Apache Lucene database
In SPS 7.0 LTS, One Identity modified the search for screen content in session data to use the search database only. Support for the Apache Lucene database is phased out, but the query language remains Lucene-like.
After the switch to the search database, you can access content stored in an Apache Lucene database only if you regenerate the content with the reindex tool. For more information, see Regenerate content stored in lucene indices.
Due to the removal of Lucene indices, users cannot search for content in Lucene indices with the content request parameter on the /api/audit/sessions and /api/audit/sessions/stats endpoints.
For more information, see Searching in the session database with the basic search method in the REST API Reference Guide and Session statistics in the REST API Reference Guide.
Additionally, in Reporting, statistics subchapters that included the audit_content filter will not work. Alternatively, you can use search-based subchapters with the screen.content filter to create statistics reports from connection metadata that included specific content in the audit trail.
For more information, see Creating search-based report subchapters from search results in the Administration Guide.
Content search option deprecation
On the Sessions page, the Content search option has been deprecated.
Advanced statistics
Creating statistics from custom queries using the Reporting > View & edit subchapters > Advanced statistics page has been deprecated. The /api/configuration/reporting/custom_subchapters REST API endpoint has also been deprecated.
During the upgrade process, existing advanced statistics subchapters and their references are removed from the SPS configuration. Additionally, advanced statistics ACLs assigned to user groups are also removed from the SPS configuration. Note that if a user group only had the advanced statistics ACL assigned under Users & Access Control > Appliance Access, the whole ACL entry is removed during the upgrade process.
Alternatively, you can use search-based subchapters to query connection metadata. For more information, see Creating search-based report subchapters from search results in the Administration Guide.
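A pre-upgrade check for the two REST API changes described above (the content request parameter and the deprecated custom_subchapters endpoint), as an added example that is not part of the original release notes or of One Identity's tooling. The host name, integration names and parameter values in the sample inventory are constructed placeholders; only the endpoint paths and the content parameter come from this page.

```python
from urllib.parse import urlsplit, parse_qs

# Endpoints and parameter named in the release notes above.
CONTENT_ENDPOINTS = {"/api/audit/sessions", "/api/audit/sessions/stats"}
DEPRECATED_PREFIX = "/api/configuration/reporting/custom_subchapters"


def audit_request(url):
    """Return the upgrade findings for one REST request URL (empty list if none)."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    # keep_blank_values so that "?content=" and "?content" are still detected
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    if path in CONTENT_ENDPOINTS and "content" in params:
        findings.append("content parameter: lucene indices are no longer searched")
    if path == DEPRECATED_PREFIX or path.startswith(DEPRECATED_PREFIX + "/"):
        findings.append("custom_subchapters endpoint: deprecated")
    return findings


def audit_inventory(inventory):
    """Map each integration name to its findings, skipping clean entries."""
    report = {}
    for name, url in inventory:
        findings = audit_request(url)
        if findings:
            report.setdefault(name, []).extend(findings)
    return report


# Constructed sample inventory of requests made by integrations (placeholders).
SAMPLE_INVENTORY = [
    ("siem-export", "https://sps.example.com/api/audit/sessions?content=sudo"),
    ("dashboard", "https://sps.example.com/api/audit/sessions/stats/?content=config"),
    ("report-sync", "https://sps.example.com/api/configuration/reporting/custom_subchapters/abc123"),
    ("inventory", "https://sps.example.com/api/audit/sessions?fields=vault.approved.*"),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Feed it the request URLs your scripts and integrations actually send, for example extracted from their configuration or from proxy logs, and review every flagged caller before upgrading.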
User lists
On the Policies page, User lists are allow lists or deny lists of usernames that allow fine-grained control over who can access a connection or a channel. However, the configuration and the semantics of this policy can be ambiguous. Therefore, One Identity is planning the deprecation and removal of the User lists feature in a future SPS release. If you want to maintain the list of allowed usernames, you can use AD/LDAP groups instead.
NOTE: This feature will be deprecated and removed in a future SPS release. The feature is still available in SPS 7.5.1.
The following is a list of issues addressed in this release.
Table 1: General resolved issues in release 7.5.1
Mouse algorithm baselines can grow too large, preventing backups from happening. After this patch, mouse baselines are cleaned up much earlier. | 441246 |
Fixed the issue where event processing could stop after a configuration change. | 460598 |
Fixed CVE-2024-40595. For more information, see the knowledge base article. | 339857 |
Table 2: Resolved Common Vulnerabilities and Exposures (CVE) in release 7.5.1
apparmor: | CVE-2016-1585 |
bash: | CVE-2022-3715 |
bind9: | CVE-2023-3341, CVE-2023-4236, CVE-2023-4408, CVE-2023-50387, CVE-2023-50868, CVE-2023-5517, CVE-2023-5679, CVE-2024-0760, CVE-2024-1737, CVE-2024-1975, CVE-2024-4076 |
busybox: | CVE-2022-48174 |
cpio: | CVE-2015-1197, CVE-2023-7207 |
cups: | CVE-2024-35235 |
curl: | CVE-2024-2398, CVE-2024-7264 |
expat: | CVE-2023-52425, CVE-2024-28757 |
freerdp2: | CVE-2024-22211, CVE-2024-32039, CVE-2024-32040, CVE-2024-32041, CVE-2024-32458, CVE-2024-32459, CVE-2024-32460, CVE-2024-32658, CVE-2024-32659, CVE-2024-32660, CVE-2024-32661 |
glib2.0: | CVE-2024-34397 |
glibc: | CVE-2024-2961, CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602 |
gnutls28: | CVE-2024-28834, CVE-2024-28835 |
jinja2: | CVE-2024-34064 |
klibc: | CVE-2016-9840, CVE-2016-9841, CVE-2018-25032, CVE-2022-37434 |
krb5: | CVE-2024-37370, CVE-2024-37371 |
less: | CVE-2024-32487 |
libvpx: | CVE-2024-5197 |
linux: | CVE-2023-23000, CVE-2023-24023, CVE-2023-32247, CVE-2023-46838, CVE-2023-47233, CVE-2023-52447, CVE-2023-52530, CVE-2023-52600, CVE-2023-52603, CVE-2023-52629, CVE-2023-52752, CVE-2023-52760, CVE-2023-6039, CVE-2024-1085, CVE-2024-1086, CVE-2024-21823, CVE-2024-2201, CVE-2024-22705, CVE-2024-23307, CVE-2024-23850, CVE-2024-23851, CVE-2024-24855, CVE-2024-24861, CVE-2024-25742, CVE-2024-26581, CVE-2024-26583, CVE-2024-26584, CVE-2024-26585, CVE-2024-26622, CVE-2024-26642, CVE-2024-26643, CVE-2024-26680, CVE-2024-26733, CVE-2024-26735, CVE-2024-26736, CVE-2024-26748, CVE-2024-26782, CVE-2024-26792, CVE-2024-26809, CVE-2024-26828, CVE-2024-26830, CVE-2024-26886, CVE-2024-26921, CVE-2024-26922, CVE-2024-26924, CVE-2024-26926, CVE-2024-26952, CVE-2024-27017, CVE-2024-36016, CVE-2024-36901, CVE-2024-39292, CVE-2024-39484 |
nghttp2: | CVE-2024-28182 |
nss: | CVE-2022-34480, CVE-2023-0767, CVE-2023-5388, CVE-2023-6135 |
openjdk-17: | CVE-2023-22025, CVE-2023-22081, CVE-2023-22091, CVE-2023-30589, CVE-2024-21011, CVE-2024-21012, CVE-2024-21068, CVE-2024-21094, CVE-2024-21131, CVE-2024-21138, CVE-2024-21140, CVE-2024-21145, CVE-2024-21147 |
openssh: | CVE-2024-6387 |
openssl: | CVE-2022-40735, CVE-2024-2511, CVE-2024-4603, CVE-2024-4741, CVE-2024-5535, CVE-2024-6119 |
php8.1: | CVE-2022-4900, CVE-2024-2756, CVE-2024-3096, CVE-2024-5458 |
pillow: | CVE-2024-28219 |
postgresql-14: | CVE-2024-4317, CVE-2024-7348 |
python-idna: | CVE-2024-3651 |
python-zipp: | CVE-2024-5569 |
python3.10: | CVE-2023-6597, CVE-2024-0397, CVE-2024-0450, CVE-2024-4032 |
sqlparse: | CVE-2024-4340 |
strongswan: | CVE-2022-4967 |
tiff: | CVE-2023-3164 |
util-linux: | CVE-2022-0563, CVE-2024-28085 |
vim: | CVE-2023-2426, CVE-2024-22667, CVE-2024-41957, CVE-2024-43374 |
wget: | CVE-2024-38428 |
The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.
Table 3: General known issues
The api/audit/sessions endpoint cannot return fields of complex objects nested in lists.
When the api/audit/sessions endpoint receives a query whose fields parameter contains list-type fields, these fields are missing from the response, for example: vault.reviewed.* and vault.approved.*. |
Search-based subchapters present some data as missing, regardless of their actual status.
When trying to create a report with subchapters that include the fields listed below, n/a will be presented in the report for these fields, even if data is stored in the database for those fields.
Known affected fields:
- Reviewed user id
- Reviewed user name
- Reviewed domain name
- Reviewed user display name
- Reviewed client ip address
- Reviewed comment
- Reviewed timestamp
- Approved user id
- Approved user name
- Approved domain name
- Approved user display name
- Approved client ip address
- Approved comment
- Approved timestamp |
Caution:
From SPS 7.0 LTS, SPS requires a new license. To avoid possible downtimes due to certain features not being available, before starting the upgrade, ensure that you have a valid SPS license for 7.5.1.
Upgrade as follows:
- Perform the upgrade to 7.0 LTS with your current license.
- Update your SPS license to 7.0 LTS.
For a new SPS license, contact our Licensing Team. |
TLS version 1.3 is not supported when using the inWebo, Okta or One Identity Starling 2FA plugins. To ensure that TLS 1.2 is used by SPS during negotiation, specify the minimum and maximum TLS version as follows:
- For the minimum TLS version, select TLS version 1.2.
- For the maximum TLS version, select TLS version 1.3.
For more information, see Verifying certificates with Certificate Authorities using trust stores in the Administration Guide. |
The accuracy of replaying audit trails in Asian languages (Traditional Chinese, Korean) has been enhanced. Due to this change, when upgrading SPS to version 6.11.0, all your sessions will be reindexed, and while reindexing is in progress, your sessions on the Search interface are incomplete. For this reason, plan your upgrade to SPS 6.11.0 accordingly. |
Report generation may fail if a report subchapter references a connection policy that has been deleted previously.
SPS can create reports giving detailed information about connections of every connection policy. For this, the user can add connection subchapters in the Report Configuration Wizard, under Reporting > Create & Manage Reports.
For a successful report generation, the referenced connection policy must exist on the appliance. However, when deleting a connection policy that is referenced as a connection subchapter, the user is not warned that the report subchapter must be removed, otherwise the subsequent report generation will fail.
This affects scheduled report generation as well. |
Before installing SPS 7.5.1, ensure that your system meets the following minimum hardware and software requirements.
The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.
For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents:
NOTE: When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. For more information about environment virtualization, see One Identity's Product Support Policies.