Release Notes 10.x - 19.x
19.2
PrivX 19.2 addresses some of the issues found in previous versions.
Improvements and bug fixes
- [PX-4295] Smart card authentication does not work. No smart card icon is shown on Windows Server 2016 logon screen
- [PX-4341] Requests to /status endpoint in proxies/mitms may cause unnecessary extender / carrier / web-proxy related calls
- [PX-4349] Document max_instances config variable in extender / carrier / web-proxy toml templates
- [PX-4396] Refresh-verify cookie does not have expire time
19.1
19.1 is a maintenance release over 19.0.
- [PX-4144] RoleContext role blocked incorrectly
- Security fixes
19.0
Deprecation warnings
CentOS 8 support will be terminated once the operating system reaches end of life (around December 2021). PrivX support will continue normally on other supported platforms.
18.0
Important Notes
Workaround for Legacy Certificates
If your existing PrivX installation has been integrated to systems that use legacy X.509 certificates (certificate CN equals FQDN, and does not contain a Subject-Alt-Name extension), then follow these steps when upgrading to PrivX 18:
Install PrivX-18 RPM without automatic postinstall:
# SKIP_POSTINSTALL=1 yum install PrivX-18.0-....
Enable legacy-x509-certificate support:
# echo "GODEBUG=x509ignoreCN=0" >> /opt/privx/scripts/local-env
Run postinstall manually:
# /opt/privx/scripts/postinstall.sh
Update your legacy certificates as soon as possible! This workaround for supporting legacy X.509 certificates is temporary and not guaranteed to be available in future releases.
License Upgrade for Future Upgrade Support
If your initial PrivX deployment started with version 15 or earlier, it is likely running with a Nalpeiron license, which will be unsupported in future PrivX releases. To enable upgrading to future PrivX versions, request and set up a new license according to Converting to New License Format.
Upgrading to the Latest Version
- Upgrading to this version is supported from three previous major versions (17.x, 16.x, 15.x)
- If you are planning to upgrade from an older version, please contact support.
Supported Releases
We produce security and stability fixes for the three latest major releases (18.x, 17.x, 16.x).
New Features
- [PX-2336] VNC protocol support
- Graphical VNC connections via PrivX GUI
- Video playback for VNC session recordings
- Note: Requires SSH service for tunneling. For more information about setting up VNC connection targets, see Setting up Hosts
- [PX-2496] Licensed host count changes, disabling unlicensed hosts
- [PX-3112] SOCKS and http proxy support for SSH Bastion
- When paired with public-key authentication, connections via SSH Bastion can be automatically authenticated against PrivX. For more information about SSH-Bastion connections via ProxyCommand, see SSH Connections with Native Clients
- [PX-3219] Additional settings configurable via the PrivX GUI, under Administration→Settings
- [PX-3351] Customizable SSH certificate template support for PrivX. Allows GitLab and GitHub certificate authentication via PrivX.
- [PX-3534] Support static IP addresses for PrivX license backend
- [PX-3619] Role request search
- [PX-3628] Restart PrivX from GUI, under Administration→Settings
- [PX-3663] Support for OAuth2 server endpoint for fetching PrivX access tokens
- [PX-3670] Support for SCIM server directory type for importing users and hosts
- [PX-3702] Support for initialization and availability status in file transfer
- [PX-3721] Create directory, file & directory rename, and file & directory move support
- [PX-3734] Paste on right click in SSH
- [PX-3748] Support display_path in addition to path in file transfer LS command
- [PX-3761] Allow host/subnet specific SFTP protocol version override
Improvements
- [PX-2521] License max hosts & max audited hosts enforcing in proxies and Bastions
- [PX-2742] LDAP-rule error should also describe the role name as well as offending rule
- [PX-2853] user-store: listen at a different port than 8084 due to omsagent Network Performance Monitoring (npm) solution
- [PX-3387] Include PrivX EULA in all binary packages
- [PX-3392] Add SSH Terms and Conditions/Service agreements to all PrivX components
- [PX-3393] Pre-fill default username on PrivX login page
- [PX-3428] Added TLS 1.3 support for PrivX web connectivity
- [PX-3441] Audit events for hosts do not show the modifications for the host
- [PX-3473] Audit events do not show who approved the request
- [PX-3474] Approved workflow requests disappear from other approvers
- [PX-3551] Service env variables must survive upgrades
- [PX-3616] Keywords search to access requests
- [PX-3679] GUI for host disabling/enabling
- [PX-3689] Additional fields to audit events
- [PX-3727] Log host tags to audit events
- [PX-3860] Support for container machine ids for PrivX licenses
Bug Fixes
- [PX-1980] Most audit events are missing username information
- [PX-2085] Cannot follow symlinks with PrivX SFTP client
- [PX-2665] Cannot reuse service address before host is deleted permanently from the database
- [PX-3269] Role comments are shown to all users on home page.
- [PX-3328] Create Vault API wrong response
- [PX-3456] RDP session with native client through PrivX drops, inconsistent with other RDP scenarios
- [PX-3581] deploy.py --clean and --show-config return exit code 1
- [PX-3583] Disabling a directory doesn't delete the hosts
- [PX-3586] Too long service address or foreign-key violation results in duplicate service address error
- [PX-3588] RDP resizing: connection reconnected without resizing browser
- [PX-3631] SSH proxy does not show banner messages
- [PX-3637] Multipart/form-data logins for web service will fail, if password field name is defined in web service config
- [PX-3638] Fix excludeMultiplePermissions()
- [PX-3642] Duplicate entries in host store blocking connections to both hosts
- [PX-3643] Webpage rendering issue when moving from full screen RDP session to PrivX homepage
- [PX-3653] SSH cert auth failing for personal account when mapped to multiple roles
- [PX-3656] timeout_when_no_connmgr is in minutes (not seconds)
- [PX-3678] ssh-mitm must not forward hostkeys-00@openssh.com global requests
- [PX-3699] Extender status not displayed under Service Status
- [PX-3700] LTS11 to LTS17 upgrade: directory setting not moved
- [PX-3701] RHEL8 missing local-env placeholder file
- [PX-3704] login-rate-limit: too_many_attempts error code is not shown when exceeding burst_size_limit
- [PX-3707] Optional components not displayed in the GUI
- [PX-3709] rdp-proxy panics if DPI params not received
- [PX-3714] SSH Bastion: publickey client authenticated connections fail when target connection uses keyboard-interactive auth with stored passphrase
- [PX-3720] Creating directories with the RDP file transfer API makes directories that are not possible to upload to
- [PX-3733] rdp-proxy: file transfer API command "MV" does not work correctly
- [PX-3735] Upgrade failed on migration-tool
- [PX-3737] SSH Bastion: tunnel file transfer API request path validation is too strict
- [PX-3738] ssh-proxy: file transfer API request path validation is too strict
- [PX-3740] Skip connectivity test for VNC connections and allow extender connections via SSH tunnel
- [PX-3743] Data copied to clipboard in PrivX UI is stored into connection's audit trail
- [PX-3746] SFTP protocol version 4 is broken
- [PX-3799] Increase allowed maximum values for some settings properties
- [PX-3810] Old /help is still defined in nginx conf
- [PX-3811] nginx conf for status and robots.txt are incorrect
- [PX-3812] Secret editor field font should not default to monospace when using custom schemas
- [PX-3813] Host modified-event does not unescape services when showing diff
- [PX-3814] Nginx conf issues
- [PX-3819] license-manager might panic on license deactivation/activation
- [PX-3821] Prefilled username in login is wiped after failed login
- [PX-3824] License invalidation / host disabling does not cut ongoing connections
- [PX-3826] Connection-authenticated (301) event not consistent
- [PX-3839] HSTS header validity period fixes
- [PX-3841] License refresh and analytics enable/disable fails in one instance in HA env after license has been deactivated
- [PX-3868] Increased RDP file transfer buffer to 2 MB for compatibility
- [PX-3874] Fixed LDAP library panic after badly timed socket close
- [PX-3878] Connection manager panic during shutdown
Known Issues
[PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
[PX-1711] - RDP fails to connect to target in maintenance mode, need support for /admin flag
[PX-1835] - Extender/Carrier/WebProxy configs are not migrated on upgrade
NOTE: In case of manual changes in the extra component .toml files:
- Before upgrading, please copy the .toml files to another folder.
- After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
[PX-1875] - Web proxy login does not work, if login page does requests to multiple domains
[PX-2947] - No sound when viewing recorded rdp-mitm connection.
[PX-3086] - PrivX role mapping to AD OU not working as expected.
[PX-3183] - Belgian French keyboard layout change does not work in web and xrdp connections
[PX-3529] Wrong CA key is copied on the host when running the deployment script using extender
17.1
This is an incremental release over 17.0.
Excluding issues related to PX-3707 (Optional components not displayed in the GUI), the Important Notes and Known Issues from 17.0 also apply to this release.
Bug Fixes
- [PX-3699] Extender status not displayed under Service Status
- [PX-3707] Optional components not displayed in the GUI
- [PX-3714] SSH Bastion: public-key client authenticated connections fail when target connection uses keyboard-interactive authentication with stored passphrase.
17.0
Important Notes
New Streamlined HA Upgrades
Keyvault config files are now automatically synchronized between PrivX servers and do not need to be copied manually. For more information about HA upgrades, see High-Availability Deployment: Upgrade.
Workaround for Legacy Certificates
If your existing PrivX installation has been integrated to systems that use legacy X.509 certificates (certificate CN equals FQDN, and does not contain a Subject-Alt-Name extension), then follow these steps when upgrading to PrivX 17:
Install PrivX-17 RPM without automatic postinstall:
# SKIP_POSTINSTALL=1 yum install PrivX-17.0-....
Enable legacy-x509-certificate support:
# echo "GODEBUG=x509ignoreCN=0" >> /opt/privx/scripts/local-env
Run postinstall manually:
# /opt/privx/scripts/postinstall.sh
Update your legacy certificates as soon as possible! This workaround for supporting legacy X.509 certificates is temporary and not guaranteed to be available in future releases.
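The workaround above (and the identical one in the PrivX 18 notes) is only needed when the certificates PrivX is integrated with identify the host solely through the Subject CN; Go's TLS stack, which the GODEBUG=x509ignoreCN=0 knob belongs to, no longer falls back to the CN when a certificate has no Subject Alternative Name extension. The following shell check is an added example, not part of the PrivX release notes or of SSH.COM's tooling; it assumes the openssl command-line tool is installed and reports, for each PEM certificate, whether it carries a SAN extension. The two self-signed certificates it can generate are constructed test data for demonstration only.

```shell
#!/bin/sh
# Added example (not from the PrivX release notes): find "legacy" X.509
# certificates, i.e. certificates whose only host identity is the Subject CN.
# Assumes the openssl CLI is available on PATH.

# has_san CERT.pem -> exit 0 if a Subject Alternative Name extension is
# present, 1 if the certificate has none, 2 if the file is not a parseable
# certificate (e.g. a private key or a truncated file).
has_san() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$text" | grep -q 'X509v3 Subject Alternative Name' && return 0
    return 1
}

# classify CERT.pem -> prints "ok" (has SAN), "legacy" (CN only, the
# GODEBUG workaround would be needed) or "unreadable"; always exits 0 so it
# is safe to call under set -e.
classify() {
    rc=0
    has_san "$1" || rc=$?
    case $rc in
        0) echo "ok" ;;
        1) echo "legacy" ;;
        *) echo "unreadable" ;;
    esac
}

# make_test_certs DIR -> writes two constructed self-signed certificates:
# legacy.pem (CN only, no SAN) and modern.pem (same CN plus a DNS SAN).
# The hostname privx.example.test is a placeholder, not a real system.
make_test_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=privx.example.test" \
        -keyout "$dir/legacy.key" -out "$dir/legacy.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=privx.example.test" \
        -addext "subjectAltName=DNS:privx.example.test" \
        -keyout "$dir/modern.key" -out "$dir/modern.pem" 2>/dev/null
}

# When run directly, classify every certificate file given on the command
# line, e.g.:  sh check_san.sh /etc/pki/tls/certs/*.pem
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(classify "$f")"
    done
fi
```

Run it over the certificate bundle of every system PrivX talks to before upgrading; any file reported as "legacy" should be reissued with a SAN rather than relying on the temporary GODEBUG setting.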
License Upgrade for Future Upgrade Support
If your initial PrivX deployment started with version 15 or earlier, it is likely running with a Nalpeiron license, which will be obsoleted in a future PrivX release. To enable upgrading to future PrivX versions, request and set up a new license according to Converting to New License Format.
Reset Custom Disclaimers
Custom disclaimers are reset during upgrade. You should back up your custom disclaimers before upgrade, then recreate them after upgrade. For more information about setting custom disclaimers, see Custom Disclaimers.
Automatic Removal of Duplicate Services
Previous versions allowed entering duplicate host-service addresses, which were not supported and may have resulted in undefined behavior. When upgrading to this version, duplicates are automatically removed. For details about any removed services, check the installation logs.
Optional components not displayed in the GUI (updated on Mar. 8th, 2021)
Optional components (PrivX Extender, PrivX Carrier and PrivX Web Proxy) are not visible in the PrivX admin UI status page. The issue will be fixed in the PrivX 17.1 point release.
Upgrading to the Latest Version
- Upgrading to this version is supported from three previous major versions (16.x, 15.x, 14.x)
- If you are planning to upgrade from an older version, please contact support.
Supported Releases
We produce security and stability fixes for the three latest major releases (17.x, 16.x, 15.x).
New Features
- [PX-1694] - Deployment script will notify user, if OpenSSH version is too old. New configuration flags for deploy script.
- [PX-2311] - Allow filtering users on OIDC source level
- [PX-3217] - Administer PrivX settings via WebUI (rolestore, hoststore, monitor and trailindex)
- [PX-3337] - Possibility to remove old connection metadata.
- [PX-3350] - Filter for connections with access roles
- [PX-3357] - Change default behavior to open connection in a new tab
- [PX-3424] - Renaming of navigation items on WebUI
- [PX-3479] - Copy on select in SSH terminal.
- [PX-3540] - Support for ctrl-shift-c and ctrl-shift-v in the SSH web client.
- [PX-3492] - Synchronized clipboard support for web RDP on Chrome and Edge browsers.
Bug Fixes
- [PX-1230] - When AWS role federation is enabled, description is shown instead of name in PrivX
- [PX-1903] - User and audit event searching: Inconsistent behavior with special offset and limit values
- [PX-2094] - Services handle search params in a non-consistent way
- [PX-2163] - 'PrivX Configuration' host setting is not enforced
- [PX-2946] - Multiple directories scanning the same cloud hosts update the same hosts in db
- [PX-2948] - Race condition in host-store service uniqueness check
- [PX-2992] - Backend accepts negative values for floating time in direct role assignment
- [PX-3033] - Allow HA upgrade without copying config files between HA nodes
- [PX-3071] - Keydown gets stuck for web carrier connections
- [PX-3242] - Use (dn= instead of (cn= in superuser default and documentation
- [PX-3251] - Housekeeping for workflow_roles table
- [PX-3290] - Add a permission for granting access roles to audited connection
- [PX-3311] - Web login does not fill credentials on HP iLO 4 or Dell iDRAC environments. See Carrier config file for details.
- [PX-3316] - services read config files in wrong order
- [PX-3317] - services missing db related attributes in service-specific tomls
- [PX-3325] - Role permission error with two user directories
- [PX-3332] - Add "View" menu items to hamburger menus where items have detail pages.
- [PX-3339] - Guacd segfault after resizing browser multiple times
- [PX-3340] - Change "extender" to "web access gateway" for consistency.
- [PX-3346] - Remove HostServices cache and enforce service address uniqueness at db level
- [PX-3349] - Hyphen (-) is not allowed in api client name
- [PX-3372] - Access roles for transcript search
- [PX-3375] - Audit events do not log year or node info to timestamps
- [PX-3382] - Caching: creating and getting resources immediately sometimes return 404 not found
- [PX-3413] - Correct spelling of "log in" when used as a verb
- [PX-3414] - authorizer / connection manager: enhanced auditevents and connection metadata w.r.t principal key authentication
- [PX-3420] - privx-agent-ctl does not show directory username in target selection list
- [PX-3433] - New command line options for deploy script
- [PX-3437] - Generating keyvaults keys cannot handle some special characters in init_db.sh script
- [PX-3442] - Misleading error is returned if API client does not have valid permissions for ops
- [PX-3444] - Role-store returns non-existing users in role member listing
- [PX-3445] - Show all connections with access roles
- [PX-3451] - Search by deleted access role responds with result(s).
- [PX-3453] - Add some username length validations for hosts
- [PX-3460] - initial_install.sh does not check value of env var PRIVX_DISABLE_SELINUX
- [PX-3466] - Connection search as service returns invalid results
- [PX-3472] - Disclaimer JSON is not validated
- [PX-3485] - Wrong Native Client Address is shown to customer
- [PX-3501] - Caching issue: search returns count of 50 when there are 52 entries in the database
- [PX-3513] - Clipboard download for web connections doesn't work
- [PX-3523] - Settings: invalid scope in URL does not result in some forms of 4xx error
- [PX-3526] - Updating a user with a duplicate tag is possible.
- [PX-3528] - LDAP default user filter does not work
- [PX-3536] - Service-starting event missing for settings service
- [PX-3542] - API: wrong permission enums used in API tests
- [PX-3547] - Carrier web sockets: Firefox certstore does not accept all certificates in the bundle
- [PX-3567] - License manager: panic found in system test
- [PX-3571] - RDP/Web windows resize: resizing is not triggered when PrivX browser is resized during RDP/Web connection initialization
- [PX-3572] - Some available RDP keymaps are missing from the UI
- [PX-3573] - License manager: set_license.sh no longer works out of the box
- [PX-3576] - access-role-revoked audit event is triggered without any real temporary access being revoked
- [PX-3584] - Firewall commands are not run in postinstall if SELINUX is disabled
- [PX-2665] - Cannot reuse the service address of a deleted host until its hosts_deleted_age has elapsed.
Improvements
- [PX-2334] - Simplified certificate login allowing roles to be created for accessing hosts without reconfiguring target hosts. This is an alternate way of configuring hosts.
- [PX-3026] - API documentation improvements
- [PX-3446] - Officially support Amazon Linux
- [PX-3505] - Allow filtering out AWS roles by name
- [PX-3516] - Add external ID support for assume-role requests for additional security
- [PX-3525] - Allow fetching assume-role temporary credentials for roles on other AWS accounts
- [PX-3530] - Allow fetching temporary AWS API tokens via API clients
- [PX-3532] - Common env variable file for services
- [PX-3641] - Remove duplicate host-service addresses on install.
Known issues
[PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
[PX-1711] - RDP fails to connect to target in maintenance mode, need support for /admin flag
[PX-1835] - Extender/Carrier/WebProxy configs are not migrated on upgrade
NOTE: In case of manual changes in the extra component .toml files:
- Before upgrading, please copy the .toml files to another folder.
- After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
[PX-1875] - Web proxy login does not work, if login page does requests to multiple domains
[PX-1980] - Several audit events are missing username information.
[PX-2947] - No sound when viewing recorded rdp-mitm connection.
[PX-3086] - PrivX role mapping to AD OU not working as expected.
[PX-3183] - Belgian French keyboard layout change does not work in web and xrdp connections
[PX-3529] Wrong CA key is copied on the host when running the deployment script using extender
[PX-3637] - Multipart/form-data logins for web service will fail, if password field name is defined in web service config
[PX-3707] - Optional components not displayed in the GUI
16.1
2020-12-08
Bug fixes and improvements
- Bug fix for fetching cloud metadata with license
16.0
2020-11-24
Important notes for this release
Version 16 introduces a fix for Extenders in HA deployments where the load-balancer IP address is dynamic. If you run such an environment, you will need to update your Extenders' configurations and certificates. To do this, perform the following after the regular upgrade steps:
- Set privx_public_ip_address = "" in /opt/privx/etc/shared-config.toml and restart PrivX:
# systemctl restart privx
- Unregister your Extenders.
- Re-obtain certificates by running the following on your Extenders:
# /opt/privx/scripts/extender-postinstall.sh --request-cert
- Re-download Extender configurations to your Extenders.
- Apply changes by restarting Extender services:
# systemctl restart privx-extender
If you are performing a fresh install while having a license from prior to this release, you will need to request a new license from licensing@ssh.com
New features
- [PX-273] - Ephemeral private key rotation for SSH
- [PX-1697] - Allow using AWS role ARN to scan hosts on other AWS accounts
- [PX-2027] - Support principal key import for roles
- [PX-2714] - Connection duration to connection-closed event
- [PX-2722] - Authentication to PrivX via SSH Bastion using public key
- [PX-2731] - Allow access to connections using access roles
- [PX-3182] - Allow defining web host specific domain restrictions for web access
- [PX-3194] - Add advanced search helper description to search fields.
- [PX-3224] - Disclaimer improvements
Bug fixes and improvements
- [PX-2909] - Override SSH algorithms per target host or pattern
- [PX-2912] - Add the license backend address to the license page
- [PX-2965] - Fixed connection-manager status check for RDP Bastion playback
- [PX-2994] - Support dynamic ELB endpoint: shared-config.privx_public_ip_address can not be set to a reasonable value with ELB
- [PX-3147] - Show host comments on connections page
- [PX-3177] - Default disclaimer example in shared-config.toml is invalid
- [PX-3179] - If host scanning or tag import is disabled, hosts deployed with deploy script don't have any names
- [PX-3180] - Focus can go to login form despite popup disclaimer
- [PX-3185] - Remove extra event attribute on connection page search results
- [PX-3191] - Contextual role restrictions do not work for API clients
- [PX-3199] - Race condition in SSH Bastion channel close
- [PX-3232] - Unused cache configs on rolestore.toml
- [PX-3233] - Auth service should use unified audit event keys
- [PX-3234] - RDP file upload fails if 'Overwrite existing files' is checked and file does not exist on target
- [PX-3257] - Panic in host-store house-keeping
- [PX-3264] - Race condition in auth service startup
- [PX-3266] - Expose API clients as role-store users
- [PX-3274] - Prevent granting access role to connection for already granted roles
- [PX-3280] - The PrivX UI / help documents get indexed by crawlers
- [PX-3291] - API clients are not allowed to access workflow engine APIs
- [PX-3301] - Google GSuite is nowadays Google Workspace
- [PX-3302] - trail-index: crash when attempting playback for trail with missing files
- [PX-3306] - Fix data validations for workflow-engine requests
- [PX-3315] - Workflow : add role through API but system marks the role added as ROLE REMOVED
- [PX-3318] - Notification mechanism does not work well with local caches
- [PX-3329] - PrivX web proxy does not support text/x-gwt-rpc content type
- [PX-3353] - Fixed installation and backup restore issue for PostgreSQL 11. Added support for PostgreSQL 13.
- [PX-3354] - Allow sending keycodes via menu for RDP/web containers
- [PX-3356] - Forwarded connection failed where it is expected to succeed
- [PX-3365] - Prevent Extender name and routing prefix namespace clashes when modifying or unregistering Extender.
Note: For existing deployments, ensure your Extenders and routing prefixes have unique names.
- [PX-3368] - Directory login is attempted even if directory has been disabled
- [PX-3370] - Prevent superuser creating trusted clients with too broad permissions
- Security fixes
Known issues
- [PX-1230] - When AWS role federation is enabled, description is shown instead of name in PrivX
- Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
- [PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
Workaround: To correct SELinux context, use cp to copy the principals_command.sh to correct location:
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [PX-1711] - RDP fails to connect to target in maintenance mode, need support for /admin flag
- [PX-1835] - Extender/Carrier/WebProxy configs are not migrated on upgrade
NOTE: In case of manual changes in the extra component .toml files:
Before upgrading, please copy the .toml files to another folder.
After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
- [PX-1875] - Web proxy login does not work, if login page does requests to multiple domains
- [PX-1980] - Several audit events are missing username information.
- [PX-2665] - Cannot reuse the service address of a deleted host until its hosts_deleted_age has elapsed.
- [PX-2947] - No sound when viewing recorded rdp-mitm connection.
- [PX-3086] - PrivX role mapping to AD OU not working as expected.
- [PX-3183] - Belgian French keyboard layout change does not work in web and xrdp connections
15.1
2020-11-24
PrivX 15.1 is an incremental release over the previous version 15.0, introducing security and stability fixes.
15.0
2020-10-01
Important notes for this release
For fresh installations of PrivX version 15 and later, the default audit-event and trail-retention time has been changed to 180 days (used to be unlimited).
Upgrading to this version from 12.x may take longer due to the new microservices and migrations introduced in this release. Depending on the size of your deployment, the postinstall step may take up to tens of minutes longer than usual.
New features
- [PX-1238] - Feature to sort/search hosts by status (running, stopped..)
- [PX-2693] - Roles for API clients
- [PX-2729] - Restrict role requests with a role permission
- [PX-2730] - License-manager statistics collector (disabled by default)
- [PX-2986] - Inform user that sessions will/might be recorded
- [PX-3005] - Option for showing disclaimer messages for PrivX users at login
- [PX-3085] - Saved searches UI
- [PX-3120] - Better indication for when you try to add an invalid role
- [PX-3122] - Improve tolerance to broken role rule trees
- [PX-3125] - Less intrusive style for find box in terminal
- [PX-3128] - RDP clipboard style refinements
- [PX-3129] - Support shift-enter to search backwards in terminal
- [PX-3134] - Implicit pick on blur
- [PX-3136] - Auto complete tag with 0 chars
- [PX-3139] - More robust UI if service options are missing for a service
- [PX-3142] - Filter roles only if they don't have a principal key - not based on name
- [PX-3156] - Don't use tag auto complete if user doesn't have permissions
Bug fixes and improvements
- [PX-2349] - privx-admin and privx-user roles don't have public keys
- [PX-2626] - Email notification is not sent for the user when access request is created on behalf of another user
- [PX-2740] - connection-manager: terminating SSH connection triggers trail-open-failed event
- [PX-2966] - Error when editing scanned hosts
- [PX-2968] - approvals tab to show all the processed records regardless of role restriction
- [PX-2971] - Reduce microservice I/O causing TIME_WAIT sockets
- [PX-3001] - go routine leak in directory and host scan and in cloud events lib
- [PX-3002] - Azure event logger is broken
- [PX-3006] - Browser text search on PrivX SSH terminal does not work
- [PX-3007] - Web Proxy does not support sites using Authorization: Basic header on regular login page
- [PX-3011] - monitor-service sql query for getting/deleting components is unnecessarily complex
- [PX-3012] - monitor-service status endpoint has a race condition related to system stats
- [PX-3038] - Carrier browser container firefox version is always the latest available
- [PX-3044] - Workflow-engine crashes when creating role with name longer than 128 characters
- [PX-3050] - Using LDAP directory type for Active Directory causes "User not found" errors
- [PX-3053] - workflow-engine: gomail lib is forcing the username to be an email address
- [PX-3066] - deploy.py does not set file permissions correctly with non-default umask
- [PX-3067] - Incorrect version table name for license manager
- [PX-3069] - workflow-engine: approvals tab lists requests incorrectly
- [PX-3072] - tags search is not case insensitive
- [PX-3081] - license-manager crash on entering license key
- [PX-3090] - deploy.py, sys.stdin.encoding returns None on some envs
- [PX-3107] - role-store: floating role activation may drop other explicit roles from the user
- [PX-3123] - Userstore upgrade does not set all fields when creating roles. Rolestore does not force IPMask validity
- [PX-3127] - workflow-engine - When user is not allowed to view the request the error code should be 403
- [PX-3130] - Cannot create host with API client
- [PX-3131] - Role created from api client does not have public key
- [PX-3138] - rdp-proxy and ssh-proxy playback endpoints should require privx-user permission
- [PX-3149] - privx-agent: nohup not working as expected
- [PX-3150] - UI: "Overwrite existing files" option allows multiple concurrent uploads of the same file
- [PX-3154] - rdp-proxy: playback crash when attempting playback for trail with missing files
- [PX-3158] - Crash when logging out on workflow page
- [PX-3159] - Can't create log collector
- [PX-3161] - Work-around for stuck keys in RDP / Web sessions
- [PX-3175] - Create proper indexes to audit_event table
- [PX-3178] - Connection manager does not handle empty keywords in connection search
Known issues
[PX-1230] - When AWS role federation is enabled, description is shown instead of name in PrivX
Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
[PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
Workaround: To correct SELinux context, use cp to copy the principals_command.sh to correct location:
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
[PX-1711] - RDP fails to connect to target in maintenance mode, need support for /admin flag
[PX-1835] - Extender/Carrier/WebProxy configs are not migrated on upgrade
NOTE: In case of manual changes in the extra component .toml files:
Before upgrading, please copy the .toml files to another folder.
After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
[PX-1875] - Web proxy login does not work, if login page does requests to multiple domains
[PX-1980] - Several audit events are missing username information.
[PX-2665] - Cannot reuse the service address of a deleted host until its hosts_deleted_age has elapsed.
[PX-2738] - privx-on-aws deployment fails, if one stack already exists
[PX-3086] - PrivX role mapping to AD OU not working as expected.
[PX-3183] - Belgian French keyboard layout change does not work in web and xrdp connections
14.3
2020-11-24
PrivX 14.3 is an incremental release over the previous version 14.2, introducing security and stability fixes.
14.2
2020-09-25
PrivX 14.2 is an incremental release over the previous version 14.1.
Important upgrade notes
Upgrading from a version older than 13.0 is now faster. Version 13.0 contains a database change that is now working more efficiently.
Improvements:
- [3169] Audit event migration more efficient
Known issues
- [1230] When AWS role federation is enabled, description is shown instead of name in PrivX
Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
- [1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
Workaround: To correct SELinux context, use cp to copy the principals_command.sh to correct location:
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
NOTE: In case of manual changes in the extra component .toml files:
Before upgrading, please copy the .toml files to another folder.
After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
- [1875] Web proxy login does not work, if login page does requests to multiple domains
- [1980] Several audit events are missing username information.
- [2665] Cannot reuse the service address of a deleted host until its hosts_deleted_age has elapsed.
14.1
2020-08-03
PrivX 14.1 is an incremental release over the previous version 14.0, featuring security and stability fixes.
Important upgrade notes
Upgrading to this version from 12.x or earlier may take longer due to the new microservices and migrations introduced in this release. Depending on the size of your deployment, the postinstall step may take up to tens of minutes longer than usual.
Notable fixes and improvements
- [2991] Security and stability fixes incoming in go 1.14.5
- [2999] Japanese charsets not supported properly on web container
- [3000] Admin cannot grant API client access-groups-manage permission
- [3010] Monitor-service housekeeping leaks prepared statements
- [3013] Host-store host health check may leak go-routines
- [3016] Clean up db queries in host-store host health check
- [3018] Duplicate Extender or Carrier registration will clear routing prefix table for the carrier name on registration rejection
- [3020] Cannot create Google GSuite user dir
Known issues
- [1230] When AWS role federation is enabled, description is shown instead of name in PrivX
Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates the correct names with the AWS roles.
- [1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
Workaround: To get the correct SELinux context, copy principals_command.sh into place with cp (not mv, which would keep the label the file received in /tmp):
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
NOTE: In case of manual changes in the extra component .toml files:
Before upgrading, please copy the .toml files to another folder.
After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
- [1875] Web proxy login does not work, if login page does requests to multiple domains
- [1980] Several audit events are missing username information.
- [2665] Cannot reuse the service address of a deleted host until its hosts_deleted_age has elapsed.
14.0
2020-06-29
Important upgrade notes
Upgrading to this version from 12.x or earlier may take longer due to the new microservices and migrations introduced in this release. Depending on the size of your deployment, the postinstall step may take up to tens of minutes longer than usual.
New features
- [1683] - Access groups to enable segregating and delegating host administration
- [2518] - Secret Data Vault
- [2649] - Support for Thales Vormetric DSM
- [2782] - High-Availability configuration for extender/carrier
- [2833] - Role restrictions time zone improvements
Notable fixes and improvements
- [2733] Invisible PrivX-Agent icon on some Windows 10 instances.
- [2740] Terminating SSH connection triggers trail-open-failed event.
- [2779] - Replace sudo with su on installation scripts
- [2818] Ignore server_mode for SSH transcripts.
- [2836] - Show also the role context limitations with the role listing on the user page
- [2848] - Avoid housekeeping audit events spamming
- [2961] - Azure Active Directory OIDC integration not working after Microsoft changes synchronization
- [2967] Role context restriction enforcement fixes
Known issues
- [1230] When AWS role federation is enabled, description is shown instead of name in PrivX
Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates the correct names with the AWS roles.
- [1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
Workaround: To get the correct SELinux context, copy principals_command.sh into place with cp (not mv, which would keep the label the file received in /tmp):
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
NOTE: In case of manual changes in the extra component .toml files:
Before upgrading, please copy the .toml files to another folder.
After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
- [1875] Web proxy login does not work, if login page does requests to multiple domains
- [1980] Several audit events are missing username information.
- [2665] Cannot reuse the service address of a deleted host until its hosts_deleted_age has elapsed.
13.2
2020-08-05
PrivX 13.2 is an incremental release over the previous version, featuring security and stability fixes.
Important upgrade notes
Upgrading to this version from 12.2 or earlier may take longer due to the new microservices and migrations introduced in this release. Depending on the size of your deployment, the postinstall step may take up to tens of minutes longer than usual.
Notable fixes and improvements
- [3020] Cannot create Google GSuite user dir
- [3029] - Upgrade golang to version 1.14.5
Known issues
- [789] When DB connection fails status.html does not show the reason
- [852] Listing users may time out for directories with more than 100K users
- [1230] When AWS role federation is enabled, description is shown instead of name in PrivX
Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates the correct names with the AWS roles.
- [1325] Instance with host tags is not always visible in PrivX after adding an AWS directory
Workaround: Refresh the AWS directory to detect host-tagged instances.
- [1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
Workaround: To get the correct SELinux context, copy principals_command.sh into place with cp (not mv, which would keep the label the file received in /tmp):
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [1798] Authorizer crash with online license when no internet connectivity
- [1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
NOTE: In case of manual changes in the extra component .toml files:
Before upgrading, please copy the .toml files to another folder.
After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
- [1875] Web proxy login does not work, if login page does requests to multiple domains
- [1980] Several audit events are missing username information.
- [2397] PrivX Agent does not work on RHEL 8 with OpenSSH 7.8p1 due to errors on the OpenSSH side.
- [2626] Email notification is not sent for the user when access request is created on behalf of another user.
- [2665] Cannot reuse the service address of a deleted host until its hosts_deleted_age has elapsed.
- [2675] When there is only one privx-admin user, that user cannot be modified in any way.
- [2733] Invisible PrivX-Agent icon on some Windows 10 instances.
- [2740] Terminating SSH connection triggers trail-open-failed event.
- [2818] Ignore server_mode for SSH transcripts.
13.1
2020-05-25
Important upgrade notes
Upgrading to this version from 12.x or earlier may take longer due to the new microservices and migrations introduced in this release. Depending on the size of your deployment, the postinstall step may take up to tens of minutes longer than usual.
Notable fixes and improvements
- [2835] Allow managing roles outside their context restrictions, without triggering warnings.
- [2846] Upgrade no longer resets external user mapping, client-certificate configurations, group filters, nor host-filter tags.
Known issues
- [789] When DB connection fails status.html does not show the reason
- [852] Listing users may time out for directories with more than 100K users
- [1230] When AWS role federation is enabled, description is shown instead of name in PrivX
Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates the correct names with the AWS roles.
- [1325] Instance with host tags is not always visible in PrivX after adding an AWS directory
Workaround: Refresh the AWS directory to detect host-tagged instances.
- [1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
Workaround: To get the correct SELinux context, copy principals_command.sh into place with cp (not mv, which would keep the label the file received in /tmp):
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [1798] Authorizer crash with online license when no internet connectivity
- [1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
NOTE: In case of manual changes in the extra component .toml files:
Before upgrading, please copy the .toml files to another folder.
After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
- [1875] Web proxy login does not work, if login page does requests to multiple domains
- [1980] Several audit events are missing username information.
- [2397] PrivX Agent does not work on RHEL 8 with OpenSSH 7.8p1 due to errors on the OpenSSH side.
- [2626] Email notification is not sent for the user when access request is created on behalf of another user.
- [2665] Cannot reuse the service address of a deleted host until its hosts_deleted_age has elapsed.
- [2675] When there is only one privx-admin user, that user cannot be modified in any way.
- [2733] Invisible PrivX-Agent icon on some Windows 10 instances.
- [2740] Terminating SSH connection triggers trail-open-failed event.
- [2818] Ignore server_mode for SSH transcripts.
13.0
2020-05-07
Important upgrade notes
Upgrading to this version may take longer due to the new microservices and migrations introduced in this release. Depending on the size of your deployment, the postinstall step may take up to tens of minutes longer than usual.
New features
- [13] Context-based roles, allowing you to restrict the validity of a role by weekday, time, and client IP.
- [1960] User-defined accounts: Allow users to freely specify the target-account name.
- [2414] Support for nCipher nShield as a HSM provider.
- [2487] Allow defining LDAP TLS trust anchors per directory.
- [2550] Allow users and API clients to view access requests.
- [2555] Support dedicating PrivX servers to front-end and/or back-end roles.
- [2586] Support certificate and public-key authentication on OpenSSH 8.2.
- [2606] Tag support for OpenStack hosts.
- [2674] Ability to specify NTP server during initial setup.
Notable fixes and improvements
- [817] Support ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
- [832] Disallow creating directories with same name and type.
- [836] Correctly warn about missing data in directory settings.
- [946, 1062] Correctly warn when attempting to create a local user or role with duplicate name.
- [989] Option for override prompt when attempting to upload a file with an existing name.
- [1226] Correctly display key and value in User Authentication Failed audit events.
- [1822] Correctly populate fields for AWS login even after changing region.
- [2012] Leading whitespaces in web targets are trimmed and no longer prevent autofill credentials.
- [2066] Correctly calculate non-ascii-password lengths.
- [2172] Postinstall correctly sets file permissions regardless of user’s umask.
- [2288] Search local users using tags.
- [2598] Support secure web sockets in web container on websites using self-signed certificates.
- [2604] SFTP file name with Chinese character does not show properly.
- [2613] SSH, RDP and Web connections can now use ports up to 65535.
- [2618] Fixed local-database setup with external PostgreSQL packages.
- [2620] Audit event for when trails are downloaded.
- [2628, 2753] Correctly report authentication method for stored credentials and password prompt over RDP Bastion.
- [2632] Backup and restore scripts now also back up local postgresql configuration files.
- [2636] Correctly show failure status for microservices where Redis is down.
- [2641] Fixed postinstall failure on RHEL 8 after restoring from backup.
- [2672] Postinstall now checks for failures from previous runs, and offers to clean up the previous installation.
- [2673] Missing PostgreSQL 9.2 data directory no longer fails reinstall.
- [2732] Correctly parse X-Forwarded-For headers set by Azure load balancers with default configuration.
- [2737] Sudden AD outages no longer terminate AD-user sessions with valid cache.
- [2743] After removing an account, the GUI displays correct information for the remaining accounts.
- [2746] With manual connections PrivX will never grant any role-based credentials, even when target servers would accept them.
- [2789] Fixed an issue that prevented components from the same IP being listed on the status page.
- [2790] Support ASCII case-sensitive user names for RDP connections.
- [2800] RDP-Bastion connection stays up after changing the virtual-container display size.
- [2812] Fixed web container not obeying autohide_navibar=false
Known issues in this release
- [789] When DB connection fails status.html does not show the reason
- [852] Listing users may time out for directories with more than 100K users
- [1230] When AWS role federation is enabled, description is shown instead of name in PrivX
Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates the correct names with the AWS roles.
- [1325] Instance with host tags is not always visible in PrivX after adding an AWS directory
Workaround: Refresh the AWS directory to detect host-tagged instances.
- [1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
Workaround: To get the correct SELinux context, copy principals_command.sh into place with cp (not mv, which would keep the label the file received in /tmp):
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [1798] Authorizer crash with online license when no internet connectivity
- [1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
NOTE: In case of manual changes in the extra component .toml files:
Before upgrading, please copy the .toml files to another folder.
After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
- [1875] Web proxy login does not work, if login page does requests to multiple domains
- [1980] Several audit events are missing username information.
- [2397] PrivX Agent does not work on RHEL 8 with OpenSSH 7.8p1 due to errors on the OpenSSH side.
- [2626] Email notification is not sent for the user when access request is created on behalf of another user.
- [2665] Cannot reuse the service address of a deleted host until its hosts_deleted_age has elapsed.
- [2675] When there is only one privx-admin user, that user cannot be modified in any way.
- [2733] Invisible PrivX-Agent icon on some Windows 10 instances.
- [2738] privx-on-aws deployment to same account and region fails if one stack already exists.
- [2740] Terminating SSH connection triggers trail-open-failed event.
- [2818] Ignore server_mode for SSH transcripts.
12.3
2020-08-05
PrivX 12.3 is an incremental release over the previous version, featuring security and stability fixes.
Known issues in this release
- [789] When DB connection fails status.html does not show the reason
- [817] Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
- [852] Listing users may time out for directories with more than 100K users
- [1057] Cannot parse scoped literal IPv6 addresses
- [1230] When AWS role federation is enabled, description is shown instead of name in PrivX
Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates the correct names with the AWS roles.
- [1240] Set proper ownership and permissions for /var/privx
- [1325] Instance with host tags is not always visible in PrivX after adding an AWS directory
Workaround: Refresh the AWS directory to detect host-tagged instances.
- [1342] privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
- [1502] postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
- [1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
Workaround: To get the correct SELinux context, copy principals_command.sh into place with cp (not mv, which would keep the label the file received in /tmp):
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [1798] Authorizer crash with online license when no internet connectivity
- [1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
NOTE: In case of manual changes in the extra component .toml files:
Before upgrading, please copy the .toml files to another folder.
After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
- [1875] Web proxy login does not work, if login page does requests to multiple domains
- [1980] HOST-STORE audit events are missing username information.
- [2397] PrivX Agent does not work on RHEL 8 with OpenSSH 7.8p1 due to errors on the OpenSSH side.
- [2544] In some cases initial post install may fail because Nginx cannot be restarted.
- [2586] Certificate (and possibly public key) authentication does not work against OpenSSH versions 8.2 and later.
12.2
2020-05-12
PrivX 12.2 is an incremental release over the previous version 12.1, featuring security and stability fixes.
Important upgrade notes
If you are upgrading from PrivX version 12.0, you need to manually correct the SELinux context type of the NginX and PostgreSQL certificate files. To do this, run these commands on each PrivX server:
# chcon -t httpd_config_t /etc/nginx/ssl/nginx-internal.*
# chcon -t postgresql_db_t /var/lib/pgsql/data/server.*
After this, we recommend creating new backups before upgrading.
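The two chcon commands above (repeated in the 12.1 notes) relabel the files in place, which is all the upgrade needs, but chcon records nothing in policy: the next restorecon or filesystem relabel sets the files back to whatever the loaded policy says is the default. The script below is an added example, not shipped with PrivX: it reads each file's current type, runs chcon only where the type differs, supports a dry run, and ends by asking matchpathcon what the policy expects for these paths, which tells you whether restorecon would have been the durable fix. The globs and type names are exactly those from the note; the function names, the DRY_RUN variable and the --fix flag are this example's own.

```shell
#!/bin/sh
# Added example (not part of PrivX): check and correct the SELinux type of the
# NginX and PostgreSQL certificate files from the 12.0 -> 12.1/12.2 upgrade note.
set -eu

# context_type LABEL -> the type field of a user:role:type:level label.
# Prints nothing for "?" (no label available) or anything else malformed.
context_type() {
    case $1 in
        *:*:*:*) printf '%s\n' "$1" | awk -F: '{ print $3 }' ;;
        *) : ;;
    esac
}

# selinux_type PATH -> type of PATH's current label, "" without SELinux.
# GNU stat %C prints the security context, or "?" when none is available.
selinux_type() {
    context_type "$(stat -c '%C' "$1")"
}

# files_needing_type TYPE PATH... -> prints each existing PATH whose type is
# not TYPE. Unexpanded globs (no such files) are skipped, not treated as errors.
files_needing_type() {
    want=$1; shift
    for p in "$@"; do
        [ -e "$p" ] || continue
        if [ "$(selinux_type "$p")" != "$want" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# relabel TYPE PATH... -> chcon only the files whose type differs, reporting each.
# With DRY_RUN=1 it reports what would change and modifies nothing.
relabel() {
    want=$1; shift
    files_needing_type "$want" "$@" | while IFS= read -r p; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'would relabel %s: %s -> %s\n' "$p" "$(selinux_type "$p")" "$want"
        else
            chcon -t "$want" "$p"
            printf 'relabelled %s -> %s\n' "$p" "$want"
        fi
    done
}

# The two relabels from the upgrade note, to run as root on each PrivX server
# before upgrading (DRY_RUN=1 first). chcon is not recorded in policy: a later
# restorecon or full relabel resets the file to the policy default, so the last
# step prints what the loaded policy expects for these paths. When that already
# names the same types, `restorecon -v` on the same globs is the equivalent and
# durable fix; when it does not, the chcon result will not survive a relabel
# and the rule has to be added to the policy instead.
fix_privx_cert_labels() {
    relabel httpd_config_t  /etc/nginx/ssl/nginx-internal.*
    relabel postgresql_db_t /var/lib/pgsql/data/server.*
    if command -v matchpathcon >/dev/null 2>&1; then
        matchpathcon /etc/nginx/ssl/nginx-internal.* /var/lib/pgsql/data/server.* || true
    fi
}

if [ "${1:-}" = "--fix" ]; then
    fix_privx_cert_labels
fi
```

Run `DRY_RUN=1 sh fix-cert-labels.sh --fix` first (the file name is this example's own) and compare its output with the matchpathcon lines: files that already carry the expected type are skipped, so the script is safe to re-run on a server that was fixed manually earlier.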
Notable Bug fixes and improvements
- [2718] Busyloop after disconnecting with xfreerdp
- [2767] Online license deactivation does not work
- [2780] Clients get stuck on connection-manager after websocket dies
Known issues in this release
- [789] When DB connection fails status.html does not show the reason
- [817] Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
- [852] Listing users may time out for directories with more than 100K users
- [1057] Cannot parse scoped literal IPv6 addresses
- [1230] When AWS role federation is enabled, description is shown instead of name in PrivX
Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates the correct names with the AWS roles.
- [1240] Set proper ownership and permissions for /var/privx
- [1325] Instance with host tags is not always visible in PrivX after adding an AWS directory
Workaround: Refresh the AWS directory to detect host-tagged instances.
- [1342] privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
- [1502] postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
- [1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
Workaround: To get the correct SELinux context, copy principals_command.sh into place with cp (not mv, which would keep the label the file received in /tmp):
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [1798] Authorizer crash with online license when no internet connectivity
- [1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
NOTE: In case of manual changes in the extra component .toml files:
Before upgrading, please copy the .toml files to another folder.
After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
- [1875] Web proxy login does not work, if login page does requests to multiple domains
- [1980] HOST-STORE audit events are missing username information.
- [2397] PrivX Agent does not work on RHEL 8 with OpenSSH 7.8p1 due to errors on the OpenSSH side.
- [2544] In some cases initial post install may fail because Nginx cannot be restarted.
- [2586] Certificate (and possibly public key) authentication does not work against OpenSSH versions 8.2 and later.
12.1
2020-03-19
PrivX 12.1 is an incremental release over the previous version 12, featuring security and stability fixes.
Important upgrade notes
If you are upgrading from PrivX version 12.0, you need to manually correct the SELinux context type of the NginX and PostgreSQL certificate files. See fix [2624] for additional information.
Notable Bug fixes and improvements
- [2613] SSH, RDP and Web connections can now use ports up to 65535.
- [2618] Fixed local-database setup with external PostgreSQL packages.
- [2624] Postinstall now sets correct SELinux context types for NginX and PostgreSQL certificate files.
Note: If you are upgrading from PrivX version 12.0, you need to first correct the SELinux context type of the NginX and PostgreSQL certificate files. To do this, run these commands on each PrivX server:
# chcon -t httpd_config_t /etc/nginx/ssl/nginx-internal.*
# chcon -t postgresql_db_t /var/lib/pgsql/data/server.*
After this, we recommend creating new backups before upgrading.
- [2641] Fixed issue where postinstall failed after restoring backup on RHEL 8.
Known issues in this release
- [789] When DB connection fails status.html does not show the reason
- [817] Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
- [852] Listing users may time out for directories with more than 100K users
- [1057] Cannot parse scoped literal IPv6 addresses
- [1230] When AWS role federation is enabled, description is shown instead of name in PrivX
Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates the correct names with the AWS roles.
- [1240] Set proper ownership and permissions for /var/privx
- [1325] Instance with host tags is not always visible in PrivX after adding an AWS directory
Workaround: Refresh the AWS directory to detect host-tagged instances.
- [1342] privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
- [1502] postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
- [1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
Workaround: To get the correct SELinux context, copy principals_command.sh into place with cp (not mv, which would keep the label the file received in /tmp):
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [1798] Authorizer crash with online license when no internet connectivity
- [1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
NOTE: In case of manual changes in the extra component .toml files:
Before upgrading, please copy the .toml files to another folder.
After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
- [1875] Web proxy login does not work, if login page does requests to multiple domains
- [1980] HOST-STORE audit events are missing username information.
- [2397] PrivX Agent does not work on RHEL 8 with OpenSSH 7.8p1 due to errors on the OpenSSH side.
- [2544] In some cases initial post install may fail because Nginx cannot be restarted.
- [2586] Certificate (and possibly public key) authentication does not work against OpenSSH versions 8.2 and later.
12.0
2020-03-04
PrivX 12 adds several user-authentication features, such as smart-card authentication and login-rate limiting. This version also includes plenty of stability and performance fixes.
New features
[1337] Support for restricting logins after a number of failed attempts. Useful for preventing brute-force-login attempts:
Restrict logins after failed attempts to a certain user from a certain IP.
Restrict logins after failed attempts from a certain client subnet.
[2246] Client-certificate (smart-card) authentication to PrivX.
Support client certificates from smart cards, and from browser storage.
Support for revocation-status checks via CRL and OCSP.
Note: enabling smart-card authentication in HA environments will require changes to load-balancer configuration for existing PrivX deployments.
[2381] Clipboard contents in RDP-session logs.
[2403] RDP-bastion support for forward credentials.
[2461] Settings for forcing password change on next login (for PrivX local users only).
Notable Bug fixes and improvements
- [1056] Ongoing connections are no longer disconnected automatically when ws_keepalive_interval_sec is set to 0.
- [1226] Correctly display user ID in User Authentication Failed events.
- [1239, 2476] Host scan no longer removes known targets after reaching license limits.
- [1762] Support copy-pasting to and from web connections.
- [1815] Correctly display CJK characters in web connections.
- [1914] Search supports unicode characters.
- [2304, 2507] Improved performance with Azure ADs with many groups.
- [2363] Include trust anchors in PrivX-Server backup and restore.
- [2387] RDP service no longer crashes when generating video for ongoing connections.
- [2479] Fixed browser window disappearing after toggling fullscreen mode.
- [2503] Correctly update GSuite/Azure Graph directory users when number of directory users becomes 0.
- [2514] Fixed login sometimes failing on Firefox after entering correct credentials.
- [2541] Fixed issues preventing successful postinstall with PostgreSQL 9.3, 9.4, 9.5, 9.6 and 12.
- [2543] Upgrade no longer changes configuration file’s permissions or ownership.
- [2552] Fixed issue preventing HA-instance restore.
- [2557] RDP: Do not attempt to update host certificate when host is not in host-store.
- [2559] Fixed restore script with PrivX servers using local PostgreSQL.
- [2574] Adding many accounts to hosts no longer cause index errors.
- [2575] Omit Process Step button from workflow mails for denied requests.
- [2582] Fixed connection-manager panic on client exit.
- [2589] Correct user name in RDP-connection audit events.
- [2598] Support web connections that use web-socket connections
Deprecation warnings
The vast majority of PrivX users are using modern browsers like Chrome, Firefox, Edge and Safari, with support for advanced security features and the latest web standards. Supporting Internet Explorer, which is only used by a very small fraction of all PrivX users, and which Microsoft is discouraging the use of, prevents us from adopting these modern web standards, to the detriment of all of our users. We have therefore decided to drop the support for Internet Explorer as of PrivX version 12, in order to better be able to focus our efforts on improving the user experience for all PrivX users.
Known issues in this release
- [789] When DB connection fails status.html does not show the reason
- [817] Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
- [852] Listing users may time out for directories with more than 100K users
- [1057] Cannot parse scoped literal IPv6 addresses
- [1230] When AWS role federation is enabled, description is shown instead of name in PrivX
Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates the correct names with the AWS roles.
- [1240] Set proper ownership and permissions for /var/privx
- [1325] Instance with host tags is not always visible in PrivX after adding an AWS directory
Workaround: Refresh the AWS directory to detect host-tagged instances.
- [1342] privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
- [1502] postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
- [1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
Workaround: To get the correct SELinux context, copy principals_command.sh into place with cp (not mv, which would keep the label the file received in /tmp):
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [1798] Authorizer crash with online license when no internet connectivity
- [1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
NOTE: In case of manual changes in the extra component .toml files:
Before upgrading, please copy the .toml files to another folder.
After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
- [1875] Web proxy login does not work, if login page does requests to multiple domains
- [1980] HOST-STORE audit events are missing username information.
- [2397] PrivX Agent does not work on RHEL 8 with OpenSSH 7.8p1 due to errors on the OpenSSH side.
- [2530] Web application web socket request error.
- [2544] In some cases initial post install may fail because Nginx cannot be restarted.
- [2586] Certificate (and possibly public key) authentication does not work against OpenSSH versions 8.2 and later.
11.2
2020-05-12
PrivX 11.2 is an incremental release over the previous version 11.1, featuring security and stability fixes.
Notable Bug fixes and improvements
- [PX-2718] Busyloop after disconnecting with xfreerdp
- [PX-2767] Online license deactivation does not work
- [PX-2780] Clients get stuck on connection-manager after websocket dies
Known issues in this release
- [PX-789] When DB connection fails status.html does not show the reason
- [PX-817] Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
- [PX-852] Listing users may time out for directories with more than 100K users
- [PX-1057] Cannot parse scoped literal IPv6 addresses
- [PX-1230] When AWS role federation is enabled, description is shown instead of name in PrivX
Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates the correct names with the AWS roles.
- [PX-1239] Directory shows "STATUS OK / X hosts" even when hosts are not added to host store
- [PX-1240] Set proper ownership and permissions for /var/privx
- [PX-1325] Instance with host tags is not always visible in PrivX after adding an AWS directory
Workaround: Refresh the AWS directory to detect host-tagged instances.
- [PX-1342] privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
- [PX-1502] postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
- [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
- [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [PX-1762] RDP clipboard with web container does not work
- [PX-1798] Authorizer crash with online license when no internet connectivity
- [PX-1815] CJK chars not working for web connections
- [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
- [PX-1875] Web proxy login does not work, if login page does requests to multiple domains
- [PX-1887] licensing: web access gateway functionality requires extender license feature
- [PX-1914] Searching users: Searching with unicode characters doesn't work
- [PX-1980] HOST-STORE audit events are missing username information.
- [PX-2304] Azure Graph API user fetching is slow with large number of users.
- [PX-2397] PrivX Agent does not work on RHEL 8 with OpenSSH 7.8p1 due to errors on the OpenSSH side.
11.1
2020-01-21
PrivX 11.1 is an incremental upgrade over the 11.0 release, introducing a bug fix for a licensing error removing known hosts.
Notable Bug fixes and improvements
- [PX-2476] Hosts get removed when licensing error occurs during scan operation
Note: If re-enabling a host directory causes a license error (counts exceed), the hosts of the disabled directory are now visible in PrivX. It is the responsibility of the administrator to correct the licensing error either by removing hosts or services, and/or by disabling audit enabled flags in hosts.
Known issues in this release
- [PX-789] When DB connection fails status.html does not show the reason
- [PX-817] Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
- [PX-852] Listing users may time out for directories with more than 100K users
- [PX-1057] Cannot parse scoped literal IPv6 addresses
- [PX-1230] When AWS role federation is enabled, description is shown instead of name in PrivX
Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
- [PX-1239] Directory shows "STATUS OK / X hosts" even when hosts are not added to host store
- [PX-1240] Set proper ownership and permissions for /var/privx
- [PX-1325] Instance with host tags is not always visible in PrivX after adding an AWS directory
Workaround: Refresh the AWS directory to detect host-tagged instances.
- [PX-1342] privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
- [PX-1502] postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
- [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
- [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [PX-1762] RDP clipboard with web container does not work
- [PX-1798] Authorizer crash with online license when no internet connectivity
- [PX-1815] CJK chars not working for web connections
- [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
NOTE: If you have made manual changes to the extra-component .toml files:
- Before upgrading, copy the .toml files to another folder.
- After upgrading, download the new .toml files from the PrivX UI and merge the manual changes from your .toml copies into the new .toml files.
- [PX-1875] Web proxy login does not work, if login page does requests to multiple domains
- [PX-1887] licensing: web access gateway functionality requires extender license feature
- [PX-1914] Searching users: Searching with unicode characters doesn't work
- [PX-1980] HOST-STORE audit events are missing username information.
- [PX-2304] Azure Graph API user fetching is slow with large number of users.
- [PX-2397] PrivX Agent does not work on RHEL 8 with OpenSSH 7.8p1 due to errors on the OpenSSH side.
Carrier v11.1, 10.2 and 9.2
2020-01-20
This release for Carrier 11.1, 10.2 and 9.2 is an update to fix a critical vulnerability CVE-2019-17026 found in Firefox.
Fixed issues
- [PX-2475] - Updated Firefox due to critical vulnerability, CVE-2019-17026
11.0
2019-12-20
PrivX 11 introduces RDP native-client session recording via PrivX RDP Bastion, and adds several auditing features. This version adds support for CentOS and Red Hat Enterprise Linux 8.
New features
- [PX-1090] Support for nested group members in AD groups
- [PX-1242] Audit SSH/SCP/SFTP connections from native SSH clients (PrivX SSH Bastion)
- [PX-1807] Support for CentOS 8 and Red Hat Enterprise Linux 8 as PrivX servers
- [PX-1956] Session recording and playback for PrivX RDP Bastion
- [PX-2075] Host status monitoring
- [PX-2135] Indexing and searching for SFTP channels
- [PX-2134] Downloadable SSH-Bastion and web-connection channel logs
- [PX-2139] Interactive target selection for native-client SSH connections
- [PX-2160] Support filtering scanned cloud instances
- [PX-2180] Allow playback and search for exec channels with pty
- [PX-2325] New connection field on PrivX Home page
- [PX-2347] File transfer and clipboard auditing for RDP Bastion
Notable Bug fixes and improvements
- [PX-652] User search not using mapped attributes
- [PX-1805] The first web connection after installation always fails
- [PX-1869] Allow enabling host audit via host tags
- [PX-1915] Web credentials are not being stored or otherwise being passed correctly
- [PX-2061] Host-deployment script Python 3 compatibility
- [PX-2299] iOS 13 and MacOS 10.15 Catalina policy-compliant TLS certificate handling
- [PX-2300] Added setting to change the image scaling algorithm used by RDP web client
- [PX-2303] Automatic removal of removed hosts at specified times
- [PX-2309] RDP smart card login fails always when all target host service options are disabled
- [PX-2312] Web connections support HTTP Basic Authentication
- [PX-2319] Support Belgian-French keyboard layout
- [PX-2324] Improvements to Web credential autofill for non-standard ports
- [PX-2326] New connection page improvements
- [PX-2332] Unable to Post-Install to AWS RDS if user name is different to database name
- [PX-2368] RDP Bastion uses same bastion syntax as SSH Bastion
Known issues in this release
- [PX-789] When DB connection fails status.html does not show the reason
- [PX-817] Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
- [PX-852] Listing users may time out for directories with more than 100K users
- [PX-1057] Cannot parse scoped literal IPv6 addresses
- [PX-1230] When AWS role federation is enabled, description is shown instead of name in PrivX
Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
- [PX-1239] Directory shows "STATUS OK / X hosts" even when hosts are not added to host store
- [PX-1240] Set proper ownership and permissions for /var/privx
- [PX-1325] Instance with host tags is not always visible in PrivX after adding an AWS directory
Workaround: Refresh the AWS directory to detect host-tagged instances.
- [PX-1342] privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
- [PX-1502] postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
- [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
- [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [PX-1762] RDP clipboard with web container does not work
- [PX-1798] Authorizer crash with online license when no internet connectivity
- [PX-1815] CJK chars not working for web connections
- [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
NOTE: If you have made manual changes to the extra-component .toml files:
- Before upgrading, copy the .toml files to another folder.
- After upgrading, download the new .toml files from the PrivX UI and merge the manual changes from your .toml copies into the new .toml files.
- [PX-1875] Web proxy login does not work, if login page does requests to multiple domains
- [PX-1887] licensing: web access gateway functionality requires extender license feature
- [PX-1914] Searching users: Searching with unicode characters doesn't work
- [PX-1980] HOST-STORE audit events are missing username information.
- [PX-2304] Azure Graph API user fetching is slow with large number of users.
- [PX-2397] PrivX Agent does not work on RHEL 8 with OpenSSH 7.8p1 due to errors on the OpenSSH side.
10.2
2020-01-21
PrivX 10.2 is an incremental upgrade over the 10.1 release, introducing a bug fix for a licensing error removing known hosts.
Notable Bug fixes and improvements
- [PX-2476] Hosts get removed when licensing error occurs during scan operation
Note: If re-enabling a host directory causes a license error (counts exceed), the hosts of the disabled directory are now visible in PrivX. It is the responsibility of the administrator to correct the licensing error either by removing hosts or services, and/or by disabling audit enabled flags in hosts.
10.1
2019-11-13
PrivX 10.1 is an incremental upgrade over the 10.0 release, introducing fixes to cloud-host management.
Important upgrade notes
If you have a GCP directory with deleted instances in PrivX before upgrading to 10.1, the deleted instances will remain in the hosts list after the upgrade. To get rid of the deleted instances you need to do one of the following:
- Delete the obsolete hosts using the Settings→Hosts page in the PrivX GUI, or
- Delete and re-create the GCP directory
Notable Bug fixes and improvements
- [PX-2261] Host-deployment fails if host-deployment script is run after host scan.
- [PX-2262] Host deletions on Google Cloud are not updated to PrivX host list.
- [PX-2287] Host scanning does not handle the case where number of hosts in a region drops to zero.
Known issues in this release
- [PX-652] User search not using mapped attributes
- [PX-789] When DB connection fails status.html does not show the reason
- [PX-817] Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
- [PX-852] Listing users may time out for directories with more than 100K users
- [PX-1057] Cannot parse scoped literal IPv6 addresses
- [PX-1230] When AWS role federation is enabled, description is shown instead of name in PrivX
Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
- [PX-1239] Directory shows "STATUS OK / X hosts" even when hosts are not added to host store
- [PX-1240] Set proper ownership and permissions for /var/privx
- [PX-1325] Instance with host tags is not always visible in PrivX after adding an AWS directory
Workaround: Refresh the AWS directory to detect host-tagged instances.
- [PX-1342] privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
- [PX-1502] postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
- [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
- [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [PX-1762] RDP clipboard with web container does not work
- [PX-1798] Authorizer crash with online license when no internet connectivity
- [PX-1805] The first web connection after installation always fails
- [PX-1815] CJK chars not working for web connections
- [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
- [PX-1875] Web proxy login does not work, if login page does requests to multiple domains
- [PX-1887] licensing: web access gateway functionality requires extender license feature
- [PX-1914] Searching users: Searching with unicode characters doesn't work
- [PX-1980] HOST-STORE audit events are missing username information
- [PX-2309] RDP smart card login fails sometimes when target host service options are disabled
Workaround: Enable file transfer and/or auditing for the target host.
10.0
2019-10-31
PrivX 10 introduces an agentless way to connect with native SSH clients and allows greater control over which features are allowed for host connections.
New features
- PKCE Support for OIDC directories
- Native-client use via SSH Bastion
- Control which SSH and RDP channels are allowed for host connections
NOTE: The RDP Allowed Account Service Options are not yet enforced in native-client RDP connections in PrivX 10.
Notable Bug fixes and improvements
- [PX-2059] Trail transcript reverse search is slow on EFS
- [PX-2068] Event is not created when opening transcript
- [PX-2080] Failing SFTP channel will close terminal channel as well
- [PX-2109] Carrier, Web Proxy and Extender start too soon
- [PX-2165] Connection manager library does not handle message read timeouts correctly
- [PX-2171] Fixed web-access vulnerability
- [PX-2212] Web Proxy now enforces TLSv1.2. Connecting to targets that only support TLSv1.1 or earlier now fails with 'Handshake with SSL Server failed'.
- [PX-2215] Blank page when clicking datepicker
- [PX-2226] In some situations SSH operation fails
- [PX-2236] Sometimes postinstall.sh fails with Nginx binding error
Known issues in this release
- [PX-652] User search not using mapped attributes
- [PX-789] When DB connection fails status.html does not show the reason
- [PX-817] Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
- [PX-852] Listing users may time out for directories with more than 100K users
- [PX-1057] Cannot parse scoped literal IPv6 addresses
- [PX-1230] When AWS role federation is enabled, description is shown instead of name in PrivX
Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
- [PX-1239] Directory shows "STATUS OK / X hosts" even when hosts are not added to host store
- [PX-1240] Set proper ownership and permissions for /var/privx
- [PX-1325] Instance with host tags is not always visible in PrivX after adding an AWS directory
Workaround: Refresh the AWS directory to detect host-tagged instances.
- [PX-1342] privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
- [PX-1502] postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
- [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
- [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [PX-1762] RDP clipboard with web container does not work
- [PX-1798] Authorizer crash with online license when no internet connectivity
- [PX-1805] The first web connection after installation always fails
- [PX-1815] CJK chars not working for web connections
- [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
- [PX-1875] Web proxy login does not work, if login page does requests to multiple domains
- [PX-1887] licensing: web access gateway functionality requires extender license feature
- [PX-1914] Searching users: Searching with unicode characters doesn't work
- [PX-1980] HOST-STORE audit events are missing username information