
One Identity Safeguard for Privileged Sessions 7.1.1 - Release Notes

Deprecated features

Apache lucene database

In SPS 7.0 LTS, One Identity modified the search for screen content in session data to use the Elasticsearch database only. The Apache lucene database support is phased out, but the query language remained lucene-like.

After the switch to the Elasticsearch database, you will be able to access content stored in an Apache lucene database only if you regenerate the content with the reindex tool. For more information, see Regenerate content stored in lucene indices.

Due to the removal of lucene indices, users are not able to search for content in lucene indices with the content request parameter on the /api/audit/sessions and /api/audit/sessions/stats endpoints.

For more information, see "Searching in the session database with the basic search method" in the REST API Reference Guide and "Session statistics" in the REST API Reference Guide.

Additionally, in Reporting, statistics subchapters that included the audit_content filter will not work. Alternatively, you can use search-based subchapters with the screen.content filter to create statistics reports from the metadata of connections whose audit trail included specific content.

For more information, see "Creating search-based report subchapters from search results" in the Administration Guide.

Content search option deprecation

On the Search page, the Content search option has been deprecated.

Advanced statistics

Creating statistics from custom queries using the Reporting > View & edit subchapters > Advanced statistics page has been deprecated. The /api/configuration/reporting/custom_subchapters REST API endpoint has also been deprecated.

During the upgrade process, existing advanced statistics subchapters and their references are removed from the SPS configuration. Additionally, advanced statistics ACLs assigned to user groups are also removed from the SPS configuration. Note that if a user group only had the advanced statistics ACL assigned under Users & Access Control > Appliance Access, the whole ACL entry is removed during the upgrade process.

Alternatively, you can use search-based subchapters to query connection metadata. For more information, see "Creating search-based report subchapters from search results" in the Administration Guide.
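
Before upgrading, it helps to know which in-house scripts still depend on the deprecated REST API usage described above: the content request parameter on /api/audit/sessions and /api/audit/sessions/stats, and the /api/configuration/reporting/custom_subchapters endpoint. The following is an added example, not code from One Identity; the "METHOD URL" inventory format, the host name sps.example.com and the placeholder parameter are constructed assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Endpoints where, per the release notes, the `content` parameter no longer works.
CONTENT_PARAM_ENDPOINTS = {"/api/audit/sessions", "/api/audit/sessions/stats"}
# Endpoint the release notes list as deprecated.
DEPRECATED_ENDPOINTS = {"/api/configuration/reporting/custom_subchapters"}


def check_request(url):
    """Return findings for one request URL (empty list if unaffected)."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/")
    findings = []
    if path in CONTENT_PARAM_ENDPOINTS:
        # parse_qs decodes percent-encoding, so "c%6Fntent=" is caught too.
        if "content" in parse_qs(parts.query, keep_blank_values=True):
            findings.append(f"'content' parameter on {path}")
    for endpoint in DEPRECATED_ENDPOINTS:
        # Match the endpoint itself and anything addressed below it.
        if path == endpoint or path.startswith(endpoint + "/"):
            findings.append(f"deprecated endpoint {endpoint}")
    return findings


def audit(lines):
    """Map 1-based line number -> findings for lines shaped 'METHOD URL'."""
    report = {}
    for number, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 2:
            continue  # blank or malformed line
        findings = check_request(fields[1])
        if findings:
            report[number] = findings
    return report


# Constructed inventory of calls made by in-house scripts (not real traffic).
SAMPLE_CALLS = [
    "GET https://sps.example.com/api/audit/sessions?content=sudo&placeholder=1",
    "GET https://sps.example.com/api/audit/sessions?placeholder=1",
    "GET https://sps.example.com/api/audit/sessions/stats?placeholder=1&content=passwd",
    "POST https://sps.example.com/api/configuration/reporting/custom_subchapters",
    "GET https://sps.example.com/api/audit/sessions/stats",
]

if __name__ == "__main__":
    for number, findings in audit(SAMPLE_CALLS).items():
        print(f"line {number}: {'; '.join(findings)}")
```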

Resolved issues

The following is a list of issues addressed in this release.

Table 1: General resolved issues in release 7.1.1
Resolved Issue Issue ID

When opening the "Users & Access Control > Appliance Access" page, the "Search/Search (classic)" ACL may be listed as granted permission if the "Search in all connections" ACL is granted.

The "Search (classic)" menu has been deprecated, and therefore, it is no longer present on the UI. However, if the "Search in all connections" permission was granted, the related ACL object was still visible on the "Appliance Access" page, due to incomplete deprecation. Also, the "/opt/scb/etc/menu.yml" configuration file contained a reference to the "Search (classic)" menu, which was also removed.

Since these had no functions, they were removed completely. As a result, the "Search (classic)" object will no longer be listed among the ACL objects.

This change does not result in any change in the permissions or require the upgrade of the XML configuration file.

Issue ID: 340468

We have removed the "Mousewheel scrolling of search results" option from User menu > Preferences.

The "Mousewheel scrolling of search results" option is redundant, as the new search function no longer uses this feature.

Issue ID: 340477

RDP login could terminate all connections.

In some rare cases, a domain user who successfully logged in to a domain-joined RDP server through SPS could cause all RDP connections to terminate. In this case, a core file was also generated. This issue mainly affected transparent connections, or connections where SPS was acting as an RD Gateway, and where the server was behaving in a specific incorrect way during SPNEGO-based NLA authentication.

This has been fixed: the non-standard server behavior is now handled gracefully, and the affected connections can now pass.

Issue ID: 388421

Using the default timeout for NFS mounts.

Previously, the NFS timeout was set to 15 seconds, instead of the default value of 60 seconds.

This has been fixed and now the default value is used.

Issue ID: 389010

There was an upgrade scenario which could result in data loss if the Elasticsearch re-indexing did not finish before the upgrade. This issue has been resolved.

Issue ID: 392760

Table 2: Resolved Common Vulnerabilities and Exposures (CVE) in release 7.1.1
Resolved Issue Issue ID
bind9: CVE-2022-2795, CVE-2022-38177, CVE-2022-38178
cloud-init: CVE-2022-2084
curl: CVE-2022-32221, CVE-2022-35252
dbus: CVE-2022-42010, CVE-2022-42011, CVE-2022-42012
gmp: CVE-2021-43618
gnutls28: CVE-2021-4209, CVE-2022-2509
heimdal: CVE-2021-3671, CVE-2022-3116
isc-dhcp: CVE-2022-2928, CVE-2022-2929
ldb: CVE-2021-3670, CVE-2022-32745, CVE-2022-32746
libjpeg-turbo: CVE-2020-17541, CVE-2020-35538, CVE-2021-46822
libksba: CVE-2022-3515
libtirpc: CVE-2021-46828
libxml2: CVE-2016-3709
libxslt: CVE-2021-30560
linux: CVE-2021-33061, CVE-2021-33655, CVE-2021-33656, CVE-2022-1652, CVE-2022-1679, CVE-2022-1734, CVE-2022-2586, CVE-2022-2588, CVE-2022-2602, CVE-2022-28893, CVE-2022-3176, CVE-2022-34918, CVE-2022-36946, CVE-2022-41674, CVE-2022-42720, CVE-2022-42721
mysql-8.0: CVE-2022-21509, CVE-2022-21515, CVE-2022-21517, CVE-2022-21522, CVE-2022-21525, CVE-2022-21526, CVE-2022-21527, CVE-2022-21528, CVE-2022-21529, CVE-2022-21530, CVE-2022-21531, CVE-2022-21534, CVE-2022-21537, CVE-2022-21538, CVE-2022-21539, CVE-2022-21547, CVE-2022-21553, CVE-2022-21569
net-snmp: CVE-2022-24805, CVE-2022-24806, CVE-2022-24807, CVE-2022-24808, CVE-2022-24809, CVE-2022-24810
open-vm-tools: CVE-2022-31676
pcre2: CVE-2022-1586, CVE-2022-1587
perl: CVE-2020-16156
pillow: CVE-2022-22817
postgresql-12: CVE-2022-2625
rsync: CVE-2022-37434
samba: CVE-2021-3670, CVE-2022-2031, CVE-2022-32742, CVE-2022-32744, CVE-2022-32745, CVE-2022-32746
sqlite3: CVE-2020-35525, CVE-2020-35527, CVE-2021-20223
strongswan: CVE-2022-40617
tiff: CVE-2022-0907, CVE-2022-0908, CVE-2022-0909, CVE-2022-0924, CVE-2022-1354, CVE-2022-1355, CVE-2022-2056, CVE-2022-2057, CVE-2022-2058, CVE-2022-22844
vim: CVE-2022-0943, CVE-2022-1154, CVE-2022-1616, CVE-2022-1619, CVE-2022-1620, CVE-2022-1621
wayland: CVE-2021-3782
zlib: CVE-2022-37434

Known issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 3: General known issues
Known Issue

Caution:

After upgrading to version 7.0 LTS, SPS requires a new license. To avoid possible downtimes due to certain features not being available, before starting the upgrade, ensure that you have a valid SPS license for 7.0 LTS.

Upgrade as follows:

  1. Perform the upgrade to 7.0 LTS with your current license.

  2. Update your SPS license to 7.0 LTS.

For a new SPS license for 7.0 LTS, contact our Licensing Team.

TLS version 1.3 is not supported when using the inWebo, Okta or One Identity Starling 2FA plugins. To ensure that TLS 1.2 is used by SPS during negotiation, specify the minimum and maximum TLS version as follows:

  • For the minimum TLS version, select TLS version 1.2.

  • For the maximum TLS version, select TLS version 1.3.

For more information, see "Verifying certificates with Certificate Authorities using trust stores" in the Administration Guide.

The accuracy of replaying audit trails in Asian languages (Traditional Chinese, Korean) has been enhanced. Due to this change, when upgrading SPS to version 6.11.0, all your sessions will be reindexed, and while reindexing is in progress, your sessions on the Search interface are incomplete. For this reason, plan your upgrade to SPS 6.11.0 accordingly.

Report generation may fail if a report subchapter references a connection policy that has been deleted previously.

SPS can create reports giving detailed information about connections of every connection policy. For this, the user can add connection subchapters in the Report Configuration Wizard, under Reporting > Create & Manage Reports.

For a successful report generation, the referenced connection policy must exist on the appliance. However, when deleting a connection policy that is referenced as a connection subchapter, the user is not warned that the report subchapter must be removed, otherwise the subsequent report generation will fail.

This affects scheduled report generation as well.

Table 4: General known issues
Known Issue Issue ID

External indexer disconnected due to certificates expiry.

You are only affected by this issue if you have enabled external indexing while running SPS version 6.0.4 or 6.4.0 or later where the external indexer certificates were created with a limit of 800 days.

To resolve this issue, see External indexer disconnected due to certificates expiry (4368875) (oneidentity.com).

Issue ID: PAM-16883

System requirements

Before installing SPS 7.1.1, ensure that your system meets the following minimum hardware and software requirements.

The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.

For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents:

NOTE: When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. Please consult One Identity's Product Support Policies for more information on environment virtualization.
