
One Identity Safeguard for Privileged Sessions 6.2.0 - Release Notes

Enhancements

The following is a list of enhancements implemented in SPS 6.2.

Table 1: General enhancements

  • When storing hostnames and fully-qualified domain names in channel policies, you can now configure SPS to use a custom domain name server to resolve the hostnames. For details, see "Creating and editing channel policies" in the Administration Guide.

  • You can verify the integrity of the plugins uploaded to SPS from the web interface.

  • Enabling debug logging no longer automatically increases the verbosity of the logs related to the audited network traffic. For details, see "Collecting logs and system information for error reporting" in the Administration Guide.

Resolved issues

The following is a list of issues addressed in this release.

Table 2: General resolved issues in release 6.2
Each resolved issue is listed together with its issue ID.

Security package updates (PAM-10817)

The following packages were updated to address the listed CVEs:

  • bind9: CVE-2019-6471

  • bzip2: CVE-2019-12900

  • expat: CVE-2018-20843

  • glib2.0: CVE-2019-13012

  • libmspack: CVE-2019-1010305

  • linux: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11085, CVE-2019-11091, CVE-2019-11478, CVE-2019-11479, CVE-2019-11815, CVE-2019-11833, CVE-2019-11884

  • mysql-5.7: CVE-2019-2737, CVE-2019-2738, CVE-2019-2739, CVE-2019-2740, CVE-2019-2741, CVE-2019-2757, CVE-2019-2758, CVE-2019-2774, CVE-2019-2778, CVE-2019-2791, CVE-2019-2797, CVE-2019-2805, CVE-2019-2819

  • nss: CVE-2019-11719, CVE-2019-11729

  • openjdk-8: CVE-2019-2745, CVE-2019-2762, CVE-2019-2766, CVE-2019-2769, CVE-2019-2786, CVE-2019-2816, CVE-2019-2842, CVE-2019-7317

  • openldap: CVE-2019-13057, CVE-2019-13565

  • openssl: CVE-2018-0732, CVE-2018-0735, CVE-2018-0737, CVE-2019-1543

  • patch: CVE-2019-13636, CVE-2019-13638

  • postgresql-10: CVE-2019-10164, CVE-2019-10208

  • python2.7: CVE-2018-1000802, CVE-2018-14647

  • redis: CVE-2019-10192

  • sqlite3: CVE-2018-20346, CVE-2018-20505, CVE-2018-20506, CVE-2019-8457, CVE-2019-9936, CVE-2019-9937

  • vim: CVE-2019-12735

  • walinuxagent: CVE-2019-0804

Ignore the actual result of the whoami request when checking the availability of an LDAP server (PAM-10729)

To check the availability of an LDAP server, SPS performs a "who am I" query against that server. If that query was disabled on the server, SPS treated the response as a sign that the server was down, even if it was handling other requests properly. This behavior has been changed: SPS now only checks whether the server responds at all.
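The corrected check, as an added example written for these notes rather than taken from SPS: it sends the RFC 4532 "Who am I?" extended operation and treats any well-formed LDAP reply as "server up", while the `require_success` switch models the old behaviour that reported a server down when the operation was merely disabled. The minimal BER encoder and decoder, the function names and the host names are all hypothetical; the fake replies used to exercise it are constructed inline.

```python
"""
"Who am I?" (RFC 4532) availability probe for an LDAP server: "up" is decided by
whether the server answered at all, not by whether the operation succeeded.
Added example written for these notes, not SPS code; BER is hand-rolled so it runs
without an LDAP library, and every name below is hypothetical.
"""
import socket
from typing import Callable, NamedTuple, Optional

WHOAMI_OID = b"1.3.6.1.4.1.4203.1.11.3"           # RFC 4532 requestName
LDAP_SUCCESS, LDAP_UNWILLING_TO_PERFORM = 0, 53   # RFC 4511 resultCode values
# BER tags (RFC 4511): universal types plus LDAP's application / context tags
TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING, TAG_ENUMERATED = 0x30, 0x02, 0x04, 0x0A
TAG_EXTENDED_REQUEST, TAG_EXTENDED_RESPONSE = 0x77, 0x78   # [APPLICATION 23] / [24]
TAG_REQUEST_NAME, TAG_RESPONSE_VALUE = 0x80, 0x8B          # [0] / [11]

def ber_tlv(tag: int, content: bytes) -> bytes:
    """Encode one tag-length-value element (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content

def ber_int(value: int) -> bytes:
    size = (value.bit_length() + 8) // 8      # minimal two's-complement length
    return ber_tlv(TAG_INTEGER, value.to_bytes(size, "big", signed=True))

def ber_read(buf: bytes, pos: int):
    """Return (tag, content, position after the element); ValueError if truncated."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                            # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    content = buf[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated BER element")
    return tag, content, pos + length

def build_whoami_request(message_id: int) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { [0] requestName = whoami OID } }"""
    ext = ber_tlv(TAG_EXTENDED_REQUEST, ber_tlv(TAG_REQUEST_NAME, WHOAMI_OID))
    return ber_tlv(TAG_SEQUENCE, ber_int(message_id) + ext)

class ExtendedResponse(NamedTuple):
    message_id: int
    result_code: int
    diagnostic: str
    response_value: Optional[bytes]   # authzId such as b"dn:..." on success

def parse_extended_response(data: bytes) -> ExtendedResponse:
    """LDAPMessage { messageID, ExtendedResponse { resultCode, matchedDN,
    diagnosticMessage, [10] responseName OPTIONAL, [11] responseValue OPTIONAL } }"""
    tag, msg, _ = ber_read(data, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = ber_read(msg, 0)
    tag2, body, _ = ber_read(msg, pos)
    if tag != TAG_INTEGER or tag2 != TAG_EXTENDED_RESPONSE:
        raise ValueError("not an ExtendedResponse")
    tag, code, pos = ber_read(body, 0)
    if tag != TAG_ENUMERATED:
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = ber_read(body, pos)
    _, diag, pos = ber_read(body, pos)
    value = None
    while pos < len(body):                      # optional trailing elements
        tag, content, pos = ber_read(body, pos)
        if tag == TAG_RESPONSE_VALUE:
            value = content
    return ExtendedResponse(int.from_bytes(mid, "big", signed=True),
                            int.from_bytes(code, "big"), diag.decode("utf-8", "replace"), value)

Probe = Callable[[bytes], bytes]   # sends one LDAPMessage, returns the raw reply

def ldap_server_available(probe: Probe, message_id: int = 1, require_success: bool = False) -> bool:
    """Fixed criterion (default): any well-formed reply to our message ID means the
    server is up; only transport errors (OSError) or unparseable data mean down.
    require_success=True is the pre-fix criterion: whoami must return success, so a
    server that has the operation disabled (resultCode 53) is reported down."""
    try:
        resp = parse_extended_response(probe(build_whoami_request(message_id)))
    except (OSError, ValueError):
        return False
    if resp.message_id != message_id:
        return False
    return resp.result_code == LDAP_SUCCESS if require_success else True

def tcp_probe(host: str, port: int = 389, timeout: float = 3.0) -> Probe:
    """Plain-TCP probe (no TLS); a single recv() suffices because a whoami reply is small."""
    def send(request: bytes) -> bytes:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            return sock.recv(65536)
    return send
```

Against a real directory, `ldap_server_available(tcp_probe("ldap.example.com"))` (hypothetical host) sends the request anonymously over port 389; a server with whoami disabled answers with resultCode 53 and is still reported available, a refused or timed-out connection raises `OSError` and is reported unavailable. Wrapping the socket with the `ssl` module in `send` gives the same probe over LDAPS.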

Low idle timeouts on LDAP servers not handled correctly (PAM-10674)

SPS did not handle correctly the case where an LDAP server closed idle sessions after less than 600 seconds. After this fix, idle timeout settings above 120 s work correctly.

Connection data backup not available in the console menu (PAM-10576)

A backup can be started manually from the menu accessible via SSH or the appliance console. Due to a bug, only the system backup option was available there; the option to back up the data associated with connection policies (such as audit trails) was missing. This is now fixed and all backup options are available again.

Login page can redirect to arbitrary external sites (PAM-10560)

To streamline the login process, SPS could redirect the user to the site they originally wanted to access after a successful login. However, this feature redirected the user to any URL if the login page was accessed through a suitably crafted link (an open redirect), which made phishing attacks against SPS administrators easier. The login page now only redirects to URLs on SPS itself.
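One way to enforce the "only redirect to URLs on SPS itself" rule, as an added example written for these notes and not SPS's own login code: the validator accepts a site-relative path or an https URL whose host is one of the appliance's own names, and falls back to "/" for everything else, including the protocol-relative, backslash and userinfo variants that commonly slip past naive host checks. The function name, the parameter names and `sps.example.com` are hypothetical.

```python
"""
Post-login redirect validation that only allows targets on the appliance
itself.  Added example written for these notes, not SPS code; the function
and parameter names and the host names are hypothetical.
"""
from typing import FrozenSet, Optional
from urllib.parse import urlsplit, urlunsplit

DEFAULT_TARGET = "/"


def safe_redirect_target(raw: Optional[str], own_hosts: FrozenSet[str]) -> str:
    """Return a site-relative path to redirect to after login, or "/" when the
    requested target cannot be proven to stay on this appliance.

    Accepted:
      * a site-relative path such as "/search?q=1"
      * an absolute https URL whose host is one of `own_hosts`
    Everything else falls back to "/": protocol-relative "//evil.example",
    schemes such as "javascript:" or "data:", backslash variants such as
    "/\\evil.example" (browsers treat "\\" as "/" in the authority), userinfo
    tricks such as "https://sps.example.com@evil.example/", and any target
    containing whitespace or control characters.
    """
    if not raw:
        return DEFAULT_TARGET
    candidate = raw.strip().replace("\\", "/")
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in candidate):
        return DEFAULT_TARGET
    try:
        parts = urlsplit(candidate)
    except ValueError:                      # e.g. malformed IPv6 literal
        return DEFAULT_TARGET

    if parts.scheme == "" and parts.netloc == "":
        # Relative target: require exactly one leading "/" so the browser
        # resolves it against this origin and never reads it as an authority.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
        return DEFAULT_TARGET

    # Absolute target: https only, no userinfo, host must be one of ours.
    if parts.scheme.lower() != "https":
        return DEFAULT_TARGET
    if parts.username is not None or parts.password is not None:
        return DEFAULT_TARGET
    if (parts.hostname or "").lower() not in own_hosts:
        return DEFAULT_TARGET
    # Re-emit as a site-relative path: the client keeps the scheme and host it
    # is already talking to, so the redirect cannot leave this origin.
    return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))


if __name__ == "__main__":
    own = frozenset({"sps.example.com"})    # hypothetical appliance host name
    for target in ("/search?q=1", "https://sps.example.com/search",
                   "//evil.example/", "/\\evil.example", "javascript:alert(1)",
                   "https://sps.example.com@evil.example/"):
        print(f"{target!r:48} -> {safe_redirect_target(target, own)!r}")
```

Always re-emitting a site-relative path is the key design choice: even when an absolute URL passes the host check, the browser is sent a path, so the redirect can never change scheme or host, and an `http://` downgrade is rejected outright.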

On an extremely overloaded machine, the OCR scanning (indexing) process could crash (PAM-10547)

When the machine was so overloaded that the connection between the process controlling the OCR scanning and indexing operation (indexerworker) and the process doing the computation (indexerservice) was lost, the worker process tried to abort the processing but crashed. The index job might still finish successfully later. The problem was fixed and the worker process now handles this outage correctly.

Disk fill-up prevention should always deny incoming connections when the limit is reached (PAM-10510)

Disk fill-up prevention did not deny incoming connections in the following case: IP forwarding was enabled for the NIC the connection arrived on, and a connection policy was configured to 'Use original target address of the client'. This has been fixed; all connections are now denied when the disk fill-up limit is reached. Forwarded connections that do not match a connection policy, and are therefore not audited, still pass through the appliance even when the disk fill-up limit is reached.

Session verdict is 'auth-fail' after a failed gateway authentication attempt even if it succeeds after a retry (PAM-10509)

If the user entered a wrong password, or the gateway authentication attempt failed for another reason, the "verdict" for that session on the search interface remained "auth-failed" even if the user was offered a second attempt that succeeded. This logic is now fixed: the final authentication decision determines the verdict of the session.

Console menu does not time out (PAM-10441)

As a side effect of an unrelated change, the console menu did not log off idle users after the timeout. This is now fixed and idle sessions are properly terminated.

Transferring files over 4 GB not possible over RDP disk redirection (PAM-10418)

Files over 4 GB transferred via RDP disk redirection through SPS got corrupted. This is now fixed; both download and upload of larger files work.

indexer-service cannot be reloaded multiple times within a short time (PAM-10355)

Reloading indexer-service occasionally returned a false error message even though the service was actually reloaded. If you then attempted to reload it again within a short time (about 3 seconds), the reload failed.

Core files are generated for ICA sessions (PAM-10316)

In certain situations, after the client closed an ICA session, SPS generated a core file. This has been corrected.

Search interface easier to use on smaller displays (PAM-10285)

Some controls on the search interface were difficult to use on displays narrower than 1480 pixels. The design was made more responsive to accommodate smaller displays as well.

RDP connection problems with certain client applications (PAM-10284)

If the client did not send a cookie when establishing the initial connection to SPS, SPS sent an invalid cookie to the target server, which caused the server to terminate the connection. This has been corrected.

The /api/active-sessions endpoint responds with Internal Server Error (500) (PAM-10281)

The /api/active-sessions endpoint responded only with Internal Server Error (500) when an error occurred during a DELETE request. It now responds with Not Found (404) if the given session ID is not in the list of active sessions.

Removed deprecated and duplicate fields from the search interface (PAM-10175)

The selectors on the search interface offered many fields that were no longer used or were duplicates, which made them difficult to use. The list was reviewed and now only relevant fields can be selected.

Disk fill-up prevention should always deny incoming connections when the limit is reached (PAM-10039)

Disk fill-up prevention did not deny incoming connections in the following case: IP forwarding was enabled for the NIC the connection arrived on, and a connection policy was configured to 'Use original target address of the client'. This has been fixed; all connections are now denied when the disk fill-up limit is reached. Forwarded connections that do not match a connection policy, and are therefore not audited, still pass through the appliance even when the disk fill-up limit is reached.

Prevent joining SPS nodes running different firmware versions to a cluster (PAM-10020)

Configuration (and cluster state) synchronization may not work if the Central Management node and the other cluster nodes run different versions of SPS. To avoid possible misconfiguration, product version compatibility is now validated when nodes join an SPS cluster.

Improved error detection of the Elasticsearch database for audit information (PAM-10018)

If the Elasticsearch instance that acts as the backend for the audit database failed to start for some reason, it kept retrying (and failing) and never notified the user about the problem. This has been fixed and such problems are now properly escalated.

Indexing status does not change on the UI after successfully reindexing a failed session (PAM-9753)

If indexing of an audit trail failed for some reason and reindexing was triggered manually, the indexing status was never updated on the UI even if the reindexing succeeded. This has been fixed and the latest, correct indexing status is shown in the interface at all times.

Stopping more data-producing processes when disk fill-up prevention is triggered (PAM-8012)

The disk fill-up prevention feature in SPS proactively stops traffic passing through the appliance when disk usage reaches a predefined threshold, to avoid the more severe errors that a completely full disk would cause. Besides ongoing traffic, several services also produce data on disk; these are now stopped as well, providing further protection.

The default number of indexer workers was 16 on a newly installed SPS (PAM-3739)

The default number of indexer workers was 16 on a newly installed SPS. This has been changed: the number of CPU cores of the machine is now taken into account when deciding the default number of indexer workers.

System requirements

Before installing SPS 6.2, ensure that your system meets the following minimum hardware and software requirements.

The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.

For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents:

Supported web browsers and operating systems

Caution:

Since the official support of Internet Explorer 9 and 10 ended in January, 2016, they are not supported in One Identity Safeguard for Privileged Sessions (SPS) version 4 F3 and later.

Caution:

Even though the One Identity Safeguard for Privileged Sessions (SPS) web interface supports Internet Explorer and Microsoft Edge in general, to replay audit trails you need to use Internet Explorer 11 and install the Google WebM Video for Microsoft Internet Explorer plugin. If you cannot install Internet Explorer 11 or another supported browser on your computer, use the Safeguard Desktop Player application. For details, see "Replaying audit trails in your browser" in the Administration Guide and the Safeguard Desktop Player User Guide.

NOTE:

SPS displays a warning message if your browser is not supported or JavaScript is disabled.

NOTE:

The minimum recommended screen resolution for viewing the One Identity Safeguard for Privileged Sessions (SPS) web interface is 1366 x 768 pixels on a 14-inch widescreen (standard 16:9 ratio) laptop screen. Screen sizes and screen resolutions equal to or above these values guarantee an optimal display of the web interface.

Supported browsers

The current version of Mozilla Firefox and Google Chrome, Microsoft Edge, and Microsoft Internet Explorer 11 or newer. The browser must support TLS-encrypted HTTPS connections, JavaScript, and cookies. Make sure that both JavaScript and cookies are enabled.

Supported operating systems

Windows 2008 Server, Windows 7, Windows 2012 Server, Windows 2012 R2 Server, Windows 8, Windows 8.1, Windows 10, Windows 2016, and Linux.

The SPS web interface can be accessed only using TLS-encryption and strong cipher algorithms.

Opening the web interface in multiple browser windows or tabs is not supported.
