Tchater maintenant avec le support
Tchattez avec un ingénieur du support

One Identity Safeguard for Privileged Sessions 7.0.2 LTS - Release Notes

Release Notes

One Identity Safeguard for Privileged Sessions 7.0.2 LTS

Release Notes

08 March 2023, 09:34

These release notes provide information about the One Identity Safeguard for Privileged Sessions release. For the most recent documents and product information, see One Identity Safeguard for Privileged Sessions - Technical Documentation.

Topics:

About this release

One Identity Safeguard for Privileged Sessions Version 7.0.2 LTS is a maintenance release with known issues. For details, see:

NOTE: For a full list of key features in One Identity Safeguard for Privileged Sessions, see Administration Guide.

About the Safeguard product line

The One Identity Safeguard Appliance is built specifically for use only with the Safeguard privileged management software, which is pre-installed and ready for immediate use. The appliance is hardened to ensure the system is secured at the hardware, operating system and software levels. The hardened appliance approach protects the privileged management software from attacks while simplifying deployment and ongoing management -- and shortening the timeframe to value.

Safeguard privileged management software suite

Safeguard privileged management software is used to control, monitor, and govern privileged user accounts and activities to identify possible malicious activities, detect entitlement risks, and provide tamper proof evidence. The Safeguard products also aid incident investigation, forensics work, and compliance efforts.

The Safeguard products' unique strengths are:

  • One-stop solution for all privileged access management needs

  • Easy to deploy and integrate

  • Unparalleled depth of recording

  • Comprehensive risk analysis of entitlements and activities

  • Thorough Governance for privileged account

The suite includes the following modules:

  • One Identity Safeguard for Privileged Passwords automates, controls and secures the process of granting privileged credentials with role-based access management and automated workflows. Deployed on a hardened appliance, Safeguard for Privileged Passwords eliminates concerns about secured access to the solution itself, which helps to speed integration with your systems and IT strategies. Plus, its user-centered design means a small learning curve and the ability to manage passwords from anywhere and using nearly any device. The result is a solution that secures your enterprise and enables your privileged users with a new level of freedom and functionality.
  • One Identity Safeguard for Privileged Sessions is part of One Identity's Privileged Access Management portfolio. Addressing large enterprise needs, Safeguard for Privileged Sessions is a privileged session management solution, which provides industry-leading access control, as well as session monitoring and recording to prevent privileged account misuse, facilitate compliance, and accelerate forensics investigations.

    Safeguard for Privileged Sessions is a quickly deployable enterprise appliance, completely independent from clients and servers - integrating seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill-down for forensics investigations.

  • One Identity Safeguard for Privileged Analytics integrates data from Safeguard for Privileged Sessions to use as the basis of privileged user behavior analysis. Safeguard for Privileged Analytics uses machine learning algorithms to scrutinize behavioral characteristics and generates user behavior profiles for each individual privileged user. Safeguard for Privileged Analytics compares actual user activity to user profiles in real time and profiles are continually adjusted using machine learning. Safeguard for Privileged Analytics detects anomalies and ranks them based on risk so you can prioritize and take appropriate action - and ultimately prevent data breaches.

Resolved issues

The following is a list of issues addressed in this release.

Table 1: General resolved issues in release 7.0.2 LTS
Resolved Issue Issue ID

If a session was terminated, the following message appeared in the session details view of the "Search" page, under "Monitoring Info > Verdict" field: "Terminated by a content policy". The same message was also found in the "Advanced Search recording.verdict" filter suggestion list, next to the value "ACCEPT_TERMINATED" in brackets. The problem with this text was that it was misleading because a session can be terminated not only by a content policy but also by the user.

The "ACCEPT_TERMINATED" recording.verdict message has been fixed to "Terminated by user or content policy". This message now reflects that not only the content policy but also the user can terminate a session.

340185

When generating a report that included the "Four eyes authorizers" subchapter, if there were sessions without four-eyes authorizers, the value pie chart displayed "-1".

Similarly, in "Top 10 username/four-eyes authorizer ..." subchapters if the username was unknown, "-1" represented the value.

Since "-1" is not an intuitive value to represent unknown data, it has been replaced with "n/a".

340215

Text input fields are sometimes too short for SSH algorithms and TLS Cipher strings.

When specifying algorithms on the "SSH Control/Settings" page, the text input fields did not allow to enter texts longer than 150 characters. On the "MSSQL", "RDP", "Telnet" and "VNC Control/Settings" page, the "Cipher strength" field was also affected by the same limitation.

This issue has been fixed. The limit has been raised to 512 characters for SSH algorithms and to 4096 characters for TLS Cipher strings.

340518

In trust stores, when users started to drag and drop something to the certificate upload field, a little overlay appeared on the text field. If the users changed their minds and did not drop the file there, then this overlay stuck. The same problem came up in "Audit keystore > Add new key" (upload-key component).

Drag and drop is no longer stuck in a drag state for certification upload and key upload when the drag event leaves the page or is dropped on the wrong target.

340528

RDP connections may fail after installing the January 11, 2022 Windows update.

After installing the January 11, 2022 Windows update or later Windows updates containing protections for CVE-2022-21857, RDP connections failed if the following conditions were true:

  • There were multiple domains (for example domain A and B) with a trust relationship.
  • The RDP connection was transparent or SPS acted as a Remote Desktop Gateway.
  • NTLM authentication was configured with "Require domain membership" enabled.
  • SPS was in domain A.
  • The target server and user were in domain B.

In these cases the following line was displayed in the system log: "DC refused user authentication;"

The issue is fixed now. The NTLM authentication process has been improved to work with the new security checks.

340538

When trying to generate video and screenshot files over the REST API to an MSSQL session using the /api/audit/sessions/<session-id>/screenshots/_generate and /api/audit/sessions/<session-id>/video/_generate endpoints, respectively, the indexer accepted the job, instead of notifying the users that generating screenshot and video files are not supported by the MSSQL session.

This has been fixed. Now, when users try to generate a screenshot or video for an MSSQL session over REST API, they receive a 400 ContentGenerationNotSupported error on REST API.

340553

Large number of gateway authentications might cause all connections to terminate.

In some cases, after a very large number of gateway authentication, all connections of the affected protocol could terminate due to a double-free issue. In these cases, a core file was also generated, and a stackdump was written to the system log. The issue primarily affected HTTP connections, and, to a smaller degree, RDP connections where SPS was acting as a Remote Desktop Gateway. This issue has been fixed.

340554

When trying to sort sessions on SPS UI under the Search page by analytics score related fields (host login, login time, keystroke, mouse or window title), if none of the sessions had data for the selected analytics field, the REST API of SPS mistakenly returned 400 NotParsableQuery error referring to that the received search query is invalid.

This has been fixed now and sorting should not fail if data is not available for the analytics score related fields.

340583

Trying to generate a Report from the SPS REST API with an ISO-8061 date format that correctly does not have a month part in the start or the end date field, returns an error.

When sending a request to the SPS report generating API endpoint (/api/reports) with a valid ISO 8061 date format in the start or the end date field parameter, SPS responds with an error message if one of the date fields contains a date that does not have a month part. As a result of this, the report generation does not start.

This has been fixed, users can specify the date in the start and end date fields in the SPS REST API in all previous formats and also in ISO 8061 formats. This was achieved by introducing an ISO date parser and keeping the old date parser too. Now SPS successfully performs the report generation between the desired dates.

340592

Users trying to generate a Report from the SPS REST API with an ISO-8061 date format containing week numbers in the start or the end date field (for example 2022-W37-1) got an error message.

When sending a request to the report generating API endpoint (/api/reports) with a valid ISO 8061 date format containing week numbers in the start or the end date field parameter, SPS responded with a 400 "InvalidDate" error. As a result of this, the report generation did not start.

This has been fixed, now the users can specify the date in the start and end date fields in the SPS REST API in all previous formats and also in ISO 8061 formats. The fix included introducing an ISO date parser and keeping the old date parser too. SPS now successfully performs the report generation between the desired dates.

340607

When the user tries to download an archived session audit trail on central search deployment, the download could fail because SPS could not find the audit trail and the user gets an error message when opening a new tab in the browser.

Trying to download an archived audit trail from SPS in central search deployment gave back an error message when opening a new tab in the browser. This was due to SPS trying to obtain the audit trail file through the local Content Service of the central search node, but it did not succeed because the given audit trail was only available through the Content Service of the minion node on which the given session was recorded.

This issue has been fixed. When the user tries to download an archived trail from the central search node, SPS contacts the Content Service of the minion node on which the session was recorded.

340626

Permission error when attempting to start manual backup, restore, or archive operation with per-connection-policy permission.

When a user who had read and write/perform permission for only a few select connection policies within a protocol (but not all connection policies of that protocol) attempted to manually start the backup, restore, or archive operations for such a connection policy, the operation failed to start and a permission error was shown saying "Permission error / Access denied to object; object='/config/scb//connections/connection[@id = '...']', access='write'".

This issue has been fixed. Now users can start the backup, restore, and archive operations for all connection policies for which they had been granted the read and write/perform permission.

380785

Indexer policy field allowed to use the Next button even when no indexer policy value was selected.

Indexer policy field now requires an indexer policy value to be set when indexing is enabled in Quick Connection Setup.

387412

Users could save the X.509 editing page, when the "Status" was "Enabled" but they did not select any trust store.

Fixed the missing 'required' validation on the "X.509 login method form > Trust store field".

Now users cannot submit the form without a trust store selected.

387447

RDP logon could cause all connections to terminate.

In some rare cases, a domain user successfully logging into a domain joined RDP server via SPS could cause all RDP connections to terminate. In this case, a core file was also generated. This issue mainly affected transparent connections, or connections where SPS was acting as an RD Gateway, and where the server was behaving in a specific incorrect way during SPNEGO-based NLA authentication.

This has been fixed, the non-standard server behavior is now handled gracefully, and the affected connections will now pass.

388421

Some SSH host keys were not listed.

If the SSH target servers used "ecdsa-sha2-nistp384" or "ecdsa-sha2-nistp521" host keys, then those keys were not displayed under "SSH Control > Server" host keys. This error has been fixed.

As a consequence, the key types above are also supported on the /api/ssh-host-keys endpoint of the REST API.

388635

Protocols TLS 1.0 and 1.1 are removed from indexer service. Only TLS 1.2 or newer protocol versions are supported on the TCP port of the external indexer.

389039

When editing an AD/LDAP server in the case of an already specified Trust store under "User & Access Control > Login Options > Manage AD/LDAP servers", although it was possible to select "Certificate" with "None" status, an error occurred while committing the changes.

This issue has been fixed. You can save and commit your changes when editing AD/LDAP servers.

400763

Even though the '_' character is allowed in an FQDN on the REST API, users could not set a server with this name using the web UI.

FQDN validations have been fixed on the UI.

400765

Misleading error message displayed when MSSQL inband target server does not exist.

In MSSQL connections, using inband target selection, when the DNS name resolution of the target server hostname failed, a misleading login error message, "Gateway authentication failed", was displayed in the MSSQL client. In this case, a traceback was also written to the system log.

These errors have been fixed, and the error message has been updated to reflect that name resolution has failed.

404204

Audit trails and events of Citrix ICA connections may have incorrect dates.

The channels in ICA audit trails recorded on affected SPS versions may appear to be recorded in the future, specifically at, or after 2035-10-29T06:32:22 (UTC). Since audit trails also serve as a basis for audit events, the dates and times shown on the Search interface are also incorrect for the affected sessions.

Digitally signed timestamps created by Time Stamping Authorities, when this feature is enabled for the audit trail, are not affected.

Also, only the records indicating the start of a new channel have wrong timestamps in the audit trail. The actual audited traffic, such as keystrokes, mouse events or graphical content, internally have correct timestamps, but due to an automatic time correction during indexing, those events are also displayed with incorrectly adjusted dates and times.

The audit trail recording error has been fixed, SPS now writes correct times in the audit trail when opening new channels. Existing audit trails recorded with an affected SPS, however, will still show incorrect dates and times.

405227

Outils libre-service
Base de connaissances
Notifications et alertes
Support produits
Téléchargements de logiciels
Documentation technique
Forums utilisateurs
Didacticiels vidéo
Flux RSS
Nous contacter
Obtenir une assistance en matière de licence
Support Technique
Afficher tout
Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation