
One Identity Safeguard for Privileged Sessions 7.3.1 - Release Notes

Deprecated features

Apache Lucene database

In SPS 7.0 LTS, One Identity changed the search for screen content in session data to use the Elasticsearch database only. Support for the Apache Lucene database is being phased out, but the query language remains Lucene-like.

After the switch to Elasticsearch, content stored in an Apache Lucene database is accessible only if you regenerate it with the reindex tool. For more information, see Regenerate content stored in lucene indices.

Because the Lucene indices are removed, users can no longer search for content in Lucene indices with the content request parameter on the /api/audit/sessions and /api/audit/sessions/stats endpoints.

For more information, see "Searching in the session database with the basic search method" in the REST API Reference Guide and "Session statistics" in the REST API Reference Guide.

Additionally, in Reporting, statistics subchapters that included the audit_content filter no longer work. Alternatively, you can use search-based subchapters with the screen.content filter to create statistics reports from the connection metadata of sessions whose audit trail contains specific content.

For more information, see "Creating search-based report subchapters from search results" in the Administration Guide.

Content search option deprecation

On the Search page, the Content search option has been deprecated.

Advanced statistics

Creating statistics from custom queries using the Reporting > View & edit subchapters > Advanced statistics page has been deprecated. The /api/configuration/reporting/custom_subchapters REST API endpoint has also been deprecated.

During the upgrade process, existing advanced statistics subchapters and their references are removed from the SPS configuration. Additionally, advanced statistics ACLs assigned to user groups are also removed from the SPS configuration. Note that if a user group only had the advanced statistics ACL assigned under Users & Access Control > Appliance Access, the whole ACL entry is removed during the upgrade process.

Alternatively, you can use search-based subchapters to query connection metadata. For more information, see "Creating search-based report subchapters from search results" in the Administration Guide.

Resolved issues

The following is a list of issues addressed in this release.

Table 1: General resolved issues in release 7.3.1

Issue ID 340527: Typo on Connection wizard page.

On the Connection created page of the Connection Wizard, the SPS address was missing. This has been corrected.

Issue ID 340529: Screenshot generation permission error notification is too eager to appear.

If a user with read permission tried to view an already generated screenshot, SPS displayed a screenshot generation error. This issue has been corrected, and now the screenshot generation permission error is displayed only if the user who wants to generate a screenshot does not have read and write permission in the search access control list.

Issue ID 340563: Login Options LDAP servers: Missing validator for the same addresses.

A validator has been added for the address list of the LDAP servers, which prevents users from saving the list if it contains multiple addresses with the same hostname and port. The address list must contain unique hostname and port pairs.

Issue ID 340598: License problem not apparent on side menu.

In the About menu, the warning icons were not displayed when the expandable panels were closed. This has been corrected, and now, if there are warnings, the warning icons are displayed even if the expandable panels are closed.

Issue ID 387231: In Login options, if an LDAP server was configured as the authentication backend for SAML2, after closing and re-opening Login options, the LDAP server was not displayed in the drop-down and could not be selected as a SAML2 login option. This issue has been corrected.

Issue ID 387964: The Audit data retention period field of the Audit data cleanup policy was missing type validation. This has been corrected, and the error messages on this page have been updated.

Issue ID 403615: Too many configuration elements can cause reference_id error on the UI.

Committing extremely large configuration changes on the web GUI could fail with the error "Form reference id received does not match stored value". This has been fixed, and such extremely large configuration changes are now possible within a single commit. Also, the error message has been reworded to better describe the error condition and its possible resolutions.

Issue ID 406786: The permitted redirect devices in the RDP channel policy were not saved in the configuration during the commit. This issue has been corrected.

Issue ID 407479: The RAID status is not displayed after the installation.

Previously, at the end of the installation of Safeguard 4000, the RAID sync status was not displayed. This issue has been corrected.

Issue ID 415489: Connection to a remote SSH server running OpenSSH 7.4, or older, through SPS can fail.

If the relayed authentication method was set to 'Public key' with 'Agent' selected for an SSH Authentication policy and the target SSH server was running OpenSSH 7.4, 7.3, or 7.2, connecting to the server through SPS could fail.

In this case, the following line was written in the log: "Client side public key signature algorithm is unsupported by the server; signature_algo='...' "

This issue has been fixed. Public key authentication to remote SSH servers running OpenSSH 7.4, 7.3, or 7.2 now works.

Issue ID 424781: The network interface order was wrong on the 4000 series appliances, which prevented the High Availability configuration from working even with correct cabling. This issue has been corrected.

Issue ID 425584: The legacy RAID status check in the precheck phase failed on the 4000 series appliances. The legacy RAID status check has been deprecated and a new precheck procedure has been introduced.

Table 2: Resolved Common Vulnerabilities and Exposures (CVE) in release 7.3.1

Component: Resolved CVEs

cloud-init: CVE-2023-1786

erlang: CVE-2022-37026

freetype: CVE-2023-2004

ipmitool: CVE-2020-5208

ldb: CVE-2023-0614

libwebp: CVE-2023-1999

libxml2: CVE-2023-28484, CVE-2023-29469

linux: CVE-2022-3108, CVE-2022-3903, CVE-2023-1281, CVE-2023-1829, CVE-2023-26545

openjdk-17: CVE-2023-21930, CVE-2023-21937, CVE-2023-21938, CVE-2023-21939, CVE-2023-21954, CVE-2023-21967, CVE-2023-21968

openssl: CVE-2023-0464, CVE-2023-0465, CVE-2023-0466

samba: CVE-2023-0614, CVE-2023-0922

sqlparse: CVE-2023-30608

sudo: CVE-2023-2848, CVE-2023-28486, CVE-2023-28487

vim: CVE-2021-4166, CVE-2021-4192, CVE-2021-4193, CVE-2022-0213, CVE-2022-0261, CVE-2022-0318, CVE-2022-0319, CVE-2022-0351, CVE-2022-0359, CVE-2022-0361, CVE-2022-0368, CVE-2022-0408, CVE-2022-0413, CVE-2022-0443, CVE-2022-0554, CVE-2022-0572, CVE-2022-0629, CVE-2022-0685, CVE-2022-0714, CVE-2022-0729, CVE-2022-1629, CVE-2022-1674, CVE-2022-1720, CVE-2022-1733, CVE-2022-1735, CVE-2022-1785, CVE-2022-1796, CVE-2022-1851, CVE-2022-1898, CVE-2022-1927, CVE-2022-1942, CVE-2022-1968, CVE-2022-2124, CVE-2022-2125, CVE-2022-2126, CVE-2022-2129, CVE-2022-2175, CVE-2022-2183, CVE-2022-2206, CVE-2022-2207, CVE-2022-2304, CVE-2022-2344, CVE-2022-2345, CVE-2022-2571, CVE-2022-2581, CVE-2022-2845, CVE-2022-2849, CVE-2022-2923, CVE-2022-2946, CVE-2022-2980

Known issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 3: General known issues
Known Issue

Reporting does not handle the fallback values of the search schema properly.

This issue occurs when a user sends a POST request to the https://SPS_IP/api/configuration/reporting/restbased_subchapters endpoint and creates a restbased_subchapter that contains a field with a date type in its fields value list.

From SPS 7.3.0, this issue can also be triggered on the SPS web UI, under the "Reporting" > "Create & Manage Reports" menu item, if a user creates a search-based subchapter with a date type column by pressing the "View & edit subchapters" button. The bug shows up in the generated report: if a date type field has no value for a session in the report, an empty value ("") is displayed instead of the expected n/a.

The api/audit/sessions endpoint cannot return fields of complex objects nested in lists.

When a query to the api/audit/sessions endpoint specifies list type fields in the fields parameter (for example, vault.reviewed.* and vault.approved.*), these fields are missing from the response.
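As an added illustration of a client-side workaround for this known issue (example code, not code from One Identity or the SPS documentation): keep the list-typed fields out of the fields parameter, fetch the session document without them, and project vault.reviewed.* and vault.approved.* locally. The session document below is a constructed sample, and the field names inside the reviewed and approved objects are assumptions; only the affected prefixes come from the issue text.

```python
"""Project list-typed wildcard fields client-side instead of passing them
in the `fields` parameter of api/audit/sessions.  SAMPLE_SESSION is a
CONSTRUCTED document; the real SPS response shape may differ."""
from typing import Any

# Field prefixes the known issue names as affected (list-typed, nested objects).
LIST_TYPE_PREFIXES = ("vault.reviewed.", "vault.approved.")

# Constructed sample session document (not a real SPS response).
SAMPLE_SESSION = {
    "protocol": "ssh",
    "vault": {
        "reviewed": [
            {"user_id": 17, "user_name": "auditor1", "timestamp": 1700000000},
            {"user_id": 42, "user_name": "auditor2", "timestamp": 1700003600},
        ],
        "approved": [],
    },
}


def split_fields(requested: list[str]) -> tuple[list[str], list[str]]:
    """Partition requested field paths into those that are safe to send in
    the `fields` parameter and those that must be projected client-side."""
    server, local = [], []
    for f in requested:
        (local if f.startswith(LIST_TYPE_PREFIXES) else server).append(f)
    return server, local


def project(doc: Any, path: list[str]) -> list[Any]:
    """Resolve a dotted path with '*' wildcards over nested dicts and lists.
    Lists are fanned out, so a path through a list yields one value per item."""
    if not path:
        return [doc]
    if isinstance(doc, list):
        return [v for item in doc for v in project(item, path)]
    if not isinstance(doc, dict):
        return []
    key, rest = path[0], path[1:]
    children = doc.values() if key == "*" else ([doc[key]] if key in doc else [])
    return [v for child in children for v in project(child, rest)]


def local_fields(session: dict, fields: list[str]) -> dict[str, list[Any]]:
    """Project every client-side field path against one session document."""
    return {f: project(session, f.split(".")) for f in fields}
```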

Search-based subchapters present some data as missing, regardless of their actual status.

When trying to create a report with subchapters that include the fields listed below, n/a will be presented in the report for these fields, even if data is stored in the database for those fields.

Known affected fields:

  • Reviewed user id

  • Reviewed user name

  • Reviewed domain name

  • Reviewed user display name

  • Reviewed client ip address

  • Reviewed comment

  • Reviewed timestamp

  • Approved user id

  • Approved user name

  • Approved domain name

  • Approved user display name

  • Approved client ip address

  • Approved comment

  • Approved timestamp

Caution:

After upgrading to version 7.0 LTS, SPS requires a new license. To avoid possible downtimes due to certain features not being available, before starting the upgrade, ensure that you have a valid SPS license for 7.0 LTS.

Upgrade as follows:

  1. Perform the upgrade to 7.0 LTS with your current license.

  2. Update your SPS license to 7.0 LTS.

For a new SPS license for 7.0 LTS, contact our Licensing Team.

TLS version 1.3 is not supported when using the inWebo, Okta or One Identity Starling 2FA plugins. To ensure that TLS 1.2 is used by SPS during negotiation, specify the minimum and maximum TLS version as follows:

  • For the minimum TLS version, select TLS version 1.2.

  • For the maximum TLS version, select TLS version 1.3.

For more information, see "Verifying certificates with Certificate Authorities using trust stores" in the Administration Guide.

The accuracy of replaying audit trails in Asian languages (Traditional Chinese, Korean) has been enhanced. Due to this change, when upgrading SPS to version 6.11.0, all your sessions will be reindexed, and while reindexing is in progress, your sessions on the Search interface are incomplete. For this reason, plan your upgrade to SPS 6.11.0 accordingly.

Report generation may fail if a report subchapter references a connection policy that has been deleted previously.

SPS can create reports giving detailed information about connections of every connection policy. For this, the user can add connection subchapters in the Report Configuration Wizard, under Reporting > Create & Manage Reports.

For successful report generation, the referenced connection policy must exist on the appliance. However, when deleting a connection policy that is referenced by a connection subchapter, the user is not warned that the report subchapter must also be removed; otherwise, subsequent report generation fails.

This affects scheduled report generation as well.

Table 4: General known issues

Issue ID PAM-16883: External indexer disconnected due to certificates expiry.

You are only affected by this issue if you have enabled external indexing while running SPS version 6.0.4 or 6.4.0 or later, where the external indexer certificates were created with a limit of 800 days.

To resolve this issue, see External indexer disconnected due to certificates expiry (4368875) (oneidentity.com).

System requirements

Before installing SPS 7.3.1, ensure that your system meets the following minimum hardware and software requirements.

The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.

For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents:

NOTE: When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. Please consult One Identity's Product Support Policies for more information on environment virtualization.
