NOTE: CVE-2021-44228, also known as Log4Shell, is a Remote Code Execution (RCE) vulnerability in the Apache Log4j library. The Log4j library shipped with SPS has been updated to version 2.17.1; therefore, SPS is protected against CVE-2021-44228 and against the following related vulnerabilities:
The following is a list of issues addressed in this release.
| Resolved Issue | Issue ID |
|---|---|
| SSH connections fail when the SHA1-based ssh-rsa host key algorithm is disabled on the client or on the server. SSH connections going through SPS 6.0.12 failed when either the client or the server disabled the SHA1-based ssh-rsa host key algorithm, and the message "Unable to find a matching kex or host key algorithm" was written to the system log. The cause was that recent SSH software disables the insecure ssh-rsa host key algorithm by default, and ssh-rsa was the only host key algorithm SPS supported. This has been fixed by adding support for the more secure SHA2-based RSA host key algorithms. SPS now offers the rsa-sha2-512, rsa-sha2-256 and ssh-rsa host key algorithms, in this order of preference. | PAM-15628 |
| SPP (Safeguard for Privileged Passwords) reported SPS as unavailable. When SPP checked the "configuration_sync" field in the response from /api/cluster/status/<node-id>, SPS did not fill out that field for the `central-management` node. SPS now fills out the "configuration_sync" field for the `central-management` node and reports it as `up-to-date`. | PAM-15404 |
| Due to an internal error, local users could not change their own password. Local users can now change their own password. | PAM-15293 |
| After an unclean shutdown, the PostgreSQL database could not be upgraded. The PostgreSQL upgrade procedure has been made more robust. | PAM-15253 |
| Due to an unexpected side effect of a change in SPS versions 6.10.0 and 6.0.10, the AWS images were accidentally shipped with a hard-coded node ID, so every node deployed from them shared the same ID. This prevented SPS nodes hosted on AWS from joining a cluster, and backups and archives of different nodes could overwrite each other's files. The way the initial node ID is generated has been changed, so Amazon images now generate a unique node ID on first boot. Note that the node ID of existing installations is not changed, because changing it would drop the node out of a management cluster and make its previous archives and backups unavailable. Only Amazon deployments were affected; on all other platforms the node ID has always been generated correctly on first boot. | PAM-15192 |
| The validation of the proxy settings name differed between the REST API and the Web UI: the REST API accepted the '.' and '-' characters in the name, which resulted in an invalid configuration. The validation has been synchronized, and invalid proxy settings names can no longer be set through the REST API. | PAM-15042 |
| Incorrect handling of Remote Desktop Protocol (RDP) Dynamic Virtual Channels (DVCs). The Remote Desktop Protocol allows the use of DVCs, which the server may open and close at any time during an RDP connection, and which the client is free to accept or reject. In SPS, channel policy decisions can be defined for these DVCs; for example, such channels can be selectively allowed or denied based on their names, or auditing can be enabled for only some of them. Due to the incorrect handling of DVCs that were rejected by the client or denied by policy, the channels could be evaluated or recorded incorrectly, depending on the configuration. DVCs denied by policy or rejected by the client are now evaluated and recorded correctly. | PAM-14941 |
| The log did not properly record the details of an Elasticsearch (ES) backup failure. When the user navigates to Basic Settings/Management/System backup and clicks Backup now, a backup process is started, and an ES backup is created as part of it. If the ES backup returned multiple errors (for example, a primary shard that is not allocated), the log contained the string "array" instead of the detailed failure reasons. The log now contains the details of the ES failures. | PAM-12526 |
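The PAM-15628 entry above describes a host key algorithm mismatch. The following is an added example, not code from SPS or One Identity: it models the RFC 4253 (section 7.1) negotiation rule, under which the chosen host key algorithm is the first name in the client's preference list that the server also offers, and shows why a server offering only ssh-rsa fails against a client that has dropped it, while the fixed list (rsa-sha2-512, rsa-sha2-256, ssh-rsa) negotiates rsa-sha2-512. The client algorithm lists and the `ssh -vv` excerpt are constructed for the example; the parser assumes the OpenSSH debug format in which each KEXINIT proposal block carries a "host key algorithms:" line.

```python
"""SSH host key algorithm negotiation (RFC 4253, section 7.1).

Added example, not SPS code: the negotiated host key algorithm is the first
name in the client's list that also appears in the server's list.
"""
from typing import List, Optional, Sequence, Tuple

# Constructed host key algorithm lists, in order of preference.
SPS_BEFORE_FIX = ["ssh-rsa"]                                  # SHA-1 based only
SPS_AFTER_FIX = ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]   # order from the release note
CLIENT_WITH_SHA1 = ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]
CLIENT_NO_SHA1 = ["ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-512", "rsa-sha2-256"]


def parse_name_list(field: str) -> List[str]:
    """Split an SSH name-list ("a,b,c") as carried in KEXINIT and printed by ssh -vv."""
    return [name for name in field.strip().split(",") if name]


def negotiate_host_key(client: Sequence[str], server: Sequence[str]) -> Optional[str]:
    """Return the first client-preferred algorithm the server also offers, else None."""
    offered = set(server)
    return next((name for name in client if name in offered), None)


def proposals_from_debug(output: str) -> Tuple[List[str], List[str]]:
    """Extract both sides' host key lists from OpenSSH 'ssh -vv' output.

    Assumed format: a 'KEXINIT proposal' header line names the side (local client
    or peer server) and a 'host key algorithms:' line follows inside that block.
    """
    client: List[str] = []
    server: List[str] = []
    side = None
    for line in output.splitlines():
        if "KEXINIT proposal" in line:
            side = "client" if "local" in line else "server"
        elif "host key algorithms:" in line and side:
            names = parse_name_list(line.split("host key algorithms:", 1)[1])
            if side == "client":
                client = names
            else:
                server = names
    return client, server


def diagnose(client: Sequence[str], server: Sequence[str]) -> str:
    """Report the outcome in the wording SPS logs on a failed negotiation."""
    chosen = negotiate_host_key(client, server)
    if chosen is None:
        return "Unable to find a matching kex or host key algorithm"
    return f"host key algorithm: {chosen}"


# Constructed excerpt of ssh -vv output: a client without ssh-rsa against the old SPS.
SAMPLE_DEBUG = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256
debug2: host key algorithms: ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256
debug2: host key algorithms: ssh-rsa
"""

if __name__ == "__main__":
    print("old SPS, client with ssh-rsa     :", diagnose(CLIENT_WITH_SHA1, SPS_BEFORE_FIX))
    print("old SPS, client without ssh-rsa  :", diagnose(CLIENT_NO_SHA1, SPS_BEFORE_FIX))
    print("fixed SPS, client without ssh-rsa:", diagnose(CLIENT_NO_SHA1, SPS_AFTER_FIX))
    client_list, server_list = proposals_from_debug(SAMPLE_DEBUG)
    print("from ssh -vv excerpt             :", diagnose(client_list, server_list))
```

To check a real SPS node the same way, run `ssh -vv user@<sps-host>` and feed the captured output to `proposals_from_debug`; the peer server proposal should list rsa-sha2-512 and rsa-sha2-256 ahead of ssh-rsa after the fix.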