Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 6.0.6 - Release Notes

Deprecated features

The following is a list of features that are no longer supported starting with SPS 6.0.

  • X.509 host certificates are not supported, the related options have been removed from the product. One Identity recommends using public keys instead.

  • DSA keys are not supported, the related options have been removed from the product. One Identity recommends using RSA keys instead.

  • The log ingestion feature of SPS has been removed from the product.

Deprecated features between SPS 5.1 and SPS 5.11

The following is a list of features that are no longer supported starting with SPS 6.0.

Caution:

Physical SPS appliances based on Pyramid hardware are not supported in 5 F1 and later releases. Do not upgrade to 5 F1 or later on a Pyramid-based hardware. The last supported release for this hardware is 5 LTS, which is a long-term supported release.

If you have purchased SPS before August, 2014 and have not received a replacement hardware since then, you have Pyramid hardware, so do not upgrade to SPS 5 F1 or later. If you have purchased SPS after August 2014, you can upgrade to 5 F1.

If you do not know the type of your hardware or when it was purchased, complete the following steps:

  1. Login to SPS.

  2. Navigate to Basic Settings > Troubleshooting > Create support bundle, click Create support bundle, and save the file.

  3. Open a ticket at https://support.oneidentity.com/create-service-request/.

  4. Upload the file you downloaded from SPS in Step 1.

  5. We will check the type of your hardware and notify you.

  • Support for the Lieberman ERPM credential store has been deprecated, this feature will be removed from the upcoming One Identity Safeguard for Privileged Sessions (SPS) 6 LTS release. One Identity recommends to use Safeguard for Privileged Passwords instead. For details, contact our Sales Team.

  • SSLv3 encryption is not supported in SPS version 5.10 and later. This has the following effects:

    • You cannot configure SPS if your browser does not support at least TLSv1.

    • If you are auditing HTTP, Telnet or VNC sessions that use TLS encryption, the client- and server applications must support at least TLSv1.

  • Support for X.509 host certificates is deprecated. This feature will be removed from SPS version 6 LTS (6.0). One Identity recommends using public keys instead.

  • Support for DSA keys is deprecated. This feature will be removed from SPS version 6 LTS (6.0). One Identity recommends using RSA keys instead.

Shorter than 1024-bit SSH keys

Following the upgrade, support for less than 1024-bit SSH keys is lost.

You can now use an Authentication Policy with GSSAPI and a Usermapping Policy in SSH connections. When an SSH Connection Policy uses an Authentication Policy with GSSAPI, and a Usermapping Policy, then SPS stores the user principal as the Gateway username, and the username used on the target as the Server username.

Note that this change has the following side effect: when using an Authentication Policy with GSSAPI, earlier versions of SPS used the client-username@REALM username to authenticate on the target server. Starting with version 5.9.0, it uses the client-username as username. Configure your servers accordingly, or configure a Usermapping Policy for your SSH connections in SPS.

Minimum version of encryption protocol for the web UI

The Basic Settings > Local Services > Required minimum version of encryption protocol option has been removed. This option governed the encryption protocol required to access the SPS web interface.

Regardless of the TLS version you configured previously, SPS will uniformly use TLS version 1.2.

This change might have the effect that using old (likely unsupported) browsers, it will not be possible to access the web interface of SPS.

Deprecation of RPC API

The RPC API is deprecated as of SPS 5 F7 and will be removed in an upcoming feature release. One Identity recommends using the REST API instead.

Screen content search in sessions indexed by the old Audit Player

It is no longer possible to search for screen contents indexed by the old Audit Player on the new search UI and the REST interface. Searching in session metadata (such as IP addresses and usernames) and in extracted events (such as executed commands and window titles that appeared on the screen) remains possible.

As the old Audit Player was replaced and deprecated as an indexing tool during the 4.x versions, this should only affect very old sessions. Sessions that were processed by the new indexing service will work perfectly. If you wish to do screen content searches in historical sessions, contact our Support Team.

Resolved issues

The following is a list of issues addressed in this release.

Table 2: General resolved issues in release 6.0.6
Resolved Issue Issue ID

Window title detection fix for Windows 2012 R2.

Window title detection did not find window titles when the DPI was slightly higher than the default one on Windows 2012.

PAM-12328

Linux desktop resizing issues with Citrix 1912 LTSR

When using a Citrix Linux VDA with Citrix 1912 LTSR, the desktop could not be resized properly. This has been fixed.

PAM-12255

Missing validation for RDP connections when NLA is enabled but TLS is not.

When SPS was configured to use Network Level Authentication in an RDP connection, but Legacy RDP Security Layer was selected for that connection, then no connection could be established. A traceback was written to the system log.

This has been fixed, SPS now validates that a connection for which NLA is enabled also has TLS Transport Security selected.

PAM-12186

Having a mismatching host key stored on the appliance could make the host key configured in backup policies ignored.

If the root user visited the backup host via SSH, it was prompted whether to have the offered host key stored or not. If the administrator selected to have it, that key was used later when performing backup (configured with Rsync over SSH), regardless the one configured on the WebUI.

The fix ensures that the user provided host key will be compared to the one presented by the backup server.

PAM-12173

SPS installation on Azure vm made the firmware tainted

The service walinuxagent, which is required to be run on azure instances, creates files at runtime and this made the firmware tainted. These files have been added to the tainted whitelist.

PAM-12090

Fixed timestamp conversion in report generation

When the timezone of SPS was other than UTC, timestamps for recorded sessions got converted to local time twice accidentally.

This has been fixed and the user should see the timestamps in connection with recorded sessions in their local time in case local timezone is applied on the box.

PAM-12087

Certificate chain upload might fail with cross-signed intermediates

When uploading a certificate chain, if any of the intermediate CA-s in the chain was also a publicly trusted root, the upload failed with an error message. This has been corrected.

PAM-12059

RDP device redirection only works if the Sound channel is enabled

Because of restrictions in Windows RDP servers device redirection only works if the "Sound" channel is enabled. A warning has been added that warns the user if device redirection is configured in the channel policies without having the "Sound" channel enabled.

PAM-12051

Core files are produced when stopping or restarting proxy services

The proxy service component could crash and write a core dump during shutdown when timestamping was enabled but the timestamping server was unreachable.

PAM-12016

Empty MenuInfo block appears instead of login screen

Invalid browser cookies could be set that prevented the rendering of the normal SPS login page.This has been corrected.

PAM-11985

Save hashed PSK value in support bundle

In order to diagnose clustering issues, it is important to verify that the cluster members share the same IPSec pre-shared keys, but this was impossible, because the values were masked out. Following this change, the generated PSK tokens of the configuration are replaced by their SHA256 hash value. This means that the comparison can be performed while the actual values still remain secret.

PAM-11976

Traceroute: switch to ICMP

Traceroute utility traditionally defaults to UDP probe packets, but such packets are likely to be filtered out by firewalls, even between SPS cluster nodes. It is expected that ICMP probes are more tolerated on networks, thus Troubleshooting > Traceroute has been changed to use ICMP instead of UDP.

PAM-11755

Starting up and shutting down logs are transferred from boot journal to core firmware logs

There were many cases when logs have not been transferred from boot journal store to core firmware. In that case, the network-related issues were not transferred. This has been corrected. Starting up and shutting down logs are transferred from boot journal to core firmware logs. This makes the investigation easier, because all the logs are in one place and these logs are stored for longer time.

PAM-11738

Fixed protocol binding in REST-based subchapter configurations

In REST-based reporting subchapter configurations under the binding options, protocol was either missing or it's value was written in lower case.

However, protocol values in ElasticSearch are stored in upper case form and when reporting queried our REST with protocol filter, due to the casing mismatch, no data were retrieved or not exactly the right data was being retrieved in some situations. This has been corrected.

PAM-11708

When an audit trail was missing from the SPS, all further archiving processes failed

When an audit trail was missing from SPS, all further archiving processes failed. This has been corrected and the archiving will continue to the next audit trail file, and SPS records the error in the local database.

PAM-11700

The firmware manipulation via console (core-shell) with firmwarectl synchronizes the firmware to the HA pair node.

The firmwarectl console tool, which can be called on the core-shell, did not synchronize the firmware to the other HA node which caused firmware version mismatch in case of a failover.

From now firmwarectl synchronizes the firmware to the other HA node just like the Basic Settings > High Availability page on the web-ui does.

PAM-11642

Configuration of remote timestamping fails if policy is not set

When configuring remote timestamping on the protocol Global Settings page and the policy OID was not set, committing the change failed with a generic error message. (When using the REST API, the error type was InvalidPropertyError.) This has been corrected.

PAM-11401

Rename Balabit in email attachments

In email attachments, Balabit Shell Control Box, which is the legacy product name, was still used. This has now been changed to One Identity Safeguard for Privileged Sessions.

PAM-10911

Unable to change network settings

In rare cases the appliance could boot with incomplete network configuration. This caused a configuration commit failure, on basic/networking page.

This issue has been fixed.

PAM-10498

Table 3: General resolved issues in release 6.0.5
Resolved Issue Issue ID

Brackets were removed from around IPv6 addresses by the HTTP proxy in headers

The HTTP proxy removed the brackets from around IPv6 addresses in relayed HTTP headers, eg. "Host: [2001:db8::]" became "Host: 2001:db8::1", which caused problems on the server side. This has been fixed and such headers are now relayed properly.

PAM-11758

Error messages appear in HTTP proxy logs when Authorization headers are not valid base64 encoded data

Our HTTP proxy tried to decode the Authorization header and if it could not, it logged an error because there was an error with the encoding. These log messages could be misleading as such headers happen frequently, so they were disabled.

PAM-11713

Timestamps in upgrade logs are misleading

During the upgrade SPS produces log files which are separated from the standard syslog. Into these log files the timestamps of the log lines were added manually. These timestamps were not accurate.

PAM-11619

When high amount of audit trails were stored on the disk, a process could cause performance issues during upgrade, HA takeover or boot.

After this fix this process will run only once.

PAM-11618

Displaying the login page triggers General error (xcbError) SNMP or email alert

When the login page was loaded in a browser, then a background request attempted to access a resource which mistakenly required an already authenticated user. If the General error (xcbError) alert was enabled on the Basic Settings / Alerting & Monitoring page, then this condition triggered sending SNMP or email alerts. This has been fixed.

PAM-11597

HTTP request URIs were sometimes forwarded incorrectly to the target server, with escaped URI parts not kept properly escaped.

The HTTP proxy in SPS improperly transformed URIs with escaped '/' characters. This has been fixed, and the requested URI is now passed intact to the target server.

PAM-11534

In case of high amount of information, paginated data storage solution was implemented, but not used by the indexer tool.

To prevent overloading the database operations, data storage, for example, screen content storage during information collection from audit trail now works in an optimized way.

PAM-11523

High memory consumption related to the indexer-jobgenerator service with sessions containing lots of channels

The jobgenerator service now handles channel related messages which are not required to store in memory anymore.

PAM-11513

Assigning "All" privileges to a user group did not grant access to the Active Connections page

Assigning "All" (read and write/perform) privileges to a user group at the Users & Access Control / Appliance Access (formerly: AAA / Access Control) page did not grant access to the Active Connections page for the selected group. This has been fixed.

PAM-11392

Multiple IPv4 addresses on the network interface which is assigned to clustering can break cluster node communication if other than the first one is used for clustering

Assigning multiple IPv4 addresses to the network interface which is used for clustering, and using other than the first one for secure communication between the cluster nodes results in a non-working configuration. Configuration validation has been extended with checks which prevent saving such configuration.

PAM-11047

HA IP negotiation fails when more than two SPS hosts are accessible on the HA interface

When more than two SPS instances are accessible through the HA interface, the third host cannot obtain a valid HA IP address as the other two addresses are already taken. As this is not a supported way of working, a warning message is now shown to the user on the console.

PAM-10916

Invalid software RAID-related events generated during one-shot checking (affects only MBX T1 hardware)

During the periodic checking of the software RAID array, DeviceDisappeared and NewDevice events were generated. These events were sent through SNMP or email, depending on the configuration.

This has now been fixed and these events are no longer generated.

PAM-10771

Unnecessary expiration warnings for indexer decryption key certificates

The decryption keys and the certificates that belong to them, used by the internal indexer to process encrypted audit trails, may still be needed in the configuration in order to access older audit data, long after the certificate itself is expired. Due to this, the expiration of these certificates will no longer trigger configuration validation warnings.

PAM-7653

Commit Log Requirement settings did not take effect immediately in REST API configuration transactions

Changes in Commit Log Requirement settings did not take effect immediately in REST API configuration transactions. This has been fixed. Also, the response for {{GET /api/transaction}} requests now indicates if a commit message is required for saving configuration changes.

PAM-4957

Table 4: General resolved issues in release 6.0.4
Resolved Issue Issue ID

In case of high amount of information paginated data, storage solution was implemented but not used by the indexer tool.

To prevent overloading the database operations, data storage, for example, screen content storage during information collection from audit trail now works in an optimized way.

PAM-11523

View log files > Tail window remains open even after the administrator has logged out.

The browser window displaying the live machine logs (Basic Settings > Troubleshooting > View log files > Tail) did not stop displaying new log messages after an administrator has logged out of their session. This has been corrected. Note that the window displaying the past log messages remains open even after logging out of the session.

PAM-11510

Missing timestamps in audit trails and "Error connecting TSA" messages in the logs.

A bug in ICA proxy caused missing timestamps in audit trails and "Error connecting TSA" messages in the logs. This has been fixed.

PAM-11391

Change in the trusted host keys did not trigger configuration synchronization in the SPS cluster.

Adding or removing a trusted host key now triggers configuration synchronization in the SPS cluster.

PAM-11390

Dynamic virtual channels in RDP proxy are not handled properly.

Some of the Dynamic virtual channels in RDP proxy were allowed even if they were not enabled in a Channel Policy. Now it has been fixed and must be explicitly added to the "Permitted channels" under the Dynamic virtual channels channel policy.

PAM-11319

HA takeover issues after multi-step upgrades

If a system was upgraded in multiple steps (for example, from 5.11 to 6.0 to 6.3) without an HA takeover between the upgrades, a range of problems occurred while detecting the version of the firmware on the master and slave nodes. This issue has been fixed and these type of upgrades now work well.

PAM-11292

From now on, Chrome on a newer version of macOS accepts the certificate generated by SPS.

The macOS has strictened its certificate policies, andthe generated certificate of SPS was not compliant with it. On Chrome, one could not turn off the warnings about the invalid certificate, rendering users unable to configure SPS for the first time.

During initial configuration (or later) one could upload a custom server certificate of course, but the browser did not allow the user to reach SPS to configure it.

The newly generated cert has the following additional properties:

  • validity is 800 days long
  • extendedKeyUsage has been specified

which makes it compliant with the recent Chrome+macOS combination.

PAM-11122

On HA takeover, the IP address of SPS was not updated in other computer's ARP table in certain conditions.

SPS did not wait for the interface to be in the UP state, therefore sending the gratuitous ARP message was not successful when the interface didn't come up quickly. This has been fixed by waiting for the interface first.

PAM-10860

Core files are generated for ICA sessions

In certain situations after the client has closed an ICA session, SPS generated a core file. This has been corrected.

PAM-10316

A systemd service (proc-sys-fs-binfmt_misc.mount) failed to start at boot.

The proc-sys-fs-binfmt_misc.mount unit failed to start at boot. This generated alerts for the customer which resulted in SNMP trap or email, depending on the configuration. The service now starts at boot.

PAM-9935

Table 5: General resolved issues in release 6.0.3
Resolved Issue Issue ID

Overriding the global verbosity level in ICA connection policies had no effect

In order to help troubleshooting, the global log verbosity level can be overridden in connection policies. This setting was ignored in ICA connections. This has been fixed, ICA connection policies now also allow setting a per-connection verbosity level.

PAM-11251

Password reuse always allowed when changing the password over REST

It is possible to configure SPS to prevent reusing previous passwords when changing the user password. This was not enforced when the password changed was performed through the REST API. It is now fixed and the restriction is enforced over the API, too.

PAM-11213

Client unexpectedly closes RemoteApp sessions

In certain situations using RemoteApp connections, SPS sent an unneeded certificate to the client, causing the client to close the connection. This has been corrected, the unneeded certificate is not sent to the client.

PAM-11187

RDP sessions shown as active even after client disconnects

In certain cases, SPS reported RDP sessions as active even after the client has disconnected. This has been corrected.

PAM-11168

The SPS initiated workflow fails in case of SSH protocol.

Starting with Safeguard for Privileged Sessions version 6.2 it became possible to join Safeguard for Privileged Sessions and Safeguard for Privileged Passwords and make use of the full password approval workflow in SPP for sessions initiated through SPS. This feature was backported to the 6.0.2 maintenance release, but due to a problem with the backport, it did not work properly for SSH sessions. The problem is now fixed and SSH sessions can also be used in this scenario.

PAM-11139

Improve the debug logging of ldapservice

The debug log messages of the ldapservice process now include a unique id to simplify troubleshooting of request-response pairs.

PAM-11135

Sessions are terminated when using the credit-card detection and alerting features

In certain cases when the credit-card detection and alerting features were used, SPS terminated the affected sessions even when the Terminate action was not selected. This has been corrected.

PAM-11134

Upgrading to SPS 6.0.2 fails if SPS is joined into SPP

Because of an error in the upgrade of Safeguard plugins, upgrade to SPS 6.0.2 failed if SPS was joined to SPP.

This has been corrected, in SPS 6.0.3 the upgrade works as expected.

PAM-11132

Timeout in RDGW sessions causes core files on SPS

If a connection required for a Remote Desktop Gateway session could not be established within the expected timeout, the session failed and a core file appeared on SPS. This has been corrected, such timeout errors are now handled properly.

PAM-11123

Traceback appears in the logs if the LDAP server is down

A traceback appeared in the logs if the LDAP server was unavailable and SPS tried to access this server. This has been corrected, the error is now properly handled.

PAM-11028

Resizing the screen in ICA sessions to span multiple monitors did not work

If the number of relayed monitor screens was changed during an ICA session the change was not relayed by SPS properly which made such changes impossible. The problem is now fixed and it is possible to change the number of monitors during the session.

PAM-10988

'Analytics details are not available' warning appears on the UI

In some cases, the 'Analytics details are not available' warning was displayed even though the analytics scores were available for the session.

PAM-10886

Traceback in the logs after rejecting a four-eyes authorization request

A traceback appeared in the logs after rejecting a four-eyes authorization request. This has been corrected, the event is now handled properly.

PAM-10881

After upgrading a High Availability cluster, the Basic Settings > High Availability page displayed the Boot firmware version of the Other node incorrectly

After upgrading a High Availability cluster, the Basic Settings > High Availability page displayed the Boot firmware version of the Other node incorrectly, as if that node was still running the old firmware version. Despite the information displayed on the web user interface, both nodes were running the new firmware version. This has been fixed.

PAM-10413

IPv6 routing table is missing from the support bundle

The IPv6 routing table was missing from the support bundle. This has been corrected.

PAM-10354

Configuration changes not taking effect

In some cases, when the user modified system-related configuration settings of SPS, they did not take effect after committing the changes. This could happen for example when commiting networking changes, and restarting the networking service was very slow. This has been corrected, such errors are now handled properly.

PAM-10336

Failed screenshots in content subchapter reports

Using external-indexer or near real time indexing lead to failed screenshots in content subchapter reports, indicated by the following error message in the logs:

'Cannot retrieve image for screencontent'

This has been corrected, screenshots are now properly generated for the reports.

PAM-10190

Remote Desktop Gateway authentication fails for Windows 2012 R2 clients

Remote Desktop Gateway authentication failed for Windows 2012 R2 clients (Windows client version: Windows 2012 R2 , ver. 6.3.9600 Protocol 8.1). This has been corrected.

PAM-9967

False data in achiving notice

After deleting a Connection Policy that had recorded sessions and creating a new policy with the same name, the number of archived files in the archiving notice was invalid. This has been corrected.

NOTE: It is not recommended to delete Connection Policies that were used in production systems, as this can prevent SPS from archiving the files and data related to these policies. We recommend disabling unneeded Connection Policies instead.

PAM-9615

If completing the Welcome Wizard using the REST API fails, the appliance becomes unreachable

If completing the Welcome Wizard using the REST API failed, an internal error made the product unreachable: the IP address became 192.168.1.1 and the console access of the root user was disabled. From now on, the console access of the root user remains active, so it can be used to fix such situations.

PAM-7760

Table 6: General resolved issues in release 6.0.2
Resolved Issue Issue ID

In some cases persisting indexer job status updates and command/title events made a big load on the database which caused big delays in opening new connections through SPS.

The way of persisting indexer events to the database was optimized in a way that it should not add delay on new connections.

PAM-10821

Error in handling compressed ICA traffic causes the server to terminate the session

In some cases, SPS handled compressed ICA traffic incorrectly, causing the server to terminate the session. The following log message appeared in the system logs:

'Compression PD: Unable to expand slab'

This has been corrected, the traffic is now handled properly.

PAM-10781

Ignore the actual result of the whoami request when checking the availability of an LDAP server

To check the availability of an LDAP server, SPS performs a "who am I" query against that server. If that query was disabled on the server, SPS treated the response as a sign of the server being down, even if it was handling other requests properly. This behavior has been changed and SPS now only checks if the server responds at all.

PAM-10729

Low idle timeouts on LDAP servers not handled correctly

SPS did not correctly handle if an LDAP server closed idle sessions after less than 600 seconds. After this fix, idle timeout settings above 120s work correctly.

PAM-10674

Connection data backup not available in the console menu

It is possible to manually initiate a backup process from the menu accessible via SSH or the appliance console. Due to a bug, only the system backup option was available there and the option to backup data associated with connection policies (such as audit trails) was not. This is now fixed and all backup options are available again.

PAM-10576

Duplicate header appears on the ICA Control > Channel Policies page

While editing a new Channel Policy on the ICA Control > Channel Policies page, clicking on the Show details icon caused a new header and footer to appear. This has been corrected.

PAM-10575

Login page can redirect to arbitrary external sites

To streamline the login process, SPS was able to redirect the user to the site they originally wanted to access after a successful login. However, this feature also redirected the user to any URL if the login page was accessed through a properly crafted link. This made phishing attacks against the administrators of SPS easier, so the login page now only redirects to URLs on SPS itself.

PAM-10560

On an extremely overloaded machine, the OCR scanning (indexing) process could crash

When the machine was so overloaded that the connection between the process that controls the OCR scanning and indexing operation (indexerworker) and the process doing the computation (indexerservice) was lost, the worker process tried to abort the processing but crashed. The index job might be finished successfully later. The problem was fixed and the worker process now handles this outage correctly.

PAM-10547

Disk fill-up prevention should always deny incoming connections when limit is reached

Disk fill-up prevention has not denied incoming connections in the following case: IP forwarding was enabled for the NIC where the connection was coming from and a connection policy was configured to 'Use original target address of the client'. This issue has been fixed. All connections are now denied when disk fill-up limit is reached. Forwarded connections that do not match a connection policy, and therefore are not audited still pass trough the appliance even if disk fill-up limit is reached.

PAM-10510

Session verdict is 'auth-fail' after a failed gateway authentication attempt even if it succeeds after a retry

If the user enters a wrong password or the gateway authentication attempt failed for another reason, the "verdict" for that session on the search interface remained "auth-failed", even if a second attempt was offered for the user and that succeeded. This logic is now fixed and the final authentication decision is used to decide the verdict of the session.

PAM-10509

Console menu does not timeout

As a side-effect of an unrelated change, the console menu did not log off idle users after a timeout. This is now fixed and idle sessions are properly terminated.

PAM-10441

Transferring files over 4GB not possible over RDP disk redirection

Files over 4GB transfers via RDP disk redirection over SPS got corrupted. This is now fixed and both download and upload of larger files is possible.

PAM-10418

indexer-service cannot be reloaded multiple times within a short time

Reloading indexer-service occasionally returned with a false error message, even though it was actually reloaded. However, if you attempted to reload it again within a short time (within in ~3 seconds), the reload failed.

PAM-10335

Core files are generated for ICA sessions

In certain situations after the client has closed an ICA session, SPS generated a core file. This has been corrected.

PAM-10316

RDP connection problems with certain client applications

If the client did not send a cookie when establishing the initial connection to SPS, SPS sent an invalid cookie to the target server, causing the server to terminate the connection. This has been corrected.

PAM-10284

The /api/active-sessions endpoint responds with Internal Server Error (500)

The /api/active-sessions endpoint could respond only with Internal Server Error (500) in case of an error during DELETE. From now on the /api/active-sessions endpoint can respond with Not Found Error (404) if the given session id is not found in the list of active sessions.

PAM-10281

Misspelled OK buttons on the web interface

Some OK buttons were spelled as 'Ok' on the web interface. These have been corrected.

PAM-10155

Prevent joining SPS nodes running different firmware versions to a cluster

Configuration (and cluster state) synchronization may not work if the Central Management and other cluster nodes are running different versions of SPS. In order to avoid possible misconfiguration, product version compatibility will now be validated during joining nodes to an SPS cluster.

PAM-10020

Improved error detection of Elasticsearch database for audit information

If the Elasticsearch instance that acts as a backend for the audit database failed to start for some reason, it kept retrying (and failing) and never notified the user about the problem. The problem has been fixed and such problems are properly escalated.

PAM-10018

Inaccurate warning when upgrading external indexers

When upgrading an external indexer, an inaccurate warning was displayed about removing the directory that contained the configuration files of the old version of the indexer. This has been corrected.

PAM-9707

Content search field does not handle the '<' character

Typing the '<' character followed by other characters in the screen content search field caused the query to disappear. This has been corrected, such queries are now handled properly.

PAM-9264

OpenSSL encryption failure when changing the password of a permanent keystore

In some rare cases, when changing the password of a permanent keystore on the web interface, encrypting the keys failed with the following error message:

'Fatal error: escapeshellarg(): Input string contains NULL bytes in /opt/scb/lib/OpenSSL.php on line 62'

This has been corrected.

PAM-8345

Stopping more data-producing processes when disk fillup prevention is triggered

The disk fillup prevention feature in SPS proactively stops traffic passing through if this usage reaches a predefined threshold to avoid more severe errors caused by the disk being filled up completely. Besides ongoing traffic there are several services that also produce data, which are now also stopped, providing further protection.

PAM-8012

Table 7: General resolved issues in release 6.0.1
Resolved Issue Issue ID

bind9:

  • CVE-2018-5743
  • CVE-2019-6471

bzip2:

  • CVE-2019-12900

curl:

  • CVE-2019-5346

db5.3:

  • CVE-2019-8457

dbus:

  • CVE-2019-12749

elfutils:

  • CVE-2018-16062
  • CVE-2018-16402
  • CVE-2018-16403
  • CVE-2018-18310
  • CVE-2018-18520
  • CVE-2018-18521
  • CVE-2019-7149
  • CVE-2019-7150
  • CVE-2019-7665

expat:

  • CVE-2018-20843

ffmpeg:

  • CVE-2018-15822
  • CVE-2019-9718
  • CVE-2019-9721

glib2.0:

  • CVE-2019-12450

gnutls28:

  • CVE-2018-1084
  • CVE-2018-10844
  • CVE-2018-10845
  • CVE-2018-10846
  • CVE-2019-3829

isc-dhcp:

  • CVE-2019-6470

jinja2:

  • CVE-2019-10906

libpng1.6:

  • CVE-2019-7317

libseccomp:

  • CVE-2019-9893

linux:

  • CVE-2017-5715
  • CVE-2017-5753
  • CVE-2017-5754
  • CVE-2018-12126
  • CVE-2018-12127
  • CVE-2018-12130
  • CVE-2018-16884
  • CVE-2018-3620
  • CVE-2018-3639
  • CVE-2018-3646
  • CVE-2019-11478
  • CVE-2019-11479
  • CVE-2019-3874
  • CVE-2019-3882
  • CVE-2019-9500
  • CVE-2019-9503

mysql-5.7:

  • CVE-2019-2566
  • CVE-2019-2581
  • CVE-2019-2592
  • CVE-2019-2614
  • CVE-2019-2627
  • CVE-2019-2628
  • CVE-2019-2632
  • CVE-2019-2683

openjdk-8:

  • CVE-2019-2422
  • CVE-2019-2426
  • CVE-2019-2602
  • CVE-2019-2684
  • CVE-2019-2698

php7.2:

  • CVE-2019-11034
  • CVE-2019-11035
  • CVE-2019-11036
  • CVE-2019-11039
  • CVE-2019-11040
  • CVE-2019-9637
  • CVE-2019-9638
  • CVE-2019-9639
  • CVE-2019-9640
  • CVE-2019-9641
  • CVE-2019-9675

postgresql-10:

  • CVE-2019-10130
  • CVE-2019-10164

python-urllib3:

  • CVE-2018-20060
  • CVE-2019-11236
  • CVE-2019-11324

python2.7:

  • CVE-2018-1000802
  • CVE-2018-14647

qtbase-opensource-src:

  • CVE-2018-15518
  • CVE-2018-19870
  • CVE-2018-19873

samba:

  • CVE-2018-16860

sqlite3:

  • CVE-2018-20346
  • CVE-2018-20505
  • CVE-2018-20506
  • CVE-2019-8457
  • CVE-2019-9936
  • CVE-2019-9937

vim:

  • CVE-2019-12735

Inconsistent merge behaviour in configuration sync

There were some cases, where a validation error occured during configuration synchronization. This has been fixed, and now System Backup is synchronized under Management, too.

PAM-9655

Changing cluster roles may make the product tainted

When changing certain cluster roles, the firmware became tainted. This affected the upgrade process when the definition of a role changed between two releases, resulting in tainted firmware. Now this has been fixed.

PAM-9375

Report generation can produce duplicate reports

If generating a report took more than 30 minutes, it was restarted, causing it to run twice and generate a duplicate report. This has been corrected, now report generation jobs cannot overlap to prevent processing them twice.

PAM-5477

The default number of indexer workers was 16 on a newly installed SPS.

The default number of indexer workers was 16 on a newly installed SPS. This has been modified, and now the number of CPU cores of the machine is taken into account when deciding the default number of indexer workers.

PAM-3739

Disk fill-up prevention should always deny incoming connections when limit is reached

Disk fill-up prevention has not denied incoming connections in the following case: IP forwarding was enabled for the NIC where the connection was coming from and a connection policy was configured to 'Use original target address of the client'. This issue has been fixed. All connections are now denied when disk fill-up limit is reached. Forwarded connections that do not match a connection policy, and therefore are not audited still pass trough the appliance even if disk fill-up limit is reached.

PAM-10039
Table 8: General resolved issues in release 6.0
Resolved Issue Issue ID

Security package updates

bind9:

  • CVE-2018-5743

busybox:

  • CVE-2011-5325
  • CVE-2018-1000517
  • CVE-2018-20679
  • CVE-2019-5747

curl:

  • CVE-2019-5346

ffmpeg:

  • CVE-2018-15822
  • CVE-2019-9718
  • CVE-2019-9721

file:

  • CVE-2019-8905
  • CVE-2019-8906
  • CVE-2019-8907

isc-dhcp:

  • CVE-2019-6470

ldb:

  • CVE-2019-3824

libgd2:

  • CVE-2019-6977
  • CVE-2019-6978

libpng1.6:

  • CVE-2019-7317

libxslt:

  • CVE-2019-11068

linux:

  • CVE-2017-5715
  • CVE-2017-5753
  • CVE-2017-5754
  • CVE-2018-12126
  • CVE-2018-12127
  • CVE-2018-12130
  • CVE-2018-14678
  • CVE-2018-16884
  • CVE-2018-18021
  • CVE-2018-18397
  • CVE-2018-19824
  • CVE-2018-19854
  • CVE-2018-3620
  • CVE-2018-3639
  • CVE-2018-3646
  • CVE-2019-3459
  • CVE-2019-3460
  • CVE-2019-3874
  • CVE-2019-3882
  • CVE-2019-6133
  • CVE-2019-6974
  • CVE-2019-7221
  • CVE-2019-7222
  • CVE-2019-7308
  • CVE-2019-8912
  • CVE-2019-8980
  • CVE-2019-9213
  • CVE-2019-9500
  • CVE-2019-9503

lua5.3:

  • CVE-2019-6706

mysql-5.7:

  • CVE-2019-2566
  • CVE-2019-2581
  • CVE-2019-2592
  • CVE-2019-2614
  • CVE-2019-2627
  • CVE-2019-2628
  • CVE-2019-2632
  • CVE-2019-2683

nss:

  • CVE-2018-18508

openjdk-8:

  • CVE-2019-2422
  • CVE-2019-2426
  • CVE-2019-2602
  • CVE-2019-2684
  • CVE-2019-2698

openssh:

  • CVE-2019-6109
  • CVE-2019-6111

openssl1.0:

  • CVE-2019-1559

php7.2:

  • CVE-2019-11034
  • CVE-2019-11035
  • CVE-2019-9637
  • CVE-2019-9638
  • CVE-2019-9639
  • CVE-2019-9640
  • CVE-2019-9641
  • CVE-2019-9675

python-urllib3:

  • CVE-2018-20060
  • CVE-2019-11236
  • CVE-2019-11324

samba:

  • CVE-2018-16860
  • CVE-2019-3880

systemd:

  • CVE-2019-3842

tiff:

  • CVE-2018-10779
  • CVE-2018-12900
  • CVE-2018-17000
  • CVE-2018-19210
  • CVE-2019-6128
  • CVE-2019-7663

walinuxagent:

  • CVE-2019-0804

wget:

  • CVE-2018-20483
  • CVE-2019-5953

Search interface not available after cluster upgrade on certain versions

When upgrading the cluster between certain versions, the search functionality was not available after the nodes rebooted. This has been fixed and the search backend starts up properly after a cluster upgrade.

PAM-9768

Core file download button not visible for read-only users

Read-only access rights to the Basic Settings/Troubleshooting page allows the user to download all kinds of debug information, including core files. The "Download" button was not visible for users with read-only rights, even though they could download these files via the API. The button is now shown correctly.

PAM-9693

Limited logging for Citrix ICA connections

Due to an internal error, system logging about Citrix ICA protocols did not work properly. Even though audit recording was unaffected, this made troubleshooting difficult. The problem was fixed and logging now works similarly to other protocols.

PAM-9671

Rare crash when using Remote Desktop Gateway connections

Due to an unhandled race condition, the RDP proxy could crash in very rare cases when a large number of Remote Desktop Gateway connections were open in parallel. The problem was fixed.

PAM-9596

Changes to SIEM forwarder setting not applied

Changes to the configuration of the SIEM forwarder except the initial setup were not applied until rebooting the machine or restarting the service. This is now fixed and all changes take effect immediately.

PAM-9499

Stale RDP connections on the Active Connections page

Since version 5.6, stale RDP sessions can remain unclosed and displayed on the "Active Connections" page. This is now fixed and all RDP sessions are now closed properly.

PAM-9473

Wrong IP address in autogenerated HTTPS certificates

Certificates generated for proxy mode HTTPS connections are using the IP address of SPS (the proxy) instead of the hostname/address of the target server.

PAM-9337

AAA configuration (including root password) is not synchronized to the managed hosts in an SPS cluster

The AAA configuration was blacklisted during the configuration synchronization between the central management and the managed host. This limitation is now solved, and AAA configuration is synchronized to the managed hosts.

The AAA configuration contains the local users (including admin), therefore we added the root password to the synchronized configuration data, too.

PAM-9295

Double check of group membership during public key-based gateway authentication in SSH

When using public-key-based gateway authentication in SSH, the group filtering was performed twice, which could have a significant performance penalty. This is now fixed and this check is done only once.

PAM-9268

Indexing RDP sessions may fail with "Size out of range" errror

RDP sessions with multiple channels sometimes resulted in indexing errors ("Size out of range"). Such audit trails could not be opened in the Desktop Player. This has been fixed.

PAM-9267

Audit trails of Citrix ICA sessions using XenApp and XenDesktop 7.15 cannot be replayed

Audit trails of Citrix ICA sessions using XenApp and XenDesktop 7.15 could not be properly replayed, and contained garbled screens. The error has been corrected, SPS 6.0 now properly record such sessions, so they can be properly replayed.

PAM-9232

Report a more descriptive error message when firmware upload fails

When a firmware upload fails because of insufficient disk space, invalid file uploaded, or a similar error, now a more descriptive message is displayed instead of a generic error message.

PAM-9231

Indexing certain archived sessions fails

Indexing jobs sometimes failed with the "No such file or directory" error message. This occurred when the audit trail of the session has already been archived and the remote archive was not mounted. Now the indexer automatically remounts such archives to complete the indexing.

PAM-9230

Deleting keytabs failed when "Verbose system logs" (debug logging) was turned on

When "Verbose system logs" (debug logging) was turned on, then a server side error prevented deleting keytabs. This has been fixed.

PAM-9224

None

The owner of the configuration lock was not reset within a browser session. As a result, if two different users logged in after each other in the same web browser, and the second user visited the Search > Search or Basic Settings > Cluster management pages, then the System monitor showed that the configuration is locked by

REST@system

, and the user could not edit the configuration.

This problem has been fixed.

PAM-9150

SSH sessions disconnect if SPS cannot find the account in the Credential store

If a credential store was defined for a Connection Policy and SPS could not find an entry for the given target account in the store, it disconnected immediately instead of prompting the client to authenticate. This has been fixed, and now the fallback is triggered properly.

PAM-9128

On an appliance with a Search minion role, generating daily/weekly/monthly reports results in several error e-mails

On an appliance with the Search minion role, when generating reports every Day / Week / Month, selecting "Send reports in e-mail", and attempting to inculde a Search subchapter in the report resulted in receiving several error e-mails from all Search minions that were configured in that cluster environment. The error message in the e-mails was:

"Unknown error: Error while fetching data via REST client, error: Error response got from REST client, status code: 500, reason: The search backend is unaccessible."

This has been corrected, no error messages will be sent.

If you want to include Search subchapters in your reports, generate them on the appliance with the Search master role.

PAM-9001

Searching for audit trails that are not indexed is not working

In some cases if the connection database was big, searching for audit trails that are not indexed on the Search > Search (classic) page did not work properly. (Selecting the 'Not indexed' option in the "Channel's Indexing Status" column resulted in a search query that was never completed.) This has been fixed.

This has been corrected.

PAM-9000

Failed SSH sessions can cause the System Monitor to show negative value as the number of active sessions

When certain incompatible configuration settings are used (for example, GSSAPI authentication with autologin), a failed SSH connection attempt could decrease the active session count, eventually pushing it below zero. This is now fixed and such failed connections don't change the number of active sessions.

PAM-8959

Unnecessary health check warnings in the logs of the Search master node

In central search mode, the proxies are disabled on the Search master node. However, the built-in health check processes still checked the status of the proxies and logged a warning message. This warning is now disabled for search master nodes.

PAM-8857

Generating certificates fails for long host and domain names

SPS generates several certificates internally, and it uses the configured hostname and domain name for the appliance in the Common Name (CN) of these certificates. If any of these were long, the CN could go beyond the 64-character limit of the underlying OpenSSL libraries and the certificate generation failed. The appliance now truncates the strings to make sure the CN stays below the 64-character limit.

PAM-8693

Multiple processing issues fixed in terminal based protocols with CJK characters

The wide characters of CJK alphabets caused issues with command detection, video rendering, screenshot export in HTML, and the follow mode of the Safeguard Desktop Player. These are now fixed.

PAM-8611

Session database upgrade fails for some ICA sessions

Some older versions of SPS saved the protocol information of ICA sessions differently, using the name "CGP" instead of "ICA". The session database upgrade process was not prepared to handle that and moving such sessions to the new database failed. Such sessions are now handled correctly by the upgrade process.

PAM-8465

The RDP domain membership configuration is displayed even if the appliance was not a member of the domain

The RDP domain membership configuration was displayed even if the appliance was not a member of the currently configured domain. From now on, it is displayed only if the appliance is member of the currently configured domain. The status of the appliance (joined or not) is also displayed.

PAM-8372

Insufficient error handling during external indexer initialization

If an indexer failed to start up for some reason, in some scenarios it asked for the password for the decryption key for the trails instead of recognizing and logging the error. This is now fixed and startup errors are handled properly.

PAM-8329

No warnings about encrypted sessions on the new search interface

The Search > Search page did not warn the user if a session could not be played back because it was encrypted and the decryption key was not available in the keystore. This is now fixed and users get a warning that helps them solve the issue.

PAM-7585

"Search subchapters" page only available to the "admin" user

The "Search subchapters" report configuration page was only accessible to the "admin" user. The permission handling of this page has been corrected and it can be accessed by other users as well if they have the required Access Control rights.

PAM-7136

Configuration interface is unresponsive during session database upgrade

The System Monitor shows the status of the session database upgrade process. Unfortunately, the way it queryied the current status was highly inefficient, which could significantly slow down the entire web interface if the database being upgraded was large. The status check is now much more efficient and the UI remains responsive even during the upgrade.

PAM-6204

System requirements

Before installing SPS 6.0, ensure that your system meets the following minimum hardware and software requirements.

The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.

For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents:

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating