
One Identity Safeguard for Privileged Sessions 6.0.14 LTS - Release Notes


09 March 2023, 02:52

These release notes provide information about the One Identity Safeguard for Privileged Sessions release. For the most recent documents and product information, see One Identity Safeguard for Privileged Sessions - Technical Documentation.

About this release

One Identity Safeguard for Privileged Sessions Version 6.0.14 LTS is a long-term supported maintenance release with resolved issues.

For more information on the resolved issues, see:

NOTE: For a full list of key features in One Identity Safeguard for Privileged Sessions, see the Administration Guide.

About the Safeguard product line

The One Identity Safeguard Appliance is built specifically for use only with the Safeguard privileged management software, which is pre-installed and ready for immediate use. The appliance is hardened to ensure the system is secured at the hardware, operating system and software levels. The hardened appliance approach protects the privileged management software from attacks while simplifying deployment and ongoing management -- and shortening the timeframe to value.

Safeguard privileged management software suite

Safeguard privileged management software is used to control, monitor, and govern privileged user accounts and activities to identify possible malicious activities, detect entitlement risks, and provide tamper-proof evidence. The Safeguard products also aid incident investigation, forensics work, and compliance efforts.

The Safeguard products' unique strengths are:

  • One-stop solution for all privileged access management needs

  • Easy to deploy and integrate

  • Unparalleled depth of recording

  • Comprehensive risk analysis of entitlements and activities

  • Thorough governance for privileged accounts

The suite includes the following modules:

  • One Identity Safeguard for Privileged Passwords automates, controls and secures the process of granting privileged credentials with role-based access management and automated workflows. Deployed on a hardened appliance, Safeguard for Privileged Passwords eliminates concerns about secured access to the solution itself, which helps to speed integration with your systems and IT strategies. Plus, its user-centered design means a small learning curve and the ability to manage passwords from anywhere and using nearly any device. The result is a solution that secures your enterprise and enables your privileged users with a new level of freedom and functionality.
  • One Identity Safeguard for Privileged Sessions is part of One Identity's Privileged Access Management portfolio. Addressing large enterprise needs, Safeguard for Privileged Sessions is a privileged session management solution, which provides industry-leading access control, as well as session monitoring and recording to prevent privileged account misuse, facilitate compliance, and accelerate forensics investigations.

    Safeguard for Privileged Sessions is a quickly deployable enterprise appliance, completely independent from clients and servers - integrating seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill-down for forensics investigations.

  • One Identity Safeguard for Privileged Analytics integrates data from Safeguard for Privileged Sessions to use as the basis of privileged user behavior analysis. Safeguard for Privileged Analytics uses machine learning algorithms to scrutinize behavioral characteristics and generates user behavior profiles for each individual privileged user. Safeguard for Privileged Analytics compares actual user activity to user profiles in real time and profiles are continually adjusted using machine learning. Safeguard for Privileged Analytics detects anomalies and ranks them based on risk so you can prioritize and take appropriate action - and ultimately prevent data breaches.

Resolved issues

The following is a list of issues addressed in this release.

Table 1: General resolved issues in One Identity Safeguard for Privileged Sessions version 6.0.14 LTS
Resolved Issue Issue ID

The "platformd" network settings fail on the bionic kernel.

This problem was caused by the "pyroute2" library, which has been replaced with an in-house implementation.

This issue has been fixed by rewriting the corresponding network component.

Issue ID: 340429

The SPS configuration synchronization could hang for an indefinitely long time.

The SPS configuration synchronization could hang for an indefinitely long time due to a network issue between the central management node and the managed node. The configuration synchronization locks the configuration, so any configuration change was blocked for as long as the synchronization was hanging.

This issue has been fixed. A timeout of 20 seconds has been added to the configuration synchronization fetch to avoid the issue.

Issue ID: 340557

Generate join data for the SPS cluster only once to avoid conflicts with repeated join requests.

SPS generated join data for every join request to the SPS cluster. This meant that a repeated join request deleted the earlier join data on the node that was going to be managed, so if the user joined the SPS with the first join data, the SPS cluster configuration ran into a conflict between the central management node and the managed node.

This issue has been fixed. SPS now generates the join data only once, so a repeated join request contains the same data and the cluster configuration does not conflict.

Issue ID: 340558

The issuer chain of the server SSL certificate is dropped if the user commits any changes on the new REST-based web UI.

The REST API did not persist the issuer chain of the server SSL certificate. If a user committed any changes on the new REST-based web UI or directly through the REST API, the issuer chain was dropped from the server SSL certificate.

This issue has been fixed, and the REST API now persists the issuer chain of the server SSL certificate.

Issue ID: 340559

A backoff strategy (with iteratively increasing time intervals of 1, 2, 4, ..., 16 minutes) is added to configuration synchronization in case of a permanent configuration synchronization error.

A permanent configuration synchronization error can cause high system load. Therefore, a backoff strategy has been added to configuration synchronization: while the error is still present, SPS waits 1, 2, 4, ..., 16 minutes iteratively before the next configuration synchronization.

Issue ID: 340560

External indexer certificates are too short-lived.

In an attempt to fix PAM-11122, the default lifetime of several certificates was limited to 800 days, because browsers did not trust certificates with a longer validity period. Due to an error, the lifetime of the external indexer SSL certificate was limited too, even though its sole use is to encrypt the traffic between the external indexers and SPS, where web browsers are not involved.

However, after the external indexer SSL certificate expires, the external indexers will not be able to connect to SPS, and external indexing stops working. The workaround is to reconfigure the external indexers by disabling and re-enabling external indexing and resetting the external indexer configurations.

You are only affected by this issue if you enabled external indexing while running SPS version 6.0.4/6.4.0 or later, when the fix for PAM-11122 was released, since previous versions included external indexer certificates with a sufficiently long lifetime.

After the current fix, freshly generated external indexer certificates will again have a lifetime of 20 years.

Issue ID: 340591
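A check an administrator can run for the external indexer certificate issue above (340591), as an added example that is not One Identity's code: it reads the `notBefore`/`notAfter` lines printed by `openssl x509 -noout -dates` for the certificate and reports whether it carries the 800-day lifetime and how many days remain. The sample dates are constructed, and the function names are hypothetical.

```python
import ssl
from datetime import datetime, timezone

BROWSER_LIMIT_DAYS = 800  # lifetime cap named in the release note

# Constructed sample: what `openssl x509 -noout -dates -in <cert>` prints
# for a certificate generated with the 800-day limit.
SAMPLE_DATES = """\
notBefore=Mar 10 08:00:00 2021 GMT
notAfter=May 19 08:00:00 2023 GMT
"""


def parse_dates(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key in ("notBefore", "notAfter"):
            # cert_time_to_seconds parses OpenSSL's "Mon DD HH:MM:SS YYYY GMT"
            secs = ssl.cert_time_to_seconds(value.strip())
            found[key] = datetime.fromtimestamp(secs, tz=timezone.utc)
    if len(found) != 2:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return found["notBefore"], found["notAfter"]


def assess_indexer_cert(text, now):
    """Classify a certificate by its validity period relative to `now`."""
    not_before, not_after = parse_dates(text)
    lifetime_days = (not_after - not_before).days
    if not_after < now:
        status = "expired"       # indexers can no longer connect to SPS
    elif lifetime_days <= BROWSER_LIMIT_DAYS:
        status = "short-lived"   # generated with the 800-day limit
    else:
        status = "long-lived"    # e.g. a 20-year certificate
    return {
        "status": status,
        "lifetime_days": lifetime_days,
        "days_remaining": (not_after - now).days,
        "not_after": not_after,
    }


if __name__ == "__main__":
    print(assess_indexer_cert(SAMPLE_DATES, datetime.now(timezone.utc)))
```

A "short-lived" or "expired" result means the certificate falls under the workaround described above: reconfigure the external indexers so that a fresh certificate is generated.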

Table 2: Resolved Common Vulnerabilities and Exposures (CVE) in release 6.0.14 LTS
Resolved Issue Issue ID

bind9:

CVE-2022-2795

CVE-2022-38177

CVE-2022-38178

cloud-init:

CVE-2022-2084

curl:

CVE-2022-32221

CVE-2022-35252

CVE-2022-43552

dbus:

CVE-2022-42010

CVE-2022-42011

CVE-2022-42012

expat:

CVE-2022-40674

CVE-2022-43680

gmp:

CVE-2021-43618

gnutls28:

CVE-2021-4209

CVE-2022-2509

heimdal:

CVE-2018-16860

CVE-2019-12098

CVE-2021-3671

CVE-2021-44758

CVE-2022-3116

CVE-2022-3437

CVE-2022-41916

CVE-2022-42898

CVE-2022-44640

CVE-2022-45142

isc-dhcp:

CVE-2022-2928

CVE-2022-2929

jbigkit:

CVE-2017-9937

krb5:

CVE-2018-20217

CVE-2022-42898

libice:

CVE-2017-2626

libjpeg-turbo:

CVE-2018-11813

CVE-2020-17541

CVE-2020-35538

libksba:

CVE-2022-3515

CVE-2022-47629

libxml2:

CVE-2016-3709

CVE-2022-2309

CVE-2022-40303

CVE-2022-40304

libxpm:

CVE-2022-44617

CVE-2022-46285

CVE-2022-4883

libxslt:

CVE-2019-5815

CVE-2021-30560

linux:

CVE-2021-33655

CVE-2021-33656

CVE-2022-1652

CVE-2022-1679

CVE-2022-1734

CVE-2022-2586

CVE-2022-2588

CVE-2022-2663

CVE-2022-2978

CVE-2022-3028

CVE-2022-3061

CVE-2022-3239

CVE-2022-34918

CVE-2022-3524

CVE-2022-3564

CVE-2022-3565

CVE-2022-3566

CVE-2022-3567

CVE-2022-3594

CVE-2022-3621

CVE-2022-3643

CVE-2022-36946

CVE-2022-40768

CVE-2022-42703

CVE-2022-42896

CVE-2022-43945

CVE-2022-45934

multipath-tools:

CVE-2022-41974

mysql-5.7:

CVE-2022-21515

CVE-2022-21589

CVE-2022-21592

CVE-2022-21608

CVE-2022-21617

CVE-2023-21840

net-snmp:

CVE-2022-24805

CVE-2022-24806

CVE-2022-24807

CVE-2022-24808

CVE-2022-24809

CVE-2022-24810

CVE-2022-4479

CVE-2022-44792

CVE-2022-44793

nginx:

CVE-2022-41741

CVE-2022-41742

open-vm-tools:

CVE-2022-31676

openjdk-8:

CVE-2020-14779

CVE-2020-14781

CVE-2020-14782

CVE-2020-14792

CVE-2020-14796

CVE-2020-14797

CVE-2020-14798

CVE-2020-14803

CVE-2021-35550

CVE-2021-35556

CVE-2021-35559

CVE-2021-35561

CVE-2021-35564

CVE-2021-35565

CVE-2021-35567

CVE-2021-35578

CVE-2021-35586

CVE-2021-35588

CVE-2021-35603

CVE-2022-21248

CVE-2022-21282

CVE-2022-21283

CVE-2022-21293

CVE-2022-21294

CVE-2022-21296

CVE-2022-21299

CVE-2022-21305

CVE-2022-21340

CVE-2022-21341

CVE-2022-21349

CVE-2022-21360

CVE-2022-21365

CVE-2022-21426

CVE-2022-21434

CVE-2022-21443

CVE-2022-21476

CVE-2022-21496

CVE-2022-21540

CVE-2022-21541

CVE-2022-21619

CVE-2022-21624

CVE-2022-21626

CVE-2022-21628

CVE-2022-34169

openssl:

CVE-2022-4304

CVE-2022-4450

CVE-2023-0215

CVE-2023-0286

openssl1.0:

CVE-2023-0215

CVE-2023-0286

pam:

CVE-2022-28321

perl:

CVE-2020-16156

php7.2:

CVE-2022-31628

CVE-2022-31629

CVE-2022-31631

CVE-2022-37454

pixman:

CVE-2022-44638

postgresql-10:

CVE-2022-2625

python-future:

CVE-2022-40899

python-setuptools:

CVE-2022-40897

python2.7:

CVE-2022-45061

python3.6:

CVE-2022-45061

rsync:

CVE-2022-37434

shadow:

CVE-2013-4235

sqlite3:

CVE-2020-35525

CVE-2022-35737

strongswan:

CVE-2022-40617

sudo:

CVE-2023-22809

sysstat:

CVE-2022-39377

systemd:

CVE-2022-2526

tiff:

CVE-2020-19131

CVE-2020-19144

CVE-2022-0907

CVE-2022-0908

CVE-2022-0909

CVE-2022-0924

CVE-2022-1355

CVE-2022-2056

CVE-2022-2057

CVE-2022-2058

CVE-2022-22844

CVE-2022-2867

CVE-2022-2868

CVE-2022-2869

CVE-2022-34526

CVE-2022-3570

CVE-2022-3598

CVE-2022-3599

CVE-2022-3970

vim:

CVE-2022-0392

CVE-2022-0943

CVE-2022-1154

CVE-2022-1616

CVE-2022-1619

CVE-2022-1620

CVE-2022-1621

wayland:

CVE-2021-3782

zlib:

CVE-2022-37434
