サポートと今すぐチャット
サポートとのチャット

One Identity Safeguard for Privileged Sessions 7.5 - Release Notes

Deprecated features

Apache lucene database

In SPS 7.0 LTS, One Identity modified the search for screen content in session data to use the search database only. The Apache lucene database support is phased out, but the query language remained lucene-like.

After the switch to the search database, you will be able to access content stored in an Apache lucene database only if you regenerate the content with the reindex tool. For more information, see Regenerate content stored in lucene indices.

Due to the removal of lucene indices, users are not able to search for content in lucene indices with the content request parameter on the /api/audit/sessions and /api/audit/sessions/stats endpoints.

For more information, see Searching in the session database with the basic search method in the REST API Reference Guide and Session statistics in the REST API Reference Guide.

Additionally, in Reporting, statistics subchapters that included the audit_content filter will not work. Alternatively, you can use Search-based subchapters with the screen.content filter to create statistic reports from connection metadata that included a specific content in the audit trail.

For more information, see Creating search-based report subchapters from search results in the Administration Guide.

Content search option deprecation

On the Sessions page, the Content search option has been deprecated.

Advanced statistics

Creating statistics from custom queries using the Reporting > View & edit subchapters > Advanced statistics page has been deprecated. The /api/configuration/reporting/custom_subchapters REST API endpoint has also been deprecated.

During the upgrade process, existing advanced statistics subchapters and their references are removed from the SPS configuration. Additionally, advanced statistics ACLs assigned to user groups are also removed from the SPS configuration. Note that if a user group only had the advanced statistics ACL assigned under Users & Access Control > Appliance Access, the whole ACL entry is removed during the upgrade process.

Alternatively, you can use search-based subchapters to query connection metadata. For more information, see Creating search-based report subchapters from search results in the Administration Guide.

User lists

On the Policies page, User lists are allow lists or deny lists of usernames that allow fine-control over who can access a connection or a channel. However, the configuration and the semantics of this policy can be ambiguous. Therefore, One Identity is planning the deprecation and removal of the User lists feature in a future SPS release. If you want to maintain the list of allowed usernames, you can use AD/LDAP groups instead.

NOTE: This feature will be deprecated and removed in a future SPS release. The feature is still available in SPS 7.5.

Resolved issues

The following is a list of issues addressed in this release.

Table 1: General resolved issues in release 7.5
Resolved Issue Issue ID

When adding a subchapter to a report, the 'Restbased Subchapters' group is now properly named 'Search-based Subchapters'.

447621

Fixed the DNS resolution timeout problem.

Previously, when SPS tried to resolve a domain name and the DNS server was unresponsive, SPS waited for too long to time out. This has been fixed, and now the timeouts are correctly enforced when resolving domain names.

418170

Fixed authentication can be blocked by other users issue.

SPS worked in a way that the authentication and authorization attempts of a user could possibly block the authentication of other users. This limitation did not cause problems while the authentication or authorization were performed nearly instantaneously. However, if the process was waiting for the slow response of a remote AD/LDAP or RADIUS server, then every authentication request of other users was blocked too. This was especially noticeable when the remote server was overloaded or when it was waiting for some interaction with the user (for example, MFA), and in this case, users might have experienced slow page load times or authentication timeout errors.

This issue was fixed, and now the authentication attempts are performed concurrently. Note that although remote resource consumption manifests in parallel authentication requests, these can still be slow when the remote resources are overloaded.

420845

When editing a previously committed RADIUS login option, the RADIUS server's edit, add, or delete functionality now triggers the Save button of the login options sidesheet.

432762

Long-running background jobs could trigger an xcbInitSystemUnitFailed alert due to an automatic service restart by the internal message queue. The restart is handled gracefully by the runner of the background jobs, but the monitoring system will display the xcbInitSystemUnitFailed alerts.

The unwanted service restart issue has been fixed.

438684

Fixed RDP crashing during server authentication if the SPNEGO response contains only an error code.

The server responded with a vendor-specific error code (HResult 80090302: unsupported function) only in the SPNEGO response, which format was not expected by SPS.

This has been fixed, and SPS now properly handles such responses.

439931

The SSH Control > Options page only allowed uploading or deleting the Kerberos keytab for the local administrator, even when other users were granted write and perform access to this page.

This has been fixed, and now all users with the proper access permissions can upload and delete the keytab.

442599

Double-clicking the No policy button on the preview cleanup policy page now properly inverts the selection, even if only one policy is added.

447020

When trying to commit changes that included the deletion of a subchapter that is referenced in a report either under Reporting > Create & Manage Reports or via the REST API, SPS displayed an error with an ambiguous error message: "The referenced subchapter 'subchapter-id' does not exist.".

This has been fixed so that when deleting a subchapter, SPS checks whether the subchapter is referenced in a report, and if so, it will immediately display an error with a meaningful error message indicating that the subchapter is referenced in a report and that it should be unreferenced first.

393727

Fixed the Remote Desktop Gateway packet overload can cause an out-of-memory crash issue.

If the RDP proxy acts as a Desktop Gateway, it caches packets temporarily when the client is unable to consume them. In cases of heavy and permanent packet loads, this cache could increase until the resource limit is reached.

This has been fixed, and the buffer is now involved in the flow control decision.

340013

A strict hostname check was ignored for certificates protecting HTTP, MSSQL, Telnet, and VNC connections.

When using HTTP, MSSQL, Telnet, and VNC connections with TLS server-side certificate validation enabled and only accepting certificates authenticated by a trusted CA list with the Strict hostname check option enabled, the previous versions of SPS did not validate whether the common name field of the server certificate contained the server's IP address or domain name.

This has been fixed, and SPS now correctly enforces the Strict hostname check option.

340142

There were only 3 time ranges previously:

  • Hour: if the time range was shorter than / equal to a day.

  • Day: if the time range was shorter than / equal to 30 days.

  • Month: if the time range was longer than 30 days.

A new time range (week) has been introduced, and the time period distributions have changed to the following:

  • Hour: if the time range is shorter than / equal to a day.

  • Day: if the time range is shorter than / equal to 14 days.

  • Week: if the time range is shorter than / equal to 12 weeks.

  • Month: if the time range is longer than 14 weeks.

Columns containing 0 items are also presented.

340221

Typing spaces and HTML tags to the quick search input no longer breaks the suggestion layout text.

431674

By fixing the issue, if we encounter an issue while creating a new SAML2 login method, we display a more specific error message instead of a generic one.

427645

When creating or editing an audit data cleanup policy, the sidesheets show the backend validation for the query field properly.

427772

When you create a new audit data cleanup policy, it will be selected in the page preview automatically.

427963

CSRF protection for the SPS REST API was optional. With this fix, SPS will force CSRF protection if the User-Agent refers to a browser.

428406

Due to an error during plugin API check, plugins with two-digit plugin API versions (for example, 1.7) could not be uploaded. The version check is fixed and the two-digit API version can be used from now on.

441702

On the analytics page of a session, all window title chips/pills were displayed in green. This is fixed and now each of them is displayed in the corresponding color to represent the user behavior correctly.

446474

When generating a report that includes content subchapters either from the SPS UI or via the SPS REST API, if approximately more than 1000 sessions matched the content query, report generation could fail.

When generating reports that include content subchapters, Reporting collects sessions that match the content query. For each session, a QR code image is generated in temporary files that are embedded in the generated PDF file. Unfortunately, file descriptors had not been closed properly for these temporary files. As a result, if there were so many sessions matching the content query that the number of open file descriptors exceeded the operation system's limit, report generation failed and the following backtrace was written in the /var/log/messages log file: "ERROR OSError: [Errno 24] Too many open files.".

This issue has been fixed by making sure that file descriptors are properly closed.

431434

When the user used the Automatically update session data on the Sessions page toggle, the Save button was not working on the User preferences UI.

This issue has been fixed.

432800

When the SPS appliance was run as an Azure virtual machine, the boot firmware became tainted while upgrading to version 7.4. This necessitated applying a hotfix before further upgrades could be performed.

This issue has been fixed.

437840

Table 2: Resolved Common Vulnerabilities and Exposures (CVE) in release 7.5

Resolved Issue

Issue ID

avahi:

CVE-2023-38469

 

CVE-2023-38470

 

CVE-2023-38471

 

CVE-2023-38472

 

CVE-2023-38473

bind9:

CVE-2023-2828

 

CVE-2023-2911

 

CVE-2023-3341

 

CVE-2023-4408

 

CVE-2023-50387

 

CVE-2023-50868

 

CVE-2023-5517

 

CVE-2023-5679

curl:

CVE-2023-38545

 

CVE-2023-38546

 

CVE-2023-46218

freerdp2:

CVE-2022-41877

 

CVE-2023-39350

 

CVE-2023-39351

 

CVE-2023-39352

 

CVE-2023-39353

 

CVE-2023-39354

 

CVE-2023-39356

 

CVE-2023-40181

 

CVE-2023-40186

 

CVE-2023-40188

 

CVE-2023-40567

 

CVE-2023-40569

 

CVE-2023-40589

glibc:

CVE-2023-4806

 

CVE-2023-4813

 

CVE-2023-4911

 

CVE-2023-5156

gnutls28:

CVE-2023-5981

 

CVE-2024-0553

 

CVE-2024-0567

jinja2:

CVE-2024-22195

krb5:

CVE-2023-36054
less: CVE-2022-48624

libssh:

CVE-2023-48795

 

CVE-2023-6004

 

CVE-2023-6918
libuv1: CVE-2024-24806

libvpx:

CVE-2023-44488

 

CVE-2023-5217

libx11:

CVE-2023-43785

 

CVE-2023-43786

 

CVE-2023-43787
libxml2: CVE-2024-25062

libxpm:

CVE-2023-43786

 

CVE-2023-43787

 

CVE-2023-43788

 

CVE-2023-43789

linux:

CVE-2023-1206

 

CVE-2023-20569

 

CVE-2023-20588

 

CVE-2023-25775

 

CVE-2023-31083

 

CVE-2023-31085

 

CVE-2023-32252

 

CVE-2023-34319

 

CVE-2023-37453

 

CVE-2023-3772

 

CVE-2023-3863

 

CVE-2023-39189

 

CVE-2023-39192

 

CVE-2023-39193

 

CVE-2023-40283

 

CVE-2023-4128

 

CVE-2023-4155

 

CVE-2023-4194

 

CVE-2023-4244

 

CVE-2023-4273

 

CVE-2023-42752

 

CVE-2023-42753

 

CVE-2023-42754

 

CVE-2023-42755

 

CVE-2023-42756

 

CVE-2023-4569

 

CVE-2023-45871

 

CVE-2023-4622

 

CVE-2023-4623

 

CVE-2023-46813

 

CVE-2023-4881

 

CVE-2023-4921

 

CVE-2023-5158

 

CVE-2023-5178

 

CVE-2023-51780

 

CVE-2023-51781

 

CVE-2023-5197

 

CVE-2023-5717

 

CVE-2023-6039

 

CVE-2023-6040

 

CVE-2023-6111

 

CVE-2023-6176

 

CVE-2023-6606

 

CVE-2023-6622

 

CVE-2023-6817

 

CVE-2023-6915

 

CVE-2023-6931

 

CVE-2023-6932

 

CVE-2024-0193

 

CVE-2024-0565

 

CVE-2024-0646

nghttp2:

CVE-2023-44487

open-vm-tools:

CVE-2023-20867

 

CVE-2023-20900

 

CVE-2023-34058

 

CVE-2023-34059

openjdk-17:

CVE-2023-22025

 

CVE-2023-22081

 

CVE-2023-22091

 

CVE-2023-30585

 

CVE-2023-30588

 

CVE-2023-30589

 

CVE-2023-30590

openldap:

CVE-2023-2953

openssh:

CVE-2023-28531

 

CVE-2023-48795

 

CVE-2023-51384

 

CVE-2023-51385

openssl:

CVE-2023-2975

 

CVE-2023-3446

 

CVE-2023-3817

 

CVE-2023-5363

 

CVE-2023-5678

 

CVE-2023-6129

 

CVE-2023-6237

 

CVE-2024-0727

pam:

CVE-2024-22365

perl:

CVE-2022-48522

 

CVE-2023-47038

pillow:

CVE-2023-44271

 

CVE-2023-50447

postfix:

CVE-2023-51764

postgresql-14:

CVE-2023-5868

 

CVE-2023-5869

 

CVE-2023-5870
  CVE-2024-0985

procps:

CVE-2023-4016

pycryptodome:

CVE-2023-52323

python-cryptography:

CVE-2023-23931

 

CVE-2023-49083

python-urllib3:

CVE-2023-43804

 

CVE-2023-45803

python3.10:

CVE-2023-40217

rabbitmq-server:

CVE-2023-46118

samba:

CVE-2023-4091

 

CVE-2023-4154

 

CVE-2023-42669

shadow:

CVE-2023-4641

sqlite3:

CVE-2022-46908

 

CVE-2023-7104

strongswan:

CVE-2023-41913

tar:

CVE-2023-39804

tiff:

CVE-2022-40090

 

CVE-2023-1916

 

CVE-2023-3576
  CVE-2023-52356
  CVE-2023-6228
  CVE-2023-6277

vim:

CVE-2022-1725

 

CVE-2022-1771

 

CVE-2022-1886

 

CVE-2022-1897

 

CVE-2022-2000

 

CVE-2022-2042

 

CVE-2022-3234

 

CVE-2022-3235

 

CVE-2022-3256

 

CVE-2022-3278

 

CVE-2022-3297

 

CVE-2022-3324

 

CVE-2022-3352

 

CVE-2022-3491

 

CVE-2022-3520

 

CVE-2022-3591

 

CVE-2022-3705

 

CVE-2022-4292

 

CVE-2022-4293

 

CVE-2023-46246

 

CVE-2023-4733

 

CVE-2023-4734

 

CVE-2023-4735

 

CVE-2023-4750

 

CVE-2023-4751

 

CVE-2023-4752

 

CVE-2023-4781

 

CVE-2023-48231

 

CVE-2023-48233

 

CVE-2023-48234

 

CVE-2023-48235

 

CVE-2023-48236

 

CVE-2023-48237

 

CVE-2023-48706

 

CVE-2023-5344

 

CVE-2023-5441

 

CVE-2023-5535

yajl:

CVE-2017-16516

 

CVE-2022-24795

 

CVE-2023-33460

Known issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 3: General known issues
Known Issue

The api/audit/sessions endpoint cannot return fields of complex objects nested in lists.

When the api/audit/sessions endpoint receives a query where the fields parameter is provided with list type fields, then these fields will be missing from the response, for example: vault.reviewed.* and vault.approved.*.

Search-based subchapters present some data as missing, regardless of their actual status.

When trying to create a report with subchapters that include the fields listed below, n/a will be presented in the report for these fields, even if data is stored in the database for those fields.

Known affected fields:

  • Reviewed user id

  • Reviewed user name

  • Reviewed domain name

  • Reviewed user display name

  • Reviewed client ip address

  • Reviewed comment

  • Reviewed timestamp

  • Approved user id

  • Approved user name

  • Approved domain name

  • Approved user display name

  • Approved client ip address

  • Approved comment

  • Approved timestamp

Caution:

After upgrading to version 7.0 LTS, SPS requires a new license. To avoid possible downtimes due to certain features not being available, before starting the upgrade, ensure that you have a valid SPS license for 7.0 LTS.

Upgrade as follows:

  1. Perform the upgrade to 7.0 LTS with your current license.

  2. Update your SPS license to 7.0 LTS.

For a new SPS license for 7.0 LTS, contact our Licensing Team.

TLS version 1.3 is not supported when using the inWebo, Okta or One Identity Starling 2FA plugins. To ensure that TLS 1.2 is used by SPS during negotiation, specify the minimum and maximum TLS version as follows:

  • For the minimum TLS version, select TLS version 1.2.

  • For the maximum TLS version, select TLS version 1.3.

For more information, see Verifying certificates with Certificate Authorities using trust stores in the Administration Guide.

The accuracy of replaying audit trails in Asian languages (Traditional Chinese, Korean) has been enhanced. Due to this change, when upgrading SPS to version 6.11.0, all your sessions will be reindexed, and while reindexing is in progress, your sessions on the Search interface are incomplete. For this reason, plan your upgrade to SPS 6.11.0 accordingly.

Report generation may fail if a report subchapter references a connection policy that has been deleted previously.

SPS can create reports giving detailed information about connections of every connection policy. For this, the user can add connection subchapters in the Report Configuration Wizard, under Reporting > Create & Manage Reports.

For a successful report generation, the referenced connection policy must exist on the appliance. However, when deleting a connection policy that is referenced as a connection subchapter, the user is not warned that the report subchapter must be removed, otherwise the subsequent report generation will fail.

This affects scheduled report generation as well.

Table 4: General known issues
Known Issue Issue ID

External indexer disconnected due to certificates expiry.

You are only affected by this issue if you have enabled external indexing while running SPS version 6.0.4 or 6.4.0 or later where the external indexer certificates were created with a limit of 800 days.

To resolve this issue, see External indexer disconnected due to certificates expiry (4368875) (oneidentity.com).

PAM-16883

System requirements

Before installing SPS 7.5, ensure that your system meets the following minimum hardware and software requirements.

The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.

For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents:

NOTE: When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. For more information about environment virtualization, see One Identity's Product Support Policies.

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択