Chat now with support
Chat with Support

Safeguard for Privileged Sessions On Demand Hosted - Release Notes

Deprecated features

Apache Lucene database

Starting from SPS 7.0 LTS, One Identity plans to modify the search for screen content in session data to use the Elasticsearch database only. The current Apache Lucene database support will be phased out, but the query language will remain Lucene-like.

After the switch to the Elasticsearch database, you will be able to access content stored in an Apache Lucene database only if you regenerate the content with the reindex tool.

Splunk forwarder

The Splunk forwarder is deprecated as of SPS 6.7 and is now removed. One Identity recommends using the universal SIEM forwarder instead.

Web interface

The /api/configuration/management/webinterface endpoint is deprecated as of SPS 6.13 and is now removed. One Identity recommends using the webinterface_timeout parameter of the /api/configuration/aaa/settings endpoint instead.

Resolved issues

The following is a list of issues addressed in this release.

Table 1: General resolved issues in release 6.13.1
Resolved Issue Issue ID

Audit trail writer error can cause all connections to terminate.

When auditing was enabled for a connection, but an error occurred during audit trail writing, incorrect error handling could cause all connections of the same protocol to terminate. In this case, the error message "Failed to write record with audit trail writer service;" was written to the system log.

The error handling has been fixed: the audit failure now only causes the affected connection to terminate, as intended.

PAM-16192

Health status information is not up to date on the API.

After upgrading to SPS 6.13.0, the {{/api/health-status}} information was never updated. This has been fixed.

PAM-16197

The following is a list of issues addressed in release 6.13.0.

Table 2: General resolved issues in release 6.13.0
Resolved Issue Issue ID

Encrypted sudo-iolog sessions can be replayed without decryption keys.

Though users had no decryption keys for encrypted sudo-iolog sessions, screenshots and videos were available for inspection. This issue has been fixed. Encrypted sudo-iolog sessions now cannot be replayed without decryption keys.

PAM-15862

Despite there is no video to play, the 'Play video from this event' button does not disappear.

If there is no video, the 'Play video from this event' button is not displayed.

PAM-15657

Unable to configure some Trust Stores for AD/LDAP

It was not possible to configure Trust Stores with "leaf" or "full" certificate revocation checking for Active Directory or LDAP by using the web user interface, although it was possible over the REST API. This was fixed.

PAM-15645

The verbosity level of the traffic at the HTTP, ICA, MSSQL, RDP, SSH, TELNET and VNC Control > Global Options page could not be changed on a search-master SPS cluster node.

The search-master SPS cluster node does not handle proxy traffic, therefore the change of the global verbosity level failed because of the unavailable proxy service. With this fix SPS does not trigger log level change for the proxy service on a search-master SPS cluster node, so the configuration change can be applied.

PAM-15585

UI cannot handle identical names for trust stores.

This issue has been fixed. When the user enters a name for the trust store which is not unique, the "Name must be unique" error message is shown next to the name field on the side sheet, and the Save button is disabled.

PAM-15372

Improperly formatted X.509 certificates.

When SPS displayed a certificate on the REST API or in an error message, it used a custom formatting for the subject or issuer. This could include unnecessary fields with "None" values and some fields could be missing, which could make the task of identifying the certificate cumbersome.

SPS now uses a more standard formatting when displaying certificate subjects or issuers.

PAM-14005

Table 3: Resolved Common Vulnerabilities and Exposures (CVE) in release 6.13.0
Resolved Issue Issue ID
mysql-8.0: CVE-2022-21245
CVE-2022-21249
CVE-2022-21253
CVE-2022-21254
CVE-2022-21256
CVE-2022-21264
CVE-2022-21265
CVE-2022-21270
CVE-2022-21301
CVE-2022-21302
CVE-2022-21303
CVE-2022-21304
CVE-2022-21339
CVE-2022-21342
CVE-2022-21344
CVE-2022-21348
CVE-2022-21351
CVE-2022-21358
CVE-2022-21362
CVE-2022-21367
CVE-2022-21368
CVE-2022-21370
CVE-2022-21372
CVE-2022-21374
CVE-2022-21378
CVE-2022-21379
linux: CVE-2020-26541
CVE-2021-4002
CVE-2022-0185
lxml: CVE-2021-43818
pillow: CVE-2021-23437
CVE-2021-34552
CVE-2022-22815
CVE-2022-22816
CVE-2022-22817
qtbase-opensource-src: CVE-2021-38593
samba:

 

CVE-2021-43566
CVE-2021-44142

CVE-2022-0336

strongswan:

CVE-2021-45079

systemd:

CVE-2021-3997

vim:

 

 

 

CVE-2021-3974

CVE-2021-3984

CVE-2021-4019

CVE-2021-4069

Known issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 4: General known issues
Known Issue

TLS version 1.3 is not supported when using the inWebo, Okta or One Identity Starling 2FA plugins. To ensure that TLS 1.2 is used by SPS during negotiation, specify the minimum and maximum TLS version as follows:

  • For the minimum TLS version, select TLS version 1.2.

  • For the maximum TLS version, select TLS version 1.3.

For more information, see "Verifying certificates with Certificate Authorities using trust stores" in the Administration Guide.

The accuracy of replaying audit trails in Asian languages (Traditional Chinese, Korean) has been enhanced. Due to this change, when upgrading SPS to version 6.11.0, all your sessions will be reindexed, and while reindexing is in progress, your sessions on the Search interface are incomplete. For this reason, plan your upgrade to SPS 6.11.0 accordingly.

Report generation may fail if a report subchapter references a connection policy that has been deleted previously.

SPS can create reports giving detailed information about connections of every connection policy. For this, the user can add connection subchapters in the Report Configuration Wizard, under Reporting > Create & Manage Reports.

For a successful report generation, the referenced connection policy must exist on the appliance. However, when deleting a connection policy that is referenced as a connection subchapter, the user is not warned that the report subchapter must be removed, otherwise the subsequent report generation will fail.

This affects scheduled report generation as well.

System requirements

Before installing SPSOD Hosted, ensure that your system meets the following minimum hardware and software requirements.

The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.

For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents:

NOTE: When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. Please consult One Identity's Product Support Policies for more information on environment virtualization.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating