Chatta subito con l'assistenza
Chat con il supporto

One Identity Safeguard for Privileged Sessions 6.0.1 - Release Notes

Deprecated features

The following is a list of features that are no longer supported starting with SPS 6.0.

  • X.509 host certificates are not supported, the related options have been removed from the product. One Identity recommends using public keys instead.

  • DSA keys are not supported, the related options have been removed from the product. One Identity recommends using RSA keys instead.

  • The log ingestion feature of SPS has been removed from the product.

Deprecated features between SPS 5.1 and SPS 5.11

The following is a list of features that are no longer supported starting with SPS 6.0.

Caution:

Physical SPS appliances based on Pyramid hardware are not supported in 5 F1 and later releases. Do not upgrade to 5 F1 or later on a Pyramid-based hardware. The last supported release for this hardware is 5 LTS, which is a long-term supported release.

If you have purchased SPS before August, 2014 and have not received a replacement hardware since then, you have Pyramid hardware, so do not upgrade to SPS 5 F1 or later. If you have purchased SPS after August 2014, you can upgrade to 5 F1.

If you do not know the type of your hardware or when it was purchased, complete the following steps:

  1. Login to SPS.

  2. Navigate to Basic Settings > Troubleshooting > Create support bundle, click Create support bundle, and save the file.

  3. Open a ticket at https://support.oneidentity.com/create-service-request/.

  4. Upload the file you downloaded from SPS in Step 1.

  5. We will check the type of your hardware and notify you.

  • Support for the Lieberman ERPM credential store has been deprecated, this feature will be removed from the upcoming One Identity Safeguard for Privileged Sessions (SPS) 6 LTS release. One Identity recommends to use Safeguard for Privileged Passwords instead. For details, contact our Sales Team.

  • SSLv3 encryption is not supported in SPS version 5.10 and later. This has the following effects:

    • You cannot configure SPS if your browser does not support at least TLSv1.

    • If you are auditing HTTP, Telnet or VNC sessions that use TLS encryption, the client- and server applications must support at least TLSv1.

  • Support for X.509 host certificates is deprecated. This feature will be removed from SPS version 6 LTS (6.0). One Identity recommends using public keys instead.

  • Support for DSA keys is deprecated. This feature will be removed from SPS version 6 LTS (6.0). One Identity recommends using RSA keys instead.

Shorter than 1024-bit SSH keys

Following the upgrade, support for less than 1024-bit SSH keys is lost.

You can now use an Authentication Policy with GSSAPI and a Usermapping Policy in SSH connections. When an SSH Connection Policy uses an Authentication Policy with GSSAPI, and a Usermapping Policy, then SPS stores the user principal as the Gateway username, and the username used on the target as the Server username.

Note that this change has the following side effect: when using an Authentication Policy with GSSAPI, earlier versions of SPS used the client-username@REALM username to authenticate on the target server. Starting with version 5.9.0, it uses the client-username as username. Configure your servers accordingly, or "Configuring usermapping policies" in the Administration Guide.

Minimum version of encryption protocol for the web UI

The Basic Settings > Local Services > Required minimum version of encryption protocol option has been removed. This option governed the encryption protocol required to access the SPS web interface.

Regardless of the TLS version you configured previously, SPS will uniformly use TLS version 1.2.

This change might have the effect that using old (likely unsupported) browsers, it will not be possible to access the web interface of SPS.

Deprecation of RPC API

The RPC API is deprecated as of SPS 5 F7 and will be removed in an upcoming feature release. One Identity recommends using the REST API instead.

Screen content search in sessions indexed by the old Audit Player

It is no longer possible to search for screen contents indexed by the old Audit Player on the new search UI and the REST interface. Searching in session metadata (such as IP addresses and usernames) and in extracted events (such as executed commands and window titles that appeared on the screen) remains possible.

As the old Audit Player was replaced and deprecated as an indexing tool during the 4.x versions, this should only affect very old sessions. Sessions that were processed by the new indexing service will work perfectly. If you wish to do screen content searches in historical sessions, contact our Support Team.

Resolved issues

The following is a list of issues addressed in this release.

Table 2: General resolved issues in release 6.0
Resolved Issue Issue ID

bind9:

  • CVE-2018-5743
  • CVE-2019-6471

bzip2:

  • CVE-2019-12900

curl:

  • CVE-2019-5346

db5.3:

  • CVE-2019-8457

dbus:

  • CVE-2019-12749

elfutils:

  • CVE-2018-16062
  • CVE-2018-16402
  • CVE-2018-16403
  • CVE-2018-18310
  • CVE-2018-18520
  • CVE-2018-18521
  • CVE-2019-7149
  • CVE-2019-7150
  • CVE-2019-7665

expat:

  • CVE-2018-20843

ffmpeg:

  • CVE-2018-15822
  • CVE-2019-9718
  • CVE-2019-9721

glib2.0:

  • CVE-2019-12450

gnutls28:

  • CVE-2018-1084
  • CVE-2018-10844
  • CVE-2018-10845
  • CVE-2018-10846
  • CVE-2019-3829

isc-dhcp:

  • CVE-2019-6470

jinja2:

  • CVE-2019-10906

libpng1.6:

  • CVE-2019-7317

libseccomp:

  • CVE-2019-9893

linux:

  • CVE-2017-5715
  • CVE-2017-5753
  • CVE-2017-5754
  • CVE-2018-12126
  • CVE-2018-12127
  • CVE-2018-12130
  • CVE-2018-16884
  • CVE-2018-3620
  • CVE-2018-3639
  • CVE-2018-3646
  • CVE-2019-11478
  • CVE-2019-11479
  • CVE-2019-3874
  • CVE-2019-3882
  • CVE-2019-9500
  • CVE-2019-9503

mysql-5.7:

  • CVE-2019-2566
  • CVE-2019-2581
  • CVE-2019-2592
  • CVE-2019-2614
  • CVE-2019-2627
  • CVE-2019-2628
  • CVE-2019-2632
  • CVE-2019-2683

openjdk-8:

  • CVE-2019-2422
  • CVE-2019-2426
  • CVE-2019-2602
  • CVE-2019-2684
  • CVE-2019-2698

php7.2:

  • CVE-2019-11034
  • CVE-2019-11035
  • CVE-2019-11036
  • CVE-2019-11039
  • CVE-2019-11040
  • CVE-2019-9637
  • CVE-2019-9638
  • CVE-2019-9639
  • CVE-2019-9640
  • CVE-2019-9641
  • CVE-2019-9675

postgresql-10:

  • CVE-2019-10130
  • CVE-2019-10164

python-urllib3:

  • CVE-2018-20060
  • CVE-2019-11236
  • CVE-2019-11324

python2.7:

  • CVE-2018-1000802
  • CVE-2018-14647

qtbase-opensource-src:

  • CVE-2018-15518
  • CVE-2018-19870
  • CVE-2018-19873

samba:

  • CVE-2018-16860

sqlite3:

  • CVE-2018-20346
  • CVE-2018-20505
  • CVE-2018-20506
  • CVE-2019-8457
  • CVE-2019-9936
  • CVE-2019-9937

vim:

  • CVE-2019-12735

Inconsistent merge behaviour in configuration sync

There were some cases, where a validation error occured during configuration synchronization. This has been fixed, and now System Backup is synchronized under Management, too.

PAM-9655

Changing cluster roles may make the product tainted

When changing certain cluster roles, the firmware became tainted. This affected the upgrade process when the definition of a role changed between two releases, resulting in tainted firmware. Now this has been fixed.

PAM-9375

Report generation can produce duplicate reports

If generating a report took more than 30 minutes, it was restarted, causing it to run twice and generate a duplicate report. This has been corrected, now report generation jobs cannot overlap to prevent processing them twice.

PAM-5477

The default number of indexer workers was 16 on a newly installed SPS.

The default number of indexer workers was 16 on a newly installed SPS. This has been modified, and now the number of CPU cores of the machine is taken into account when deciding the default number of indexer workers.

PAM-3739

Disk fill-up prevention should always deny incoming connections when limit is reached

Disk fill-up prevention has not denied incoming connections in the following case: IP forwarding was enabled for the NIC where the connection was coming from and a connection policy was configured to 'Use original target address of the client'. This issue has been fixed. All connections are now denied when disk fill-up limit is reached. Forwarded connections that do not match a connection policy, and therefore are not audited still pass trough the appliance even if disk fill-up limit is reached.

PAM-10039

System requirements

Before installing SPS 6.0, ensure that your system meets the following minimum hardware and software requirements.

The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.

For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents:

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione