Chatta subito con l'assistenza
Chat con il supporto

One Identity Safeguard for Privileged Sessions 7.5.1 - Release Notes

Deprecated features

Apache lucene database

In SPS 7.0 LTS, One Identity modified the search for screen content in session data to use the search database only. The Apache lucene database support is phased out, but the query language remained lucene-like.

After the switch to the search database, you will be able to access content stored in an Apache lucene database only if you regenerate the content with the reindex tool. For more information, see Regenerate content stored in lucene indices.

Due to the removal of lucene indices, users are not able to search for content in lucene indices with the content request parameter on the /api/audit/sessions and /api/audit/sessions/stats endpoints.

For more information, see Searching in the session database with the basic search method in the REST API Reference Guide and Session statistics in the REST API Reference Guide.

Additionally, in Reporting, statistics subchapters that included the audit_content filter will not work. Alternatively, you can use Search-based subchapters with the screen.content filter to create statistic reports from connection metadata that included a specific content in the audit trail.

For more information, see Creating search-based report subchapters from search results in the Administration Guide.

Content search option deprecation

On the Sessions page, the Content search option has been deprecated.

Advanced statistics

Creating statistics from custom queries using the Reporting > View & edit subchapters > Advanced statistics page has been deprecated. The /api/configuration/reporting/custom_subchapters REST API endpoint has also been deprecated.

During the upgrade process, existing advanced statistics subchapters and their references are removed from the SPS configuration. Additionally, advanced statistics ACLs assigned to user groups are also removed from the SPS configuration. Note that if a user group only had the advanced statistics ACL assigned under Users & Access Control > Appliance Access, the whole ACL entry is removed during the upgrade process.

Alternatively, you can use search-based subchapters to query connection metadata. For more information, see Creating search-based report subchapters from search results in the Administration Guide.

User lists

On the Policies page, User lists are allow lists or deny lists of usernames that allow fine-control over who can access a connection or a channel. However, the configuration and the semantics of this policy can be ambiguous. Therefore, One Identity is planning the deprecation and removal of the User lists feature in a future SPS release. If you want to maintain the list of allowed usernames, you can use AD/LDAP groups instead.

NOTE: This feature will be deprecated and removed in a future SPS release. The feature is still available in SPS 7.5.1.

Resolved issues

The following is a list of issues addressed in this release.

Table 1: General resolved issues in release 7.5.1
Resolved Issue Issue ID

Mouse algorithm baselines can grow too large preventing backup to happen. After this patch, mouse baselines are cleaned up much earlier.

441246

Fixed the issue where event processing could stop after a configuration change.

460598

Fixed CVE-2024-40595. For more information, see the knowledge base article.

339857

Table 2: Resolved Common Vulnerabilities and Exposures (CVE) in release 7.5.1

Resolved Issue

Issue ID

apparmor:

CVE-2016-1585

bash:

CVE-2022-3715

bind9:

CVE-2023-3341

 

CVE-2023-4236

 

CVE-2023-4408

 

CVE-2023-50387

 

CVE-2023-50868

 

CVE-2023-5517

 

CVE-2023-5679

 

CVE-2024-0760

 

CVE-2024-1737

 

CVE-2024-1975

 

CVE-2024-4076

busybox:

CVE-2022-48174

cpio:

CVE-2015-1197

 

CVE-2023-7207

cups:

CVE-2024-35235

curl:

CVE-2024-2398

 

CVE-2024-7264

expat:

CVE-2023-52425

 

CVE-2024-28757

freerdp2:

CVE-2024-22211

 

CVE-2024-32039

 

CVE-2024-32040

 

CVE-2024-32041

 

CVE-2024-32458

 

CVE-2024-32459

 

CVE-2024-32460

 

CVE-2024-32658

 

CVE-2024-32659

 

CVE-2024-32660

 

CVE-2024-32661

glib2.0:

CVE-2024-34397

glibc:

CVE-2024-2961

 

CVE-2024-33599

 

CVE-2024-33600

 

CVE-2024-33601

 

CVE-2024-33602

gnutls28:

CVE-2024-28834

 

CVE-2024-28835

jinja2:

CVE-2024-34064

klibc:

CVE-2016-9840

 

CVE-2016-9841

 

CVE-2018-25032

 

CVE-2022-37434

krb5:

CVE-2024-37370

 

CVE-2024-37371

less:

CVE-2024-32487

libvpx:

CVE-2024-5197

linux:

CVE-2023-23000

 

CVE-2023-24023

 

CVE-2023-32247

 

CVE-2023-46838

 

CVE-2023-47233

 

CVE-2023-52447

 

CVE-2023-52530

 

CVE-2023-52600

 

CVE-2023-52603

 

CVE-2023-52629

 

CVE-2023-52752

 

CVE-2023-52760

 

CVE-2023-6039

 

CVE-2024-1085

 

CVE-2024-1086

 

CVE-2024-21823

 

CVE-2024-2201

 

CVE-2024-22705

 

CVE-2024-23307

 

CVE-2024-23850

 

CVE-2024-23851

 

CVE-2024-24855

 

CVE-2024-24861

 

CVE-2024-25742

 

CVE-2024-26581

 

CVE-2024-26583

 

CVE-2024-26584

 

CVE-2024-26585

 

CVE-2024-26622

 

CVE-2024-26642

 

CVE-2024-26643

 

CVE-2024-26680

 

CVE-2024-26733

 

CVE-2024-26735

 

CVE-2024-26736

 

CVE-2024-26748

 

CVE-2024-26782

 

CVE-2024-26792

 

CVE-2024-26809

 

CVE-2024-26828

 

CVE-2024-26830

 

CVE-2024-26886

 

CVE-2024-26921

 

CVE-2024-26922

 

CVE-2024-26924

 

CVE-2024-26926

 

CVE-2024-26952

 

CVE-2024-27017

 

CVE-2024-36016

 

CVE-2024-36901

 

CVE-2024-39292

 

CVE-2024-39484

nghttp2:

CVE-2024-28182

nss:

CVE-2022-34480

 

CVE-2023-0767

 

CVE-2023-5388

 

CVE-2023-6135

openjdk-17:

CVE-2023-22025

 

CVE-2023-22081

 

CVE-2023-22091

 

CVE-2023-30589

 

CVE-2024-21011

 

CVE-2024-21012

 

CVE-2024-21068

 

CVE-2024-21094

 

CVE-2024-21131

 

CVE-2024-21138

 

CVE-2024-21140

 

CVE-2024-21145

 

CVE-2024-21147

openssh:

CVE-2024-6387

openssl:

CVE-2022-40735

 

CVE-2024-2511

 

CVE-2024-4603

 

CVE-2024-4741

 

CVE-2024-5535

 

CVE-2024-6119

php8.1:

CVE-2022-4900

 

CVE-2024-2756

 

CVE-2024-3096

 

CVE-2024-5458

pillow:

CVE-2024-28219

postgresql-14:

CVE-2024-4317

 

CVE-2024-7348

python-idna:

CVE-2024-3651

python-zipp:

CVE-2024-5569

python3.10:

CVE-2023-6597

 

CVE-2024-0397

 

CVE-2024-0450

 

CVE-2024-4032

sqlparse:

CVE-2024-4340

strongswan:

CVE-2022-4967

tiff:

CVE-2023-3164

util-linux:

CVE-2022-0563

 

CVE-2024-28085

vim:

CVE-2023-2426

 

CVE-2024-22667

 

CVE-2024-41957

 

CVE-2024-43374

wget:

CVE-2024-38428

Known issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 3: General known issues
Known Issue

The api/audit/sessions endpoint cannot return fields of complex objects nested in lists.

When the api/audit/sessions endpoint receives a query where the fields parameter is provided with list type fields, then these fields will be missing from the response, for example: vault.reviewed.* and vault.approved.*.

Search-based subchapters present some data as missing, regardless of their actual status.

When trying to create a report with subchapters that include the fields listed below, n/a will be presented in the report for these fields, even if data is stored in the database for those fields.

Known affected fields:

  • Reviewed user id

  • Reviewed user name

  • Reviewed domain name

  • Reviewed user display name

  • Reviewed client ip address

  • Reviewed comment

  • Reviewed timestamp

  • Approved user id

  • Approved user name

  • Approved domain name

  • Approved user display name

  • Approved client ip address

  • Approved comment

  • Approved timestamp

Caution:

From SPS 7.0 LTS, SPS requires a new license. To avoid possible downtimes due to certain features not being available, before starting the upgrade, ensure that you have a valid SPS license for 7.5.1.

Upgrade as follows

  1. Perform the upgrade to 7.0 LTS with your current license.

  2. Update your SPS license to 7.0 LTS.

For a new SPS license, contact our Licensing Team.

TLS version 1.3 is not supported when using the inWebo, Okta or One Identity Starling 2FA plugins. To ensure that TLS 1.2 is used by SPS during negotiation, specify the minimum and maximum TLS version as follows:

  • For the minimum TLS version, select TLS version 1.2.

  • For the maximum TLS version, select TLS version 1.3.

For more information, see Verifying certificates with Certificate Authorities using trust stores in the Administration Guide.

The accuracy of replaying audit trails in Asian languages (Traditional Chinese, Korean) has been enhanced. Due to this change, when upgrading SPS to version 6.11.0, all your sessions will be reindexed, and while reindexing is in progress, your sessions on the Search interface are incomplete. For this reason, plan your upgrade to SPS 6.11.0 accordingly.

Report generation may fail if a report subchapter references a connection policy that has been deleted previously.

SPS can create reports giving detailed information about connections of every connection policy. For this, the user can add connection subchapters in the Report Configuration Wizard, under Reporting > Create & Manage Reports.

For a successful report generation, the referenced connection policy must exist on the appliance. However, when deleting a connection policy that is referenced as a connection subchapter, the user is not warned that the report subchapter must be removed, otherwise the subsequent report generation will fail.

This affects scheduled report generation as well.

Table 4: General known issues
Known Issue Issue ID

External indexer disconnected due to certificates expiry.

You are only affected by this issue if you have enabled external indexing while running SPS version 6.0.4 or 6.4.0 or later where the external indexer certificates were created with a limit of 800 days.

To resolve this issue, see External indexer disconnected due to certificates expiry (4368875) (oneidentity.com).

PAM-16883

System requirements

Before installing SPS 7.5.1, ensure that your system meets the following minimum hardware and software requirements.

The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.

For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents:

NOTE: When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. For more information about environment virtualization, see One Identity's Product Support Policies.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione