Chatee ahora con Soporte
Chat con el soporte

One Identity Safeguard for Privileged Sessions 6.0.12 - Release Notes

Resolved issues

NOTE: CVE-2021-44228, also named Log4Shell, is a Remote Code Execution (RCE) class vulnerability. The Apache Log4j library has been updated to version 2.17.1; therefore, SPS is protected against CVE-2021-44228 and against the following related vulnerabilities:
  • CVE-2021-44832

  • CVE-2021-45046

  • CVE-2021-45105

The following is a list of issues addressed in this release.

Table 1: General resolved issues in One Identity Safeguard for Privileged Sessions version 6.0.12
Resolved Issue Issue ID

SSH connections fail when the SHA1-based ssh-rsa host key algorithm is disabled on the client or on the server.

SSH connections going through SPS 6.0.12 fail when the client or the server disables the SHA1-based ssh-rsa host key algorithm. The message "Unable to find a matching kex or host key algorithm" is logged in the system log. The cause of this issue was that the latest SSH software disabled the insecure ssh-rsa host key algorithm by default, which was the only algorithm supported by SPS. This issue has been fixed by adding support for the more secure SHA2-based rsa host key algorithms. SPS now offers the rsa-sha2-512, rsa-sha2-256 and ssh-rsa host key algorithms, in this order.

PAM-15628

SPP detects that SPS is unavailable. The possible reason is that when SPP checks the "configuration_sync" field of the response from /api/cluster/status/<node-id> SPS does not fill out the "configuration_sync" field for the `central-management` node.

Now SPS fills out the "configuration_sync" field for the `central-management` node as an `up-to-date` node.

PAM-15404

Due to an internal error, the local user could not change its own password.

Now the local user can change its own password.

PAM-15293

Due to an unclean shutdown, the postgresql can not be upgraded.

Fixed issue by making the postgresql upgrade more robust.

PAM-15253

Due to an unexpected side effect of a change in SPS versions 6.10.0 and 6.0.10, the AWS images were accidentally shipped with a hard-coded node ID. This prevented SPS nodes hosted on AWS from being able to join a cluster, and also the backup and the archival of the different nodes might have resulted in overwritten files.

Amazon images now come with a fixed node ID. The problem was fixed by changing the way the initial node ID was generated. Note that the node ID of existing installations are not changed, because the node ID change drops the node out of a management cluster and makes the previous archives and backups unavailable. Only the Amazon deployments were affected, the node ID on any other platforms has always been generated correctly on the first boot.

PAM-15192

The validation of proxy settings name differed on the REST API and on the Web UI.

The validation has been synchronized and invalid proxy settings cannot be set anymore on the REST API. The cause of this issue was that REST API allowed '.' and '-' characters in the name of proxy settings, which resulted in an invalid configuration.

PAM-15042

Incorrect handling of Remote Desktop Protocol (RDP) Dynamic Virtual Channels (DVCs). Due to the incorrect handling of DVCs which were rejected by the client or denied by policy, any of the following could occur, depending on the configuration:

  • Allowing a DVC which should have been denied by policy

  • Denying a DVC which should have been allowed by policy

  • Recording a DVC in the audit trail which should not have been recorded

  • Not recording a DVC which should have been recorded

  • Recording a DVC with a wrong name in the audit trail

DVCs denied by policy or rejected by the client are now evaluated and recorded correctly. The Remote Desktop Protocol allows the use of DVCs, which may be opened and closed by the server anytime during an RDP connection, and the client is free to accept or reject such channels. In SPS, it is possible to define channel policy decisions for these DVCs. For example, it is possible to selectively allow or deny such channels based on their names, or to enable auditing for only some of them.

PAM-14941

The log did not display properly the details of an ES failure.

The log now contains the details of the ES failures. When the user navigates to Basic Settings/Management/System backup and clicks on Backup now, a backup process is started. During this backup, an ES backup is also created. If the ES backup returned multiple errors (for example, not allocated primary shard), the log contained an "array" string, instead of the detailed failure reason.

PAM-12526

Known issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 2: General known issues in One Identity Safeguard for Privileged Sessions version 6.0.12
Known Issue

 

System requirements

Before installing SPS 6.0.12, ensure that your system meets the following minimum hardware and software requirements.

The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.

For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents:

Supported web browsers and operating systems

Caution:

Since the official support of Internet Explorer 9 and 10 ended in January, 2016, they are not supported in One Identity Safeguard for Privileged Sessions (SPS) version 4 F3 and later.

Caution:

Even though the One Identity Safeguard for Privileged Sessions (SPS) web interface supports Internet Explorer and Microsoft Edge in general, to replay audit trails you need to use Internet Explorer 11, and install the Google WebM Video for Microsoft Internet Explorer plugin. If you cannot install Internet Explorer 11 or another supported browser on your computer, use the the Safeguard Desktop Player application. For details, see "Replaying audit trails in your browser" in the Administration Guide and Safeguard Desktop Player User Guide.

NOTE: SPS displays a warning message if your browser is not supported or JavaScript is disabled.

NOTE: The minimum recommended screen resolution for viewing 's ('s) web interface is 1366 x 768 pixels on a 14-inch widescreen (standard 16:9 ratio) laptop screen. Screen sizes and screen resolutions that are equal to or are above these values will guarantee an optimal display of the web interface.
Supported browsers

The current version of Mozilla Firefox and Google Chrome, Microsoft Edge, and Microsoft Internet Explorer 11 or newer. The browser must support TLS-encrypted HTTPS connections, JavaScript, and cookies. Make sure that both JavaScript and cookies are enabled.

Supported operating systems

Windows 2008 Server, Windows 7, Windows 2012 Server, Windows 2012 R2 Server, Windows 8, Windows 8.1, Windows 10, Windows 2016, and Linux.

The SPS web interface can be accessed only using TLS-encryption and strong cipher algorithms.

Opening the web interface in multiple browser windows or tabs is not supported.

Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación