Release Notes 20.x - 29.x
29.1
2023-07-20
PrivX 29.1 is an incremental release on top of PrivX 29.0. This release contains a few important bug fixes:
- [PX-6087] rdp-proxy can crash with a runtime error
- [PX-6076] privx-carrier status update causes slow memory leak
- [PX-5957] Installing PrivX 29 breaks dnf in Amazon Linux 2023
- [PX-6140] Devtools and popups are not working in v29.0 carrier browser images
29.0
2023-05-04
Important Notes for This Release
Azure-Directory Migration to MS Graph
If you have set up Azure user/host directories using the Azure AD Graph API, such directories will be automatically migrated to the MS Graph API when you upgrade to this release. After the upgrade, you still need to manually set the following API permissions for the PrivX app in the Azure Portal:
Microsoft Graph → Application Permissions
- User.Read.All
- Groups.Read.All
Azure AD Graph API shall be deprecated in June 2023.
For more information about setting up Azure directories with MS Graph, see Azure AD as a User Directory via Microsoft Graph API.
Web Proxy no longer uses Squid
Since PrivX 29, PrivX Web Proxy no longer uses Squid for proxying HTTPS traffic. The proxying features have been implemented in the PrivX Web Proxy binary itself, and all Squid dependencies have been removed from the RPM package.
If you still need Squid-specific features for some reason, the latest PrivX core package is backwards compatible with earlier Carrier and Web Proxy components.
After upgrading PrivX core, Carrier, and Web Proxy to version 29, you need to re-download the web-proxy-config.toml file via the PrivX UI and replace your old config with it.
Required actions to optimize PrivX performance
As part of our ongoing effort to optimize PrivX performance, we have introduced additional indexing support since PrivX 28. Some of these improvements require the pg_trgm extension in the PrivX database. Please read Improve Performance with Indexing before upgrading.
Routing prefix name does not allow mixed cases
PrivX web gateways and extenders can be grouped under the same routing prefix to achieve high availability. The routing prefix name used to be treated as case-sensitive, but the name in the connection target is treated as case-insensitive by the native ssh client. To avoid potential configuration errors, only lowercase letters and numbers are allowed in routing prefix names.
Deprecation Warnings
Redis Support Ending
We recommend using PostgreSQL for PrivX inter-microservice notifications. Please change the notification mechanism to PostgreSQL if your PrivX still uses Redis for notifications. Redis support will end in a future release.
PostgreSQL 9.x and 10.x Support Ending
PostgreSQL 9.x and 10.x reached end of life in 2021 and 2022 respectively, and support for these database versions will be dropped in a future PrivX release.
SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.
Practical attacks against SHA-1 have been demonstrated in 2017 and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
Supported releases and upgrade path
After this release, we produce security and stability fixes for PrivX 29.x, 28.x, and 27.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.
Upgrading to this version is supported from three previous major versions (28.x, 27.x, 26.x). For more information about upgrading from older versions, see Upgrade from Older Releases.
New Features
- [PX-3319] Enable Web Connections to be routed through extenders
  This feature allows PrivX Web Proxy to route web traffic to different networks via Extenders.
- [PX-4316] "Secret" tab can be disabled by customer
- [PX-4815] PrivX login form is collapsible
- [PX-5661] Extender can connect to multiple PrivX URLs.
- [PX-5674] PrivX web client connections support new keyboard layouts for Portuguese, Dutch and Romanian. Also see Tips to set correct keyboard layout
- [PX-3249] admin-tool to reset context limitation of roles and local user password
- [PX-5734] Visual editor for json settings in UI
Improvements
- [PX-5792] Possible to use existing database and database user in Kubernetes deployment
- [PX-5679] Carrier container performance improvement by replacing the lsof command with ss in the exit.sh script
- [PX-5741] Support multiple PrivX FQDNs in Kubernetes deployment
- [PX-5338] SSH Bastion interactive mode performance improvement when host list is very long
- [PX-5320] Support tags to network target
- [PX-5781] Indexing to connection table for performance improvement
- [PX-5496] Troubleshooting scripts support more options
Bug fixes
- [PX-4438] File uploads might fail in web target connections
- [PX-5237] PrivX core/Extender/Web-Proxy rpms should not depend on firewalld
- [PX-5671] Deploying new carrier/web-proxy on existing carrier/web-proxy host fails because of invalid certificate
- [PX-5726] Refreshing single MS Graph user does not obey group filters
- [PX-5790] Carrier should fall back to default Firefox image if container name is not defined
- [PX-5805] After selecting role, it is not possible to select a membership while creating a request for a role
- [PX-5815] Typo on the Administration → Deployment page
- [PX-5822] SCIM directory eq filter not working properly
- [PX-5825] Incorrect version number in role-store.toml
- [PX-5830] Incorrect version number in monitor-service.toml
- [PX-5879] The path property for personal secrets API has a leading space
- [PX-5883] Web host is resolved incorrectly if there is a duplicate URL on different hosts
- [PX-5885] Graph API and GSuite user directories do not recover from network errors
- [PX-5891] Vulnerable docker lib used in extender
- [PX-5761] workflow request for a deleted role should not be possible
- [PX-5878] Extender routing prefix validation is not done properly. Only lowercase letters and numbers are now allowed in routing prefix names.
Known Issues
- When upgrading PrivX Web Proxy to v29, make sure to stop Squid service first. In some cases, the discontinued Squid process won't get killed on the upgrade but needs to be stopped manually.
- [PX-6014] Downloaded extender-config.toml is missing the "privx_extender_service_enabled = true" setting. Admin should add it after downloading the config file.
- [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
  - Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:
    # scp -i key.pem principals_command.sh user@target:/tmp/
    # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
- [PX-1875] Web proxy login does not work if the login page makes requests to multiple domains
- [PX-2947] No sound when viewing recorded rdp-mitm connection.
- [PX-3086] PrivX role mapping to AD OU not working as expected.
- [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
- [PX-4215] Successful OIDC login might generate too long an auth code as a query parameter, causing access-token fetching to fail (there's a workaround in the Nginx config since PrivX 27.0)
- [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
- [PX-4352] UI shows deleted local user after delete
- [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
- Workaround: Restart affected Carrier and Web-Proxy services.
- [PX-4650] Setting "access_token_valid" to "1m" kicks the user out to the login page
- [PX-4662] Pasting larger amounts of text into a Carrier/Proxy host fails (limited to 16kB for now)
- [PX-4689] PrivX Linux Agent leaving folders in /tmp
- [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
- [PX-5394] SSH cert auth conn fail after rotating PrivX CA Key
- [PX-5558] PrivX does not support the password-change-required option for users in the auth flow via WebAuthn.
- [PX-5760] RDP Proxy fails to start.
- [PX-5798] Typing becomes slower while mouse is hovering over clickable link in web client
- Workaround: In an open connection, click Settings, then under Advanced, disable Clickable Links.
28.1
2023-03-17
PrivX 28.1 is an incremental release on top of 28.0 with bug fixes and security updates:
- [PX-5830] Incorrect data version number in monitor-service.toml
- [PX-5825] Incorrect data version number in role-store.toml
- [PX-5808] Microservices may crash at start due to cached sessions in Redis
- [PX-5801] Update to golang.org/x/net package to version 0.8
28.0
2023-03-01
Important Notes for This Release
Azure-Directory Migration to MS Graph
If you have set up Azure user/host directories using the Azure AD Graph API, such directories will be automatically migrated to the MS Graph API when you upgrade to PrivX 28. After the upgrade, you still need to manually set the following API permissions for the PrivX app in the Azure Portal:
Microsoft Graph → Application Permissions
- User.Read.All
- Groups.Read.All
Azure AD Graph API shall be deprecated in June 2023.
For more information about setting up Azure directories with MS Graph, see Azure AD as a User Directory via Microsoft Graph API.
PrivX-Carrier rpm package no longer includes the default carrier container
Instead, it downloads the container from the Internet. After the upgrade, make sure to re-download your carrier-config.toml via the PrivX UI and verify which browser container version you wish to use.
See the documentation for more details.
Deprecation Warnings
PostgreSQL 9.x and 10.x Support Ending
PostgreSQL 9.x and 10.x reached end of life in 2021 and 2022 respectively, and support for these database versions will be dropped in a future PrivX release.
SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.
Practical attacks against SHA-1 have been demonstrated in 2017 and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
Supported releases and upgrade path
After this release, we produce security and stability fixes for PrivX 28.x, 27.x, and 26.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.
Upgrading to this version is supported from three previous major versions (27.x, 26.x, 25.x). For more information about upgrading from older versions, see Upgrade from Older Releases.
New Features
- [PX-4308] Improve audit-event-search performance with trigram indexing.
- If upgrading from an earlier PrivX version, you must enable this manually as described in Audit-Event Indexing for Faster Searches.
- [PX-5584] Validate winrm certificate in password rotation service
Improvements
- [PX-3574] Principal keys of roles are not generated during role creation, but on demand
- [PX-4376] Audit events are generated for housekeeping actions
- [PX-4825] MFA reset/init should generate an audit event
- [PX-4993] Service health check also detects protocol version and latency
- [PX-5114] Allowed IP addresses for authorized key increased from 16 to 256
- [PX-5168] Allow less strict target url checking for web connections
- [PX-5208] Role drop down list shows more than 100 results
- [PX-5212] New host tag "privx-ssh-certificate-template" for configuring certificate templates
- [PX-5367] Add logging of kex methods to hybrid kex handlers
- [PX-5372] Carrier browser is not shipped in PrivX-Carrier rpm packages
- [PX-5462] Post install script checks for postgresql before prompting local vs external DB.
- [PX-5486] Rewrite role-store azure cloud module to use new SDK version
- [PX-5516] Move deleted "role ID to name mappings" to role-store
- [PX-5522] connection-manager DB queries optimization on UEBA status check
- [PX-5528] Button to disable UEBA configuration
- [PX-5549] Link to session-specific audit events directly from the monitor / sessions view
- [PX-5637] UI: remove "JSON" from setting titles
- [PX-5684] Add "Windows"-key into Send Keys
- [PX-5685] License check relaxed to improve SCIM sync performance
- [PX-5692] Relax nginx proxy_read_timeout for audit event search and connection search endpoints
- [PX-5704] UI text refresh by dropping all-caps styles to improve the readability
Bug fixes
- [PX-4824] Possible to supply invalid id of access group through API
- [PX-5066] network target search api endpoint doesn't work with api client
- [PX-5289] Wrong response code when creating host with duplicate 'instance id'
- [PX-5391] UEBA: Cannot delete model if server is misconfigured
- [PX-5429] Access group admin cannot accept host key
- [PX-5514] audit event does not have the MODIFICATIONS property for webauthn credential
- [PX-5575] Monitoring status page components disappear after disconnect
- [PX-5588] Improve error message for session cache size
- [PX-5593] WebAuthn: cancel of adding of passkey considered as error
- [PX-5596] Services health check status does not get updated outside health check scans
- [PX-5608] Settings endpoint PUT fails with HTTP 400
- [PX-5623] carrier: return proper error when resolveContainerPort() fails
- [PX-5639] Microsoft Graph role store user provider does not return all users
- [PX-5649] OIDC login fails if jwks_uri contains keys that go-jose can't handle
- [PX-5667] Connection attempt to host with empty data causes RDP Proxy panics
- [PX-5668] Host search not finding any matches searching by service address
- [PX-5677] Host keyword search should not target json data
- [PX-5682] Cannot delete secret with special characters in name
- [PX-5696] postinstall may fail to start nginx
- [PX-5730] Odd behavior when editing script templates
- [PX-5731] Panic in extender service after restart attempt
- [PX-5762] ssh-mitm: SFTP ICAP scan for uploaded files leaves the connection specific empty scan directory behind
- [PX-5770] Housekeeping task may remove trails unintentionally
Known Issues
- [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
  - Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:
    # scp -i key.pem principals_command.sh user@target:/tmp/
    # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
- [PX-1875] Web proxy login does not work if the login page makes requests to multiple domains
- [PX-2947] No sound when viewing recorded rdp-mitm connection.
- [PX-3086] PrivX role mapping to AD OU not working as expected.
- [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
- [PX-4215] Successful OIDC login might generate too long an auth code as a query parameter, causing access-token fetching to fail (there's a workaround in the Nginx config since PrivX 27.0)
- [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
- [PX-4352] UI shows deleted local user after delete
- [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
- Workaround: Restart affected Carrier and Web-Proxy services.
- [PX-4650] Setting "access_token_valid" to "1m" kicks the user out to the login page
- [PX-4662] Pasting larger amounts of text into a Carrier/Proxy host fails (limited to 16kB for now)
- [PX-4689] PrivX Linux Agent leaving folders in /tmp
- [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
- [PX-5394] SSH cert auth conn fail after rotating PrivX CA Key
- [PX-5558] PrivX does not support the password-change-required option for users in the auth flow via WebAuthn.
- [PX-5798] Typing becomes slower while mouse is hovering over clickable link in web client
- Workaround: In an open connection, click Settings, then under Advanced, disable Clickable Links.
- [PX-5760] RDP Proxy fails to start.
Note
Chromium password manager not yet supported for Chromium containers.
27.1
2023-03-10
PrivX 27.1 is an incremental release on top of 27.0 with critical bug fixes and security updates:
- [PX-5808] Microservices may crash at start due to cached sessions in Redis
- [PX-5770] Housekeeping task may remove trails unintentionally
- [PX-5701] Update to golang 1.19.6
- [PX-5673] Update to openssl 1.1.1t
27.0
2023-01-02
Deprecation Warnings
SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.
Practical attacks against SHA-1 have been demonstrated in 2017 and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
Supported releases and upgrade path
After this release, we produce security and stability fixes for PrivX 27.x, 26.x, and 25.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.
Upgrading to this version is supported from three previous major versions (26.x, 25.x, 24.x). For more information about upgrading from older versions, see Upgrade from Older Releases.
New features
- [PX-1159] View active user sessions.
- [PX-2207] Color heading and watermark in connections
- [PX-2345] Login to PrivX with Passkey.
- [PX-5493] Single sign-on support for web UI.
- [PX-4856] Live monitor on RDP/Web/VNC connections.
- [PX-5449] New exclusion list setting allows filtering audit events that are written to database.
- [PX-5450] Separate retention period for transferred files in recorded sessions.
- [PX-5311] shift-jis encoding support in connection and session playback.
Improvements and bug fixes
- [PX-5067] privx-on-aws updated to support AWS CDK v2
- [PX-5382] OIDC redirect URL glob support to allow wildcards
- [PX-5468] External token provider page title change
- [PX-5502] Make SCIM MaxResults configurable
- [PX-5507] Send key combination Ctrl-Esc in RDP/VNC session
- [PX-5434] PrivX Go/Python SDKs to include IDP and UEBA endpoints
- [PX-5523] privx-cli new commands to invoke new IDP and UEBA endpoints
- [PX-4467] Settings PUT endpoint allows incorrect values for hostkey_algorithms
- [PX-5411] WEB-PROXY: wrong version number in status information
- [PX-5560] RDP-proxy ICAP file scanning regression fixed
- [PX-5479] Connection manager performance improvements
Known Issues
- [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
  - Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:
    # scp -i key.pem principals_command.sh user@target:/tmp/
    # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
- [PX-1875] Web proxy login does not work if the login page makes requests to multiple domains
- [PX-2947] No sound when viewing recorded rdp-mitm connection.
- [PX-3086] PrivX role mapping to AD OU not working as expected.
- [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
- [PX-4215] Successful OIDC login might generate too long an auth code as a query parameter, causing access-token fetching to fail
- [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
- [PX-4352] UI shows deleted local user after delete
- [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
- Workaround: Restart affected Carrier and Web-Proxy services.
- [PX-4650] Setting "access_token_valid" to "1m" kicks the user out to the login page
- [PX-4662] Pasting larger amounts of text into a Carrier/Proxy host fails (limited to 16kB for now)
- [PX-4689] PrivX Linux Agent leaving folders in /tmp
- [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
- [PX-5394] SSH cert auth conn fail after rotating PrivX CA Key
- [PX-5558] PrivX does not support the password-change-required option for users in the auth flow via WebAuthn.
- [PX-5593] Cancel of adding of passkey gives an error
- [PX-5608] UI shows an error even though the connection succeeds
- [PX-5760] RDP Proxy fails to start.
Note
Chromium password manager not yet supported for Chromium containers.
26.2
2023-03-10
PrivX 26.2 is an incremental release on top of 26.0 with critical bug fixes and security updates:
- [PX-5808] Microservices may crash at start due to cached sessions in Redis
- [PX-5770] Housekeeping task may remove trails unintentionally
- [PX-5701] Update to golang 1.19.6
- [PX-5673] Update to openssl 1.1.1t
26.0
2022-11-02
Deprecation Warnings
SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.
Practical attacks against SHA-1 have been demonstrated in 2017 and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
Supported releases and upgrade path
After this release, we produce security and stability fixes for PrivX 26.x, 25.x, and 24.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.
Upgrading to this version is supported from three previous major versions (25.x, 24.x, 23.x). For more information about upgrading from older versions, see Upgrade from Older Releases.
New features
- [PX-2580] Support for PrivX as OIDC Identity Provider
- [PX-4762] Support for Post-Quantum-Cryptography algorithms.
  - New PQC KEX algorithms: ecdh-nistp521-kyber1024-sha512@ssh.com, curve25519-frodokem1344-sha512@ssh.com, sntrup761x25519-sha512@openssh.com
  - Note: PQC algorithms are not mentioned in ssh-algorithms.toml. For the correct lists of default algorithms, see Supported SSH Algorithms.
- [PX-3991] Monitor ongoing SSH connections in real-time
- [PX-3042] Additional container support for Web carrier: Firefox, Firefox Lite, Chromium Lite.
- Note: Password manager is not yet supported for Chromium containers.
- [PX-5011] User and Entity Behavioural Analytics: automatically audit and block potentially suspicious SSH and RDP connections based on connection data from your network environment.
- [PX-5286] Hostname as parameter to password-rotation scripts
- [PX-4100] Utility for cleaning up old daily backups
Improvements
- [PX-5132] Document missing permissions in public docs
- [PX-5083] Validate user settings
- [PX-5064] Unified naming conventions for binaries and configuration files.
- [PX-5012] Optimization on setting roles of logged in users
- [PX-5008] Add new Cert API Endpoints to the Golang SDK
- [PX-5007] Add new Identity Provider API Endpoints to the Golang SDK
- [PX-5006] Add missing Network Access Manager API Endpoints to Golang SDK
- [PX-4619] postinstall.sh writes timestamp and PrivX version when starting install or upgrade
- [PX-3762] Deployment script supports AWS instance metadata version 2
- [PX-4772] PrivX deployment on Kubernetes 1.24 is supported
Bug fixes
- [PX-5398] Session playback may cause high CPU usage
- [PX-5395] RDP-PROXY: can not create subdirectory in Files tab
- [PX-5342] MS Graph: number of users is incorrect with applied group names
- [PX-5318] In Kubernetes deployment context-based role restriction on time may not work correctly
- [PX-5316] Upgrading PrivX-Kube breaks AWS directory as ACCESS KEY ID is changed
- [PX-5297] API search function should accept empty POST body
- [PX-5275] Audit events search returns wrong count
- [PX-5272] monitor-service should not return component's hostname in status query
- [PX-5261] Workflow requests API call returns 0 count
- [PX-5240] Host search returns zero items
- [PX-5219] Microservices may fail to contact syslog after server reboot
- [PX-5207] Host tag comparison works only with lower case tags
- [PX-5214] Restricted shell does not require all sub-commands to match patterns from the same whitelist object
- [PX-5201] Restricted shell does not handle linefeed character correctly in terminal emulator
- [PX-5186] SSH command restrictions whitelist patterns cannot be easily used to block input/output redirection
- [PX-5181] Host-removed audit event has incorrect accessGroupID field
- [PX-5173] OIDC user's roles do not reflect OIDC server side changes during PrivX access token refresh
- [PX-5172] User may be incorrectly kicked out during token refresh if using multiple tabs in web UI
- [PX-5170] Secrets vault search may fail with filter + keyword combination
- [PX-5164] SSH session playback may stop after a short while because the wrong connection id is checked
- [PX-5119] host-store and role-store error messages updated
- [PX-5093] Secret vault UI doesn't show deleted roles nicely
- [PX-5058] troubleshoot.sh doesn't collect postgresql-*.log from /var/lib/pgsql/data/log folder on Rocky Linux 8
- [PX-5000] Golang SDK query parameters missing for SearchUsers request
- [PX-4944] SCIM push may create duplicate roles
- [PX-4862] Host health checks do not allow instance specific filtering
- [PX-4845] UI: Script template compiled script should not highlight normal text
Known Issues
- [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
  - Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:
    # scp -i key.pem principals_command.sh user@target:/tmp/
    # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
- [PX-1875] Web proxy login does not work if the login page makes requests to multiple domains
- [PX-2947] No sound when viewing recorded rdp-mitm connection.
- [PX-3086] PrivX role mapping to AD OU not working as expected.
- [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
- [PX-4035] Token refresh does not work and tabs do not share session state on Safari 14.1.1
- [PX-4215] Successful OIDC login might generate too long an auth code as a query parameter, causing access-token fetching to fail
- [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
- [PX-4352] UI shows deleted local user after delete
- [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
- Workaround: Restart affected Carrier and Web-Proxy services.
- [PX-4650] Setting "access_token_valid" to "1m" kicks the user out to the login page
- [PX-4662] Pasting larger amounts of text into a Carrier/Proxy host fails (limited to 16kB for now)
- [PX-4689] PrivX Linux Agent leaving folders in /tmp
- [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
- [PX-5432] Publickey login to SSH bastion using RSA authorized keys fails when using openssh-8.8 or later
  - Workaround: Use key types other than RSA, or enable the ssh-rsa signature type for publickey authentication:
    # ssh -o "PubkeyAcceptedAlgorithms +ssh-rsa" ...
- [PX-5760] RDP Proxy fails to start.
25.0
2022-08-30
Deprecation Warnings
SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.
Practical attacks against SHA-1 have been demonstrated in 2017 and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
Supported releases and upgrade path
After this release, we produce security and stability fixes for PrivX 25.x, 24.x, and 23.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.
Upgrading to this version is supported from three previous major versions (24.x, 23.x, 22.x). For more information about upgrading from older versions, see Upgrade from Older Releases.
See updated installation instructions
New features
- [PX-2879] SSH command restrictions.
- Restrict the commands that can be run by users on SSH target accounts.
- Restrictions may be customised per role.
Improvements
- [PX-5006] New API endpoints (cert, identity provider, and network access manager) supported by PrivX Go SDK
- [PX-4913] Housekeeping task to remove old certificates from database
- [PX-4870] Deployment script to support adding host tags
- [PX-4768] Authentication certificate signature logged to Audit Event [401]
- [PX-4685] Support Amazon Linux 2022 as PrivX installation server
- [PX-4628] Show host name in PrivX ssh bastion interactive connection list
- [PX-4583] Housekeeping task to remove the empty trail folders
- [PX-4453] /var/log/privx/guacd.log is less verbose
- [PX-4405] Make CA key expiration time known to admins
- [PX-4380] Show warning if database or target host clocks are not in sync
- [PX-4191] Kubernetes PrivX container images cleanup
- [PX-4907] REST clients should fetch objects in batches of 1000 objects, where applicable
- [PX-4862] New property in shared-config.toml allows skipping health check of hosts with host tags
- [PX-5054] Support for ClearSwift ICAP gateway scan messages
- [PX-5180] postinstall.sh to support generic-pkcs11 params for non-interactive mode
Bug fixes
- [PX-4560] Deleted roles are displayed as "Untitled" in UI
- [PX-5128] Explicit members are not counted at all when showing role member counts
- [PX-5124] API allows creating a host without a role id
- [PX-5068] Incorrect error field contents in audit events when ssh-mitm sftp upload is blocked by ICAP
- [PX-5065] postinstall.sh fails without firewalld configuration commands
- [PX-5059] Network target's disabled property is not handled properly
- [PX-5056] Deployment script adds host to PrivX with role 'Untitled'
- [PX-5055] AD directory status not updated, if bind password is incorrect
- [PX-5026] PrivX 24 Kubernetes migration script doesn't have custom syslog configuration
- [PX-5012] Connection more likely to fail for user who has many roles
- [PX-5003] Hosts are incorrectly disabled when license update fails
- [PX-4979] Carrier web urls break if using '&' characters in urls
- [PX-4933] ssh-proxy: client IP address is not conveyed to authorizer in the REST API requests
- [PX-4922] Audit log gets spammed if no connection to directory
- [PX-4681] Deployment script gives unclear error message when deploying a host that already exists
- [PX-4606] PrivX Server ports not opened if firewalld default zone isn't named public
- [PX-4602] PrivX as ssh client doesn't send ECDH algorithms in correct order
- [PX-4441] PrivX logs do not show the correct error when deployment script fails to modify /etc/sshd_config
- [PX-4338] PrivX does not work nicely with OpenSSH MaxSessions 1
- [PX-4334] Vault API query returns wrong count in case of offset larger than total items count
- [PX-4952] User-logged-in audit event when using external JWT token exchange should show identity provider name
- [PX-4932] remoteAddress in user store's audit event is 127.0.0.1 which is incorrect
Known Issues
- [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
  - Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:
    # scp -i key.pem principals_command.sh user@target:/tmp/
    # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
- [PX-1875] Web proxy login does not work if the login page makes requests to multiple domains
- [PX-2947] No sound when viewing recorded rdp-mitm connection.
- [PX-3086] PrivX role mapping to AD OU not working as expected.
- [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
- [PX-4035] Token refresh does not work and tabs do not share session state on Safari 14.1.1
- [PX-4215] Successful OIDC login might generate too long auth code as query parameter causes access-token fetching to fail
- [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
- [PX-4352] UI shows deleted local user after delete
- [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
- Workaround: Restart affected Carrier and Web-Proxy services.
- [PX-4650] Setting access_token_valid to "1m" kicks the user out to the login page
- [PX-4662] Pasting larger text amount in Carrier/Proxy host fails (limited to 16kB for now)
- [PX-4689] PrivX Linux Agent leaving folders in /tmp
- [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
- [PX-5186] SSH command restrictions whitelist patterns cannot be easily used to block input/output redirection
- Workaround: Avoid wildcard patterns when possible
24.0
2022-06-27
Important Notes
End of life for Legacy Certificates
PrivX 22 and later will no longer support workaround for legacy X.509 certificates that do not contain server FQDN in Subject-Alt-Name extension field. Please upgrade your server certificates to include SAN extension before upgrading to PrivX 22 or later releases.
Deprecation Warnings
CentOS 8 is no longer supported
PrivX does not support CentOS 8 release because CentOS 8 reached end of life during December 2021. From PrivX 21, Rocky Linux 8 is supported. You may Migrate to Rocky Linux.
SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.
Practical attacks against SHA-1 have been demonstrated in 2017 and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
Supported releases and upgrade path
After this release, we produce security and stability fixes for PrivX 24.x, 23.x, and 22.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.
Upgrading to this version is supported from three previous major versions (23.x, 22.x, 21.x). For more information about upgrading from older versions, see Upgrade from Older Releases.
New features
- [PX-3980] Real-Time Auditing SSH Connections
- [PX-4044] Login to PrivX with JWT token from trusted token provider
- [PX-4831] Monitoring→Certificates displays certificates configured in PrivX
- [PX-4189] SCIM directory supports user import filter
- [PX-4419] ICAP antivirus check for file transfers using SFTP
- [PX-4298] Firefox browser in web carrier allows popups
Improvements
- [PX-4917] PrivX Router supports multiple RAC_IP_POOL / RAC_IP6_POOL in setup.sh
- [PX-4942] Upgrade Go versions to the 1.17.11
- [PX-4906] PrivX ICAP antivirus support WithSecure Atlant and Clearswift Secure ICAP Gateway
- [PX-4901] Request/Approval view supports more search filters
- [PX-4897] Guacamole log level aligned to RDP_PROXY_LOG_LEVEL in /opt/privx/scripts/local-env
- [PX-4813] Support OIDC v2.0 issuer urls with Azure
- [PX-4752] Network target client ping to detect disconnects
- [PX-4719] initial_install.sh prompt user for number of trusted load balancers
- [PX-4702] Monitoring→Status component auto-collapses when there are no errors
- [PX-4489] Option --delegated-principals-all supported by deployment script
- [PX-4392] Set screen resolution in RDP-PROXY session
- [PX-4252] OIDC settings in SCIM directory is optional
Bug fixes
- [PX-5001] Privx ICAP does not scan the tmp folder for ssh-proxy and ssh-mitm in kubernetes env
- [PX-4988] API documentation fix for /authorizer/api/v1/ca/authorize
- [PX-4968] Deleting AWS directory does not delete aws roles from db
- [PX-4929] Workflowengine.log missing after installation
- [PX-4881] Workflows page in PrivX UI does not handle more than 50 workflows
- [PX-4842] Inaccurate error message when deleting password rotation script/policy which is in use
- [PX-4774] RDP smartcard deployment instruction on PrivX UI doesn't mention NLA
- [PX-4727] Possible to bypass domain restrictions on web targets by editing URL in URL bar
- [PX-4699] POST /authorizer/api/v1/ca/authorize returning OpenSSH certificates in incompatible format
- [PX-4239] Instruction fixes on the Deployment page for manual SSH host configuration
Known Issues
- [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
- Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:
  # scp -i key.pem principals_command.sh user@target:/tmp/
  # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
- [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
- [PX-1875] Web proxy login does not work if the login page makes requests to multiple domains
- [PX-2947] No sound when viewing recorded rdp-mitm connection.
- [PX-3086] PrivX role mapping to AD OU not working as expected.
- [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
- [PX-4035] Token refresh does not work and tabs do not share session state on Safari 14.1.1
- [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
- [PX-4352] UI shows deleted local user after delete
- [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
- Workaround: Restart affected Carrier and Web-Proxy services.
- [PX-4650] Setting access_token_valid to "1m" kicks the user out to the login page
- [PX-4662] Pasting larger text amount in Carrier/Proxy host fails (limited to 16kB for now)
- [PX-4689] PrivX Linux Agent leaving folders in /tmp
- [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
23.1
2022-04-19
PrivX 23.1 is an incremental release on top of PrivX 23.0 with golang security update.
- [PX-4861] Update golang to 1.17.9
23.0
2022-04-07
Important Notes
End of life for Legacy Certificates
PrivX 22 and later will no longer support workaround for legacy X.509 certificates that do not contain server FQDN in Subject-Alt-Name extension field. Please upgrade your server certificates to include SAN extension before upgrading to PrivX 22 or later releases.
Deprecation Warnings
CentOS 8 is no longer supported
PrivX does not support CentOS 8 release because CentOS 8 reached end of life during December 2021. From PrivX 21, Rocky Linux 8 is supported.
SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.
Practical attacks against SHA-1 have been demonstrated in 2017 and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
Supported releases and upgrade path
After this release, we produce security and stability fixes for PrivX 23.x, 22.x and 21.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.
Upgrading to this version is supported from three previous major versions (22.x, 21.x, 20.x). If you are planning to upgrade from an older version, please contact support.
New features
- [PX-4124] Network Target Extender Support.
- [PX-4364] Linux and Windows local accounts Password Rotation.
- [PX-3117] Azure AD as a User Directory via Microsoft Graph API.
- Will replace the to-be-deprecated Azure Graph API integration. For instructions about migrating to the newer directory type, also see here.
- [PX-2315] Antivirus scan on file transfers in native scp and ssh-proxy connections.
- [PX-4693] Host-deployment script supports MacOS, FreeBSD, Arch Linux, Gentoo Linux.
- [PX-4383] Monitoring→Status page displays more details about PrivX services and components.
Improvements
- [PX-4512] PrivX to support PostgreSQL 14
- [PX-4539] Remote desktop wallpaper supported for RDP-PROXY connections
- [PX-4677] Support socket activated sshd with deploy.py script
- [PX-4653] Upgrade and update dependencies for RDP Bastion
- [PX-4633] Update Squid version to 5.3
- [PX-4632] Update OpenSSL version to 1.1.1n
- [PX-4532] Windows application restriction UI and text alignment
- [PX-4297] Guacamole version 1.4 and FreeRDP version 2.5.0 upgrade
- [PX-4252] OIDC settings in SCIM directory should be optional
- [PX-4608] PrivX test against Solaris 11.4 with SSH-2.0-OpenSSH_7.5
- [PX-4385] Prevent token refresh during PrivX UI restart action
- [PX-4538] Host-deployment script supports custom attribute in account settings
- [PX-4690] Host-deployment script supports setting other certificate templates (GitHub, GitLab, Tectia)
- [PX-4526] When a role request includes multiple steps, email is sent after each step's approval
- [PX-4748] Network access session client UI should indicate when it has lost connectivity to PrivX
- [PX-4648] File transfer landing page is greyed out when user has only "File Transfer" option allowed
- [PX-4499] Search and pagination functions added to the API clients list view
- [PX-4473] Allow Kubernetes containers to be run with custom privx uid/gid
Bug fixes
- [PX-4823] Create AWS directory is broken
- [PX-4723] Extender client version and build number are incorrectly reported on status page
- [PX-4716] Role revoking via workflows not working if "permanent" membership is not ticked
- [PX-4701] Opening additional tabs in PrivX Carrier Firefox crashes the browser
- [PX-4692] Monitor service instance status endpoint always returns HTTP 200
- [PX-4688] Custom attribute value is not used as san-upn in X.509v3 certificate template
- [PX-4678] Deploy script fails on Fedora 35 as 'hostname' command is not available
- [PX-4651] Existing workflows only retain the "Permanent" option after upgrade
- [PX-4629] Username attribute is not editable after save in host configuration
- [PX-4626] RDP Bastion connection times out too quickly when client prompts for user credentials
- [PX-4623] SSH web client newline treatment differs between pasting methods
- [PX-4610] Incorrect host service status in some cases
- [PX-4600] Incorrect file size in audit events
- [PX-4573] PrivX does not recognize OpenLDAP pwdMustChange setting for user
- [PX-4568] User with vault-add can not share personal secret when adding a new secret
- [PX-4559] Sometimes users cannot login if PrivX and database restarted at the same time
- [PX-4510] Deleted users still visible before UI refreshing
- [PX-4492] Not all OIDC user attributes are persisted for HA setup
- [PX-4422] Secret Vault UI fails to load after upgrade to PrivX 21
- [PX-4394] All services do not always start in PrivX Kubernetes environment
- [PX-4264] Incorrect instruction on the extender deployment page
- [PX-4704] Health check should not trigger error message to sshd event logs
Known Issues
[PX-4853] Password rotation scripts on Windows 2012 do not work
Windows 2012 R2 uses PowerShell 4.0, which is not supported by the current password rotation templates.
- Workaround: Create a password rotation template for Win2012
[PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
[PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
[PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
[PX-1875] Web proxy login does not work if the login page makes requests to multiple domains
[PX-2947] No sound when viewing recorded rdp-mitm connection.
[PX-3086] PrivX role mapping to AD OU not working as expected.
[PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
[PX-4035] Token refresh does not work and tabs do not share session state on Safari 14.1.1
[PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
[PX-4352] UI shows deleted local user after delete
[PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
- Workaround: Restart affected Carrier and Web-Proxy services.
[PX-4650] Setting access_token_valid to "1m" kicks the user out to the login page
[PX-4662] Pasting larger text amount in Carrier/Proxy host fails (limited to 16kB for now)
[PX-4689] PrivX Linux Agent leaving folders in /tmp
[PX-4752] Web UI may show network target connection live when it's actually dropped
[PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
[PX-4837] Connections may stop working after password rotation is disabled on the host
Cause: Due to a bug, if you leave an account password empty in the host configuration, the rotated password is not saved for future connections once the password rotation flag is disabled on the host.
Workaround: Enter any string as the password for the target account, even if you intend to rotate the password using an admin account.
22.3
2022-04-19
PrivX 22.3 is an incremental release on top of PrivX 22.2 with golang security update.
- [PX-4861] Update golang to 1.17.9
22.2
2022-04-07
PrivX 22.2 is an incremental release on top of 22.1 with security update.
- [PX-4632] Update OpenSSL version to 1.1.1n
22.1
2022-02-22
PrivX 22.1 is an incremental release on top of 22.0 with security update and bug fix.
Bug fix and improvement
- [PX-4651] Existing workflows only retain the "Permanent" option after upgrade.
You still need to apply the workaround (see Known Issues section below) if you already upgraded to PrivX 22.0 version.
- [PX-4666] golang upgrade to version 1.17.7
22.0
2022-01-31
Important Notes
Old license back end is no longer supported
Communications on Changing to the New License Back End started from PrivX 19 and now the old license back end is no longer available. If you face issues because your PrivX instances are not switched to use the new license back end, please contact support.
Web-Proxy upgrade in offline environments
Web-Proxy upgrade on machines without Internet access may fail due to new dependencies. In such cases, manually install the missing dependencies and try upgrading again.
End of life for Legacy Certificates
PrivX 22 will no longer support workaround for legacy X.509 certificates which do not contain server FQDN in Subject-Alt-Name extension field. Please upgrade your server certificates to include SAN extension before upgrading to PrivX 22.
Existing workflows only retain the "Permanent" option after upgrade
After upgrade to PrivX 22, existing workflows will lose their Restricted and Floating restrictions. You will need to go through each workflow, re-enable desired options, and also re-set max duration values.
This issue will be addressed in the next release.
Deprecation Warnings
CentOS 8 is no longer supported
PrivX does not support CentOS 8 release because CentOS 8 reached end of life during December 2021. From PrivX 21, Rocky Linux 8 is supported. You may Migrate to Rocky Linux.
SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.
Practical attacks against SHA-1 have been demonstrated in 2017 and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
Azure AD Graph deprecated by June
Microsoft is deprecating Azure AD Graph by June 2022. This also deprecates PrivX-to-Azure integrations via Azure AD Graph. Future PrivX versions will move to support integrations via Microsoft Graph API.
Supported releases and upgrade path
After this release, we produce security and stability fixes for PrivX 22.x, 21.x and 20.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.
Upgrading to this version is supported from three previous major versions (21.x, 20.x, 19.x). If you are planning to upgrade from an older version, please contact support.
New features
- [PX-4113] Support for accessing network targets
- [PX-4418] ICAP antivirus integration for RDP-proxy and WEB file transfers
- [PX-4054] Support non-tunneled VNC connections. Enable this feature under Administration→Settings→Global→RDP Common
- [PX-3771] AD/LDAP directory supports Mapping Directory Users to Additional Accounts.
- [PX-3770] PrivX AD/LDAP users can change directory password in PrivX GUI
- [PX-3768] Approvers can revoke the approved roles within the same role request
- [PX-3660] Workflow can limit the membership and duration options that users are able to request
- [PX-4268] List views in PrivX UI show the size of the list
- [PX-4199] Display host tags in available Connections
- [PX-4383] PrivX UI shows details of Extender/Carrier/WebProxy under Monitoring→Status. Remember to upgrade Extender/Carrier/WebProxy
- [PX-4353] Role search API supports filters
- [PX-4310] List all workflow requests as API client
Improvements
- [PX-4550] Remove non-functional options from PrivX Unix Agent help text
- [PX-4513] Support ARM architecture for Extenders
- [PX-4469] Remove watchdog scripts from PrivX components to avoid installation conflicts
- [PX-4461] Option to configure connection message timeout value. Increase the value if connecting to a host frequently fails because of network latency
- [PX-2919] Show only roles eligible for request to users when requesting
Bug fixes
- [PX-4599] PrivX uses only one Tectia SHA2 algorithm x509v3-sign-rsa-sha512@ssh.com
- [PX-4578] PrivX as client supports only diffie-hellman-group14-sha1 for FFDHE KEX
- [PX-4541] vault-manage permission does not grant right to list secrets
- [PX-4533] Vault REST API allows secret data enumeration when user has admin or vault-manager permissions
- [PX-4505] Owner of personal secret without vault-add can edit read and write roles of a secret
- [PX-4479] License version data might not be up-to-date after PrivX upgrade
- [PX-4443] Notification email is only sent to final approvers when a workflow consists of more than one step
- [PX-4428] Backup does not backup /opt/privx/scripts/local-env file
- [PX-4393] Inconsistency in audit events
- [PX-4388] Non-unique web target fails with error 500
- [PX-4369] Remove "disabled" filter for available hosts
- [PX-4366] Services report "RUNNING" status when they are actually cleaning up and about to exit
- [PX-4288] SCIM directory does not return 404 as response for deleting non-existent user
- [PX-4267] Extender fails to reconnect to PrivX
Known Issues
[PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
[PX-1711] - RDP fails to connect to target in maintenance mode, need support for /admin flag
[PX-1835] - Extender/Carrier/WebProxy configs are not migrated on upgrade
[PX-1875] - Web proxy login does not work if the login page makes requests to multiple domains
[PX-2947] - No sound when viewing recorded rdp-mitm connection.
[PX-3086] - PrivX role mapping to AD OU not working as expected.
[PX-3529] Wrong CA key is copied on the host when running the deployment script using extender
[PX-4035] Token refresh does not work and tabs do not share session state on Safari 14.1.1
[PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
[PX-4469] - PrivX components status page may show incorrect "Active connections" value
[PX-4629] Username attribute is not editable after save
[PX-4650] Setting access_token_valid to "1m" kicks the user out to the login page
- Workaround for the workflow issue listed under Important Notes (existing workflows only retain the "Permanent" option after upgrade): After upgrade, admin must go through each workflow, enable desired options, and also set a max duration value.
21.4
2022-04-07
PrivX 22.2 is an incremental release on top of 22.1 with security update.
- [PX-4632] Update OpenSSL version to 1.1.1n
21.3
2022-02-22
PrivX 21.3 is an incremental release on top of v21.2 with security update
- [PX-4666] Upgrade golang to version 1.16.14
21.2
2022-01-31
PrivX 21.2 is an incremental release on top of v21.1 to address security issues.
Improvements
- [PX-4520] golang upgrade
21.1
PrivX 21.1 is an incremental release on top of v21.0 to address a few minor configuration and security issues.
This release includes only new version to PrivX server, and there are no updated versions of PrivX Carrier/WebProxy/Extender components.
Improvements
- [PX-4435] Disable the token fingerprint checking by default
- [PX-4434] golang 1.16.10 upgrade
21.0
Important Notes
Old license back end is no longer supported
A new license back end has been taken into use from PrivX 16, and the old back end will no longer be supported by PrivX 19 and future releases. Read Changing to the New License Back End to check if you need to take any actions. PrivX instances that are still connected to old license back end may stop working after 31.12.2021.
Deprecation Warnings
CentOS 8 is no longer supported from PrivX 21 release
PrivX will not support CentOS 8 from this release because CentOS will reach end of life around December 2021. From PrivX 21, Rocky Linux 8 is supported. You may Migrate to Rocky Linux.
SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.
Practical attacks against SHA-1 have been demonstrated in 2017 and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
Workaround for Legacy Certificates
If your existing PrivX installation has been integrated to systems that use legacy X.509 certificates (certificate CN equals FQDN, and does not contain a Subject-Alt-Name extension), then follow these steps when upgrading to PrivX 19:
Install PrivX-21 RPM without automatic postinstall:
# SKIP_POSTINSTALL=1 yum install PrivX-21.0-....
Enable legacy-x509-certificate support:
# echo "GODEBUG=x509ignoreCN=0" >> /opt/privx/scripts/local-env
Run postinstall manually:
# /opt/privx/scripts/postinstall.sh
Update your legacy certificates as soon as possible! This workaround for supporting legacy X.509 certificates is temporary and the support will be terminated in PrivX 22 and later.
Supported releases and upgrade path
After this release, we produce security and stability fixes for PrivX 21.x, 20.x and 19.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.
Upgrading to this version is supported from three previous major versions (20.x, 19.x, 18.x). If you are planning to upgrade from an older version, please contact support.
New features
- [PX-2890] Support for add and sharing personal secrets. Access this feature under Secrets tab
- [PX-1761] Support [file transfer in web-target connections](doc:connecting-via-the-privx-gui#web-gui-usage)
- [PX-4106] OIDC login with native ssh client on Windows. See [Connecting Directly Using privx-cmd](doc:ssh-connections-with-native-clients#connecting-directly-using-privx-cmd)
- [PX-3640] PrivX installation support on Rocky Linux 8
Bug fixes
- [PX-3436] Support web connections for vmWare vSphere web logins
- [PX-3634] Issues with web login on HP iLO 5
- [PX-4396] User sometimes gets logged out from PrivX after re-login
- [PX-4163] HA-environment licenses may fail to refresh
- [PX-4382] UI service restart: sometimes only monitor-service restarted when restarting from UI
- [PX-4357] Vault API: Secret search ignore sortdir parameter
- [PX-4355] Secrets table item roles rendering improvement
- [PX-4348] Statistics enabled for auth and connection-manager despite the license type
- [PX-4341] Requests to /status endpoint in proxies/mitms may cause unnecessary extender / carrier / web-proxy related calls
- [PX-4327] UI: ssh proxy / ssh bastion settings edit views had a wrong mention of "RDP"
- [PX-4306] Focus does not move to password field after entering username in User-Defined SSH connection
- [PX-4303] python-sdk: api.search_requests() makes call to wrong endpoint
- [PX-4292] Websocket concurrent write causes panic
- [PX-4287] Slow audit event loading on connection details page
- [PX-4277] Sftp MKDIR command fails against Tectia Server 6.4.19
- [PX-4276] Remote address is resolved incorrectly for extender and icap websocket connections
- [PX-4270] rdp-mitm pagination: redemption shows duplicated targets for the same machine
- [PX-4262] privx-cmd incorrectly handles system-trusted PrivX server certificates
- [PX-4220] OIDC users do not expire from cache
- [PX-4212] Proxy/mitm services do not start when adding string to 'target blacklist'
- [PX-4205] User-Defined RDP works randomly due to empty password being sent
- [PX-4198] get_authorizer-api-v1-cas -> "public_key_string" has extra blank space at the end
- [PX-4178] 'Certificate is not trusted' prompt is shown again after clicking 'accept & save'
- [PX-4105] Api call "get_role-store-api-v1-users-user-id-resolve" where both explicit and implicit role mapping values are always false
- [PX-4093] "--clean" option fails when running postinstall script on existing PrivX with external DB
- [PX-4086] Editing authorized key dates for not before/after fails
- [PX-4060] License page contains misinformation when file-license in use but file missing
- [PX-3990] Audit events name: inconsistent usage of uppercase and lowercase
- [PX-3932] PrivX backup folder does not include version information
- [PX-3870] RDP-PROXY: File download false EOF failure even when file transfer succeeds
- [PX-3252] Explicit role mappings and user settings are not cleaned after user is deleted
- [PX-2900] Role member list is not updated when deleting local users.
- [PX-1740] User can accidentally restore privx from wrong folder resulting in broken privx
Improvements
- [PX-4349] Document max_instances config variable in extender / carrier / web-proxy toml templates
- [PX-4281] Remove/change misleading comment from PrivX 20 configs
- [PX-4271] Documenting log rotation as part of PrivX installation
- [PX-4261] Remove docker deps from carrier RHEL8 rpm
- [PX-4246] Change bastion connection nomenclature in the UI
- [PX-4216] Update example nginx.conf to work with Client cert auth and OIDC login with native SSH client
- [PX-4202] Status check page /status.html is brought back
- [PX-4151] Device IP is added to refresh and access token to prevent misuse
- [PX-4140] postinstall.sh: scripts should detect if they are run interactively or not
- [PX-4128] Make "credential" secret a default type in PrivX
- [PX-4104] Add "remote address" to event logs
- [PX-3993] Commands enhancement to privx-cli
Known Issues
[PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
[PX-1711] - RDP fails to connect to target in maintenance mode, need support for /admin flag
[PX-1835] - Extender/Carrier/WebProxy configs are not migrated on upgrade
NOTE: In case of manual changes in the extra component .toml files:
- Before upgrading, please copy the .toml files to another folder.
- After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
[PX-1875] - Web proxy login does not work if the login page makes requests to multiple domains
[PX-2947] - No sound when viewing recorded rdp-mitm connection.
[PX-3086] - PrivX role mapping to AD OU not working as expected.
[PX-3529] Wrong CA key is copied on the host when running the deployment script using extender
[PX-4035] Token refresh does not work and tabs do not share session state on Safari 14.1.1
[PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
[PX-4422] Secret Vault UI fails to load after upgrade to PrivX 21 if secrets were sorted according to some column.
Workaround: Clear your browser cache and reload the page.
[PX-4428] Backup does not backup /opt/privx/scripts/local-env file
[PX-4438] Browser file uploads might fail in web container
In web target connection, file upload may get stuck at 100% transferred, then fails.
Workaround: Define nobumpSites in /etc/squid/squid.conf as follows:
acl nobumpSites ssl::server_name .file.io
ssl_bump splice nobumpSites
where file.io is the example target website.
Then restart squid: systemctl restart squid
NOTE: Apply this workaround with caution. Login with a stored password to the configured website will not work after this workaround is applied.
20.1
PrivX 20.1 version addresses some of the issues found in previous versions.
Improvements and bug fixes
- [PX-4295] Smart card authentication does not work. No smart card icon is shown on Windows Server 2016 logon screen
- [PX-4341] Requests to /status endpoint in proxies/mitms may cause unnecessary extender / carrier / web-proxy related calls
- [PX-4349] Document max_instances config variable in extender / carrier / web-proxy toml templates
- [PX-4396] Refresh-verify cookie does not have expire time
20.0
Important Notes
Old license back end is no longer supported
A new license back end has been taken into use from PrivX 16, and the old back end will no longer be supported by PrivX 19 and future releases. Read Changing to the New License Back End to check if you need to take any actions.
Deprecation Warnings
CentOS 8 End of Support Imminent
CentOS 8 support will be terminated once the operating system reaches end of life (around December 2021). PrivX support will continue normally on other supported platforms. Going forward, Rocky Linux will be supported in PrivX 21 and later.
SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.
Practical attacks against SHA-1 have been demonstrated in 2017 and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
Workaround for Legacy Certificates
If your existing PrivX installation has been integrated to systems that use legacy X.509 certificates (certificate CN equals FQDN, and does not contain a Subject-Alt-Name extension), then follow these steps when upgrading to PrivX 20:
Install PrivX-20 RPM without automatic postinstall:
# SKIP_POSTINSTALL=1 yum install PrivX-20.0-....
Enable legacy-x509-certificate support:
# echo "GODEBUG=x509ignoreCN=0" >> /opt/privx/scripts/local-env
Run postinstall manually:
# /opt/privx/scripts/postinstall.sh
Update your legacy certificates as soon as possible! This workaround for supporting legacy X.509 certificates is temporary and the support will be terminated in PrivX 22 and later.
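The legacy-certificate workaround above (in both the 21.0 and 20.0 sections) and the "End of life for Legacy Certificates" notes hinge on one property: whether a server certificate carries a Subject Alternative Name extension or relies on the CN alone. The following shell script is an added example, not part of the PrivX release notes or of the PrivX product; it assumes only the openssl command-line tool is installed (1.1.1 or later for the -addext option used to build the sample certificates), and the host name privx.example.com and the file names are constructed placeholders:

```shell
#!/bin/sh
# Added example (not from the PrivX release notes or the PrivX product).
# Checks whether PEM certificates are "legacy" X.509 certificates in the sense
# of the release notes: CN set, but no Subject Alternative Name extension.
# PrivX 22 and later no longer honour GODEBUG=x509ignoreCN=0, so such
# certificates must be reissued with a SAN before upgrading.
# Assumes only the openssl command-line tool (1.1.1 or later for -addext).

# cert_subject_cn FILE: print the subject CN of a PEM certificate (empty if none).
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# cert_san_entries FILE: print the DNS:/IP Address: entries of the SAN
# extension, one per line; prints nothing when the extension is absent.
cert_san_entries() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' |
        tail -n 1 |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//' |
        grep -E '^(DNS|IP Address):'
}

# cert_has_san FILE: exit 0 if the certificate has at least one SAN entry.
cert_has_san() {
    [ -n "$(cert_san_entries "$1")" ]
}

# check_legacy_certs FILE...: print one line per certificate and return 1 if
# any of them lacks a SAN (i.e. would be rejected by PrivX 22 and later).
check_legacy_certs() {
    rc=0
    for f in "$@"; do
        cn=$(cert_subject_cn "$f")
        if cert_has_san "$f"; then
            echo "OK      $f  CN=$cn  SAN: $(cert_san_entries "$f" | tr '\n' ' ')"
        else
            echo "LEGACY  $f  CN=$cn  no subjectAltName: reissue before upgrading"
            rc=1
        fi
    done
    return $rc
}

# make_demo_cert OUT CN [SAN]: constructed sample input for this example, a
# throw-away self-signed certificate (private key written to OUT.key).
# SAN is e.g. "DNS:privx.example.com,DNS:privx"; omit it to get a legacy cert.
make_demo_cert() {
    out=$1; cn=$2; san=$3
    if [ -n "$san" ]; then
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -days 1 -subj "/CN=$cn" -addext "subjectAltName=$san" \
            -keyout "$out.key" -out "$out" >/dev/null 2>&1
    else
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -days 1 -subj "/CN=$cn" -keyout "$out.key" -out "$out" >/dev/null 2>&1
    fi
}

# Demo on two constructed certificates; the expected report is one LEGACY line
# (CN only, as older tooling produced) and one OK line.
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir/legacy.pem" privx.example.com
make_demo_cert "$demo_dir/modern.pem" privx.example.com "DNS:privx.example.com,DNS:privx"
check_legacy_certs "$demo_dir/legacy.pem" "$demo_dir/modern.pem" || true
rm -rf "$demo_dir"
```

To check a real deployment, call check_legacy_certs with the PEM files PrivX and its integrated systems actually present (for example the nginx server certificate and any target or directory certificates); a nonzero exit status means at least one certificate still depends on the CN-only matching that the workaround enabled.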
Upgrading to the Latest Version
- Upgrading to this version is supported from three previous major versions (19.x, 18.x, 17.x)
- If you are planning to upgrade from an older version, please contact support.
Supported Releases
We produce security and stability fixes for the three latest major releases (20.x, 19.x, 18.x).
New Features
- [PX-2046] Running PrivX in Kubernetes. This allows container-based deployment for faster (re)deployment and better scaling.
- [PX-3976] Centralised access to all your SSH products.
- [PX-3956] UI options to invert RDP image scaling, for improved sharpness.
- [PX-3541] OIDC-login support for native SSH clients.
- [PX-2489] Connection search supports new filters "Type" and "Mode"
- [PX-1170] PostgreSQL database as notification back end.
- Improved security over Redis as notification back end, Redis no longer required.
- Recommended in all PrivX deployments with optimal PostgreSQL performance.
Improvements and bug fixes
- [PX-4095] Support for OAuth2 scopes in authorize request
- [PX-4072] The user should see only usable secrets on connection page
- [PX-4182] PrivX HTTP response for SCIM POST for duplicates returns incorrect status code
- [PX-4181] Missing number of hosts on the directories page for SCIM directory
- [PX-4144] RoleContext-role-blocked incorrectly
- [PX-4142] The certificate data given to the RDP client differs in format from that used in host objects
- [PX-4141] connection-manager: disconnected timestamp remains after connection goes from Timeout to Connected status
- [PX-4138] SSH-Bastion: incorrect session added audit event for forwarded-tcpip channels
- [PX-4136] License manager generates no audit events
- [PX-4103] Save button disabled when creating secret
- [PX-4101] AWS NLB health check results into SSH-MITM error log prints
- [PX-4096] "password authentication failed" error seen in postinstall output when PostgreSQL user password contains colon ":"
- [PX-4074] redemption_cert.sh uses wrong openssl command when passphrase-protecting the private key
- [PX-4064] UI: restart dialog does not detect that back end has started after restart
- [PX-4041] SSH-MITM panics if client connection is closed before target connection fails
- [PX-4038] SSH2 public key parsing fails for ssh-keygen-g3 generated keys
- [PX-4037] Host-store not starting when using file_based license without license
- [PX-3966] API reference doc's /authorizer: faulty principal response schema
- [PX-3962] Go language packages upgrades
- [PX-3951] Virtual smartcard allows arbitrary signing operations after RDP smartcard login
- [PX-3943] MFA API enable/disable endpoints fixes
- [PX-3942] GET /role-store/api/v1/users/{user_id}/resolve endpoint - missing information in response
- [PX-3928] API reference doc's/workflow-engine: faulty response in create workflow and request
- [PX-3921] API reference doc's: faulty response object in connection-manager
- [PX-3899] Body parameters are not seen in api/docs but they are required
- [PX-3895] API reference docs for license manager. Response schema object has faulty data types
- [PX-3869] Rolestore API docs: include_deleted does not exist
- [PX-3837] Wrong error message when local user login with incorrect password
- [PX-3692] User store/trusted client's body params are not up to date inside the API reference doc
- [PX-3590] Secret name does not strip white spaces
- [PX-3589] Duplicate name error not visible on Secret creation
- [PX-2864] Old approve role members can still approve workflow requests, even if role has been removed from workflow approvers
Known Issues
[PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
[PX-1711] - RDP fails to connect to target in maintenance mode, need support for /admin flag
[PX-1835] - Extender/Carrier/WebProxy configs are not migrated on upgrade
NOTE: In case of manual changes in the extra component .toml files:
- Before upgrading, please copy the .toml files to another folder.
- After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
[PX-1875] - Web proxy login does not work, if login page does requests to multiple domains
[PX-2947] - No sound when viewing recorded rdp-mitm connection.
[PX-3086] - PrivX role mapping to AD OU not working as expected.
[PX-3529] Wrong CA key is copied on the host when running the deployment script using extender
[PX-4035] Token refresh does not work and tabs do not share session state on Safari 14.1.1
[PX-4218] RDP native clients do not work when root permissions have been disabled in Kubernetes environment (default config)