVE-2022-38177, CVE-2022-38178
cifs-utils | CVE-2020-14342, CVE-2021-20208, CVE-2022-27239, CVE-2022-29869
cloud-init | CVE-2022-2084, CVE-2023-1786
cups | CVE-2019-8842, CVE-2020-10001, CVE-2022-26691
curl | CVE-2022-22576, CVE-2022-27774, CVE-2022-27775, CVE-2022-27776, CVE-2022-27781, CVE-2022-27782, CVE-2022-32206, CVE-2022-32208, CVE-2022-32221, CVE-2022-35252, CVE-2022-43552, CVE-2023-23916, CVE-2023-27533, CVE-2023-27534, CVE-2023-27535, CVE-2023-27536, CVE-2023-27538
cyrus-sasl2 | CVE-2022-24407
dbus | CVE-2020-35512, CVE-2022-42010, CVE-2022-42011, CVE-2022-42012
dpkg | CVE-2022-1664
e2fsprogs | CVE-2022-1304
erlang | CVE-2022-37026
expat | CVE-2021-45960, CVE-2021-46143, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, CVE-2022-23852, CVE-2022-23990, CVE-2022-25235, CVE-2022-25236, CVE-2022-25313, CVE-2022-25314, CVE-2022-25315, CVE-2022-40674, CVE-2022-43680
ffmpeg | CVE-2020-20445, CVE-2020-20446, CVE-2020-20450, CVE-2020-20453, CVE-2020-21041, CVE-2020-21688, CVE-2020-21697, CVE-2020-22015, CVE-2020-22017, CVE-2020-22019, CVE-2020-22020, CVE-2020-22021, CVE-2020-22022, CVE-2020-22023, CVE-2020-22025, CVE-2020-22026, CVE-2020-22027, CVE-2020-22028, CVE-2020-22029, CVE-2020-22030, CVE-2020-22031, CVE-2020-22032, CVE-2020-22033, CVE-2020-22034, CVE-2020-22035, CVE-2020-22036, CVE-2020-22037, CVE-2020-22042, CVE-2020-35965, CVE-2021-38114, CVE-2021-38171, CVE-2021-38291
freetype | CVE-2022-27404, CVE-2022-27405, CVE-2022-27406, CVE-2022-31782
fribidi | CVE-2022-25308, CVE-2022-25309, CVE-2022-25310
glibc | CVE-2016-10228, CVE-2019-25013, CVE-2020-27618, CVE-2020-29562, CVE-2020-6096, CVE-2021-27645, CVE-2021-3326, CVE-2021-35942, CVE-2021-3999, CVE-2022-23218, CVE-2022-23219
gmp | CVE-2021-43618
gnupg2 | CVE-2022-34903
gnutls28 | CVE-2021-4209, CVE-2022-2509, CVE-2023-0361
gzip | CVE-2022-1271
harfbuzz | CVE-2022-33068
heimdal | CVE-2021-3671, CVE-2021-44758, CVE-2022-3116, CVE-2022-3437, CVE-2022-41916, CVE-2022-42898, CVE-2022-44640, CVE-2022-45142
ipmitool | CVE-2020-5208
isc-dhcp | CVE-2022-2928, CVE-2022-2929
jbigkit | CVE-2017-9937
klibc | CVE-2021-31870, CVE-2021-31871, CVE-2021-31872, CVE-2021-31873
krb5 | CVE-2021-36222, CVE-2021-37750, CVE-2022-42898
ldb | CVE-2021-3670, CVE-2022-32745, CVE-2022-32746, CVE-2023-0614
libinput | CVE-2022-1215
libjpeg-turbo | CVE-2020-17541, CVE-2020-35538, CVE-2021-46822
libksba | CVE-2022-3515, CVE-2022-47629
libsepol | CVE-2021-36084, CVE-2021-36085, CVE-2021-36086, CVE-2021-36087
libtirpc | CVE-2021-46828
libxml2 | CVE-2016-3709, CVE-2022-2309, CVE-2022-23308, CVE-2022-29824, CVE-2022-40303, CVE-2022-40304, CVE-2023-28484, CVE-2023-29469
libxpm | CVE-2022-44617, CVE-2022-46285, CVE-2022-4883
libxslt | CVE-2021-30560
linux | CVE-2020-27820, CVE-2021-26401, CVE-2021-33061, CVE-2021-33655, CVE-2021-33656, CVE-2021-3669, CVE-2022-0001, CVE-2022-0435, CVE-2022-0492, CVE-2022-0516, CVE-2022-0847, CVE-2022-1016, CVE-2022-1055, CVE-2022-1116, CVE-2022-1652, CVE-2022-1679, CVE-2022-1734, CVE-2022-1789, CVE-2022-1966, CVE-2022-21123, CVE-2022-21125, CVE-2022-21166, CVE-2022-21499, CVE-2022-2196, CVE-2022-23960, CVE-2022-25636, CVE-2022-2586, CVE-2022-2588, CVE-2022-2602, CVE-2022-26490, CVE-2022-2663, CVE-2022-27223, CVE-2022-27666, CVE-2022-28388, CVE-2022-28390, CVE-2022-28893, CVE-2022-29581, CVE-2022-2978, CVE-2022-29901, CVE-2022-3028, CVE-2022-3061, CVE-2022-3108, CVE-2022-3176, CVE-2022-34918, CVE-2022-3524, CVE-2022-3545, CVE-2022-3564, CVE-2022-3565, CVE-2022-3566, CVE-2022-3567, CVE-2022-3594, CVE-2022-3621, CVE-2022-3643, CVE-2022-36946, CVE-2022-3903, CVE-2022-40768, CVE-2022-41218, CVE-2022-4139, CVE-2022-41674, CVE-2022-42703, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721, CVE-2022-42896, CVE-2022-4382, CVE-2022-43945, CVE-2022-45934, CVE-2022-47520, CVE-2023-0266, CVE-2023-0461, CVE-2023-1281, CVE-2023-23559, CVE-2023-26545
multipath-tools | CVE-2022-41973, CVE-2022-41974
net-snmp | CVE-2022-24805, CVE-2022-24806, CVE-2022-24807, CVE-2022-24808, CVE-2022-24809, CVE-2022-24810, CVE-2022-4479, CVE-2022-44792, CVE-2022-44793
nginx | CVE-2020-11724, CVE-2020-36309, CVE-2021-3618, CVE-2022-41741, CVE-2022-41742
nss | CVE-2020-25648, CVE-2022-22747, CVE-2022-34480, CVE-2023-0767
open-vm-tools | CVE-2022-31676
openjdk-lts | CVE-2022-21248, CVE-2022-21277, CVE-2022-21282, CVE-2022-21283, CVE-2022-21291, CVE-2022-21293, CVE-2022-21294, CVE-2022-21296, CVE-2022-21299, CVE-2022-21305, CVE-2022-21340, CVE-2022-21341, CVE-2022-21360, CVE-2022-21365, CVE-2022-21366, CVE-2022-21426, CVE-2022-21434, CVE-2022-21443, CVE-2022-21476, CVE-2022-21496, CVE-2022-21540, CVE-2022-21541, CVE-2022-34169, CVE-2023-21835, CVE-2023-21843
openldap | CVE-2022-29155
openssl | CVE-2022-0778, CVE-2022-1292, CVE-2022-2068, CVE-2022-2097, CVE-2022-4304, CVE-2022-4450, CVE-2023-0215, CVE-2023-0286, CVE-2023-0464, CVE-2023-0465, CVE-2023-0466
pam | CVE-2022-28321
pcre2 | CVE-2022-1586, CVE-2022-1587
pcre3 | CVE-2019-20838, CVE-2020-14155
perl | CVE-2020-16156
php7.4 | CVE-2017-8923, CVE-2017-9118, CVE-2017-9119, CVE-2017-9120, CVE-2021-21707, CVE-2021-21708, CVE-2022-31625, CVE-2022-31626, CVE-2022-31628, CVE-2022-31629, CVE-2022-31630, CVE-2022-31631, CVE-2022-37454, CVE-2023-0567, CVE-2023-0568, CVE-2023-0662
pillow | CVE-2022-22817, CVE-2022-24303, CVE-2022-45198
pixman | CVE-2022-44638
postgresql-12 | CVE-2022-1552, CVE-2022-2625, CVE-2022-41862
protobuf | CVE-2021-22570, CVE-2022-1941
pyjwt | CVE-2022-29217
python-future | CVE-2022-40899
python-ldap | CVE-2021-46823
python-urllib3 | CVE-2021-33503
python2.7 | CVE-2015-20107
python3.8 | CVE-2015-20107, CVE-2022-0391, CVE-2022-37454, CVE-2022-45061, CVE-2023-24329
redis | CVE-2022-0543
rsync | CVE-2018-25032, CVE-2022-29154, CVE-2022-37434
samba | CVE-2021-3670, CVE-2022-2031, CVE-2022-32742, CVE-2022-32744, CVE-2022-32745, CVE-2022-32746, CVE-2022-3437, CVE-2022-3796, CVE-2022-37966, CVE-2022-37967, CVE-2022-38023, CVE-2022-42898, CVE-2022-44640, CVE-2022-45141, CVE-2023-0614, CVE-2023-0922
setuptools | CVE-2022-40897
shadow | CVE-2013-4235
sqlite3 | CVE-2020-35525, CVE-2020-35527, CVE-2021-20223, CVE-2021-36690, CVE-2022-35737
sqlparse | CVE-2023-30608
strongswan | CVE-2022-40617
sudo | CVE-2023-22809, CVE-2023-2848, CVE-2023-28486, CVE-2023-28487
sysstat | CVE-2022-39377
systemd | CVE-2022-3821, CVE-2022-4415
tar | CVE-2021-20193, CVE-2022-48303
tcpdump | CVE-2018-16301, CVE-2020-8037
tiff | CVE-2020-35522, CVE-2022-0561, CVE-2022-0562, CVE-2022-0865, CVE-2022-0891, CVE-2022-0907, CVE-2022-0908, CVE-2022-0909, CVE-2022-0924, CVE-2022-1354, CVE-2022-1355, CVE-2022-2056, CVE-2022-2057, CVE-2022-2058, CVE-2022-22844, CVE-2022-2867, CVE-2022-2868, CVE-2022-2869, CVE-2022-34526, CVE-2022-3570, CVE-2022-3598, CVE-2022-3599, CVE-2022-3970, CVE-2023-0795, CVE-2023-0796, CVE-2023-0797, CVE-2023-0798, CVE-2023-0799, CVE-2023-0800, CVE-2023-0801, CVE-2023-0802, CVE-2023-0803, CVE-2023-0804
vim | CVE-2021-4166, CVE-2021-4192, CVE-2021-4193, CVE-2022-0213, CVE-2022-0261, CVE-2022-0318, CVE-2022-0319, CVE-2022-0351, CVE-2022-0359, CVE-2022-0361, CVE-2022-0368, CVE-2022-0392, CVE-2022-0408, CVE-2022-0413, CVE-2022-0417, CVE-2022-0443, CVE-2022-0554, CVE-2022-0572, CVE-2022-0629, CVE-2022-0685, CVE-2022-0714, CVE-2022-0729, CVE-2022-0943, CVE-2022-1154, CVE-2022-1616, CVE-2022-1619, CVE-2022-1620, CVE-2022-1621, CVE-2022-1629, CVE-2022-1674, CVE-2022-1720, CVE-2022-1733, CVE-2022-1735, CVE-2022-1785, CVE-2022-1796, CVE-2022-1851, CVE-2022-1898, CVE-2022-1927, CVE-2022-1942, CVE-2022-1968, CVE-2022-2124, CVE-2022-2125, CVE-2022-2126, CVE-2022-2129, CVE-2022-2175, CVE-2022-2183, CVE-2022-2206, CVE-2022-2207, CVE-2022-2304, CVE-2022-2344, CVE-2022-2345, CVE-2022-2571, CVE-2022-2581, CVE-2022-2845, CVE-2022-2849, CVE-2022-2923, CVE-2022-2946, CVE-2022-2980, CVE-2022-47024, CVE-2023-0049, CVE-2023-0054, CVE-2023-0288, CVE-2023-0433, CVE-2023-1170, CVE-2023-1175, CVE-2023-1264
wayland | CVE-2021-3782
xz-utils | CVE-2022-1271
zlib | CVE-2018-25032, CVE-2022-37434

Known issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 3: General known issues
Known Issue

TLS version 1.3 is not supported when using the inWebo, Okta or One Identity Starling 2FA plugins. To ensure that TLS 1.2 is used by SPS during negotiation, specify the minimum and maximum TLS version as follows:

  • For the minimum TLS version, select TLS version 1.2.

  • For the maximum TLS version, select TLS version 1.3.

For more information, see .

The accuracy of replaying audit trails in Asian languages (Traditional Chinese, Korean) has been enhanced. Due to this change, when upgrading SPS to version 6.11.0, all your sessions will be reindexed, and while reindexing is in progress, your sessions on the Search interface are incomplete. For this reason, plan your upgrade to SPS 6.11.0 accordingly.

Report generation may fail if a report subchapter references a connection policy that has been deleted previously.

SPS can create reports giving detailed information about connections of every connection policy. For this, the user can add connection subchapters in the Report Configuration Wizard, under Reporting > Create & Manage Reports.

For a successful report generation, the referenced connection policy must exist on the appliance. However, when deleting a connection policy that is referenced as a connection subchapter, the user is not warned that the report subchapter must be removed, otherwise the subsequent report generation will fail.

This affects scheduled report generation as well.

System requirements

Before installing SPS 6.14, ensure that your system meets the following minimum hardware and software requirements.

The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.

For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents:

NOTE: When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. Please consult One Identity's Product Support Policies for more information on environment virtualization.
