Release Notes for This Release

38.0

2025-02-27

38.0 is a major release with new features.

After this release, we provide security and stability fixes for PrivX 38.x, 37.x, and 36.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.

Supported upgrade paths to this release are:

  • Upgrade with downtime: 35.x, 36.x, 37.x
  • Zero-downtime upgrade: 37.x

Important Notes for This Release

PrivX 36 LTS (long-term support) is available. We are committed to providing 2-year support for each PrivX LTS release. Please do not upgrade to PrivX 38 if you chose the LTS path.

Changes to sshexec and exec router control commands

Network-access manager now sends an extra {session parameters} argument to the control commands of sshexec routers and exec routers.

  • For sshexec router, Network-access manager now executes the fixed commands:
    /opt/privx/privx-router/sshexec/add {network parameters} {router parameters} {session parameters} [{static config}]
    /opt/privx/privx-router/sshexec/del {network parameters} {router parameters} {session parameters} [{static config}]
  • For exec routers, Network-access manager now executes the fixed commands:
    /opt/privx/privx-router/exec/add {network parameters} {router parameters} {session parameters} [{static config}]
    /opt/privx/privx-router/exec/del {network parameters} {router parameters} {session parameters} [{static config}]

The {session parameters} argument contains the session parameters in JSON format, for example:

{
  "session_id": "f5d747f6-af79-412b-4471-b6f5043c90ce",
  "target_id": "07bee1e7-7061-4a90-4831-f501bcbc778e",
  "target_name": "ot-sshexec-target"
}

This change may break existing sshexec/exec routers that can't accommodate the extra argument. Such scripts/binaries will need to be changed to support the additional argument.

For more information about sshexec/exec routers, see PrivX Router Configuration.
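Added example (not part of the release notes or the PrivX product): a Python argument parser for an sshexec/exec router add or del command that accepts both the pre-38 layout and the new layout with the extra {session parameters} argument. It assumes the network and router parameter blobs can be treated as opaque strings and that only the session argument is JSON containing session_id.

```python
"""Argument handling for a PrivX sshexec/exec router control command (add/del).

Assumption (not from the release notes): {network parameters} and {router
parameters} are opaque strings; {session parameters} is a JSON object that
always carries "session_id".
"""
import json
import sys
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RouterArgs:
    network: str
    router: str
    session: Optional[dict]        # None when called by a pre-38 Network-access manager
    static_config: Optional[str]   # the optional trailing [{static config}] argument


def _as_session(arg: str) -> Optional[dict]:
    """Return the parsed object if `arg` looks like {session parameters}, else None."""
    try:
        obj = json.loads(arg)
    except ValueError:
        return None
    return obj if isinstance(obj, dict) and "session_id" in obj else None


def parse_router_args(argv: List[str]) -> RouterArgs:
    """Accept both positional layouts so one script survives the 38.0 change.

    pre-38: {network} {router} [{static config}]
    38+:    {network} {router} {session} [{static config}]
    """
    if len(argv) < 2:
        raise SystemExit("usage: {network parameters} {router parameters} "
                         "[{session parameters}] [{static config}]")
    network, router, rest = argv[0], argv[1], list(argv[2:])
    session = _as_session(rest[0]) if rest else None
    if session is not None:
        rest.pop(0)              # consume the session argument; anything left is static config
    if len(rest) > 1:
        raise SystemExit("too many arguments")
    return RouterArgs(network, router, session, rest[0] if rest else None)


if __name__ == "__main__":
    args = parse_router_args(sys.argv[1:])
    # Log the session id so router actions can be correlated with the PrivX audit trail.
    sid = args.session["session_id"] if args.session else "-"
    print(f"router command: network={args.network!r} router={args.router!r} session={sid}")
```

A static-config argument that is itself a JSON object containing a "session_id" key would be misdetected as session parameters, so keep that key out of static configs.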

PrivX GUI Supports WCAG Level AA

PrivX GUI has been verified to support Web Content Accessibility Guidelines (WCAG) at level AA, which ensures content accessibility for a wider audience, including operators with disabilities. For more information, see the PrivX Accessibility Conformance Report.

Retaining SID extensions in RDP-certificate authentication

In PrivX 36, RDP certificates issued by PrivX for authentication contain the SID extension by default. Some legacy use cases are interrupted in some customer environments because of missing or mismatching SID values. From PrivX 37 onward, PrivX supports a setting to control whether the SID extension is included in RDP certificates.

If you are upgrading from 36.0 or 36.1 and want to keep your existing default settings for RDP certificates, you will need to perform additional configuration. You can perform this configuration either before or after the upgrade:

Option 1: Configure before upgrade

Configuring before upgrade allows RDP certificate authentication to work throughout the upgrade process.

  1. Gain root terminal access to any PrivX Server, add the following lines right after the AUTHORIZER.logging section in /opt/privx/etc/settings-default-config.toml:

    [AUTHORIZER.ca_settings]
    rdp_x509_include_sid = true
  2. Apply the new settings with:

    sudo /opt/privx/bin/settings-tool -command migrate

    RDP-certificate authentication will work as normal throughout the upgrade process.

Option 2: Configure after upgrade

If you choose to configure after upgrade, RDP certificate authentication will not work until the following configurations are done.

  1. After upgrade, go to Administration→Settings→Authorizer, then under CA Options, enable the setting Add Security ID extension to RDP X.509 certificates.

    Save your changes. RDP-certificate authentication should function normally again.

Upgrade not supported with old PostgreSQL versions

You cannot upgrade to PrivX 35, 36, 37, or 38 if your PrivX deployment uses PostgreSQL version 10 or earlier. For successful upgrade, your PrivX Database must run on PostgreSQL 11 or later.

Note that PostgreSQL 11 has already reached EOL and PrivX support for it will be dropped soon, so we recommend upgrading to at least PostgreSQL 12.x or later.

If postinstall.sh fails to correctly determine your PostgreSQL version during upgrade, see this guide for troubleshooting.

Increased upgrade duration

Upgrading to this version from PrivX 35 or older may take somewhat longer, especially in environments with many hosts and principals. The information for connections (disconnected prior to the upgrade) under the Monitoring page might not appear for some time (proportionally longer based on the amount of data).

Deprecation Warnings

Pure whitespace names disallowed

From version 37 onward, PrivX will no longer be able to create items whose names consist purely of spaces. Also, you will be unable to update such items until their names are changed to contain some visible character(s).

agent-proxy Deprecation imminent

The agent-proxy functionality will be removed in PrivX versions 39 and later.

The agent-proxy functionality allowed SSH clients using privx-agent to connect to Extender targets through ssh-proxy. In recent PrivX versions, you can instead use native SSH clients via SSH Bastion, as described here.

Amazon Linux 2 support Ending

PrivX aims to end installation support for Amazon Linux by June, 2025. See Migrate from EOL Operating Systems to migrate to a supported OS.

PostgreSQL 11.x Support Ended

PostgreSQL 11.x reached end of life in Nov. 2023, and official support for this version ends with this release.

SHA-1-Certificate End of Support Imminent

Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.

By default PrivX will not trust certificates with SHA-1 signatures unless they are self-signed. Re-enabling trust for such certificates requires setting the GODEBUG=x509sha1=1 environment variable for PrivX microservices and tools.

Practical attacks against SHA-1 have been demonstrated in 2017 and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.

New Features

Bug Fixes

  • [PX-7182] RDP Proxy cert login fails to recover after crash showing "No valid certificates were found on this smart card"
  • [PX-7186] Role details page might take too long to load if HSM keys are being generated
  • [PX-7243] RDP session login screen resizes incorrectly when heading is configured for the host
  • [PX-7245] SSH-Proxy not logging ConnectionFailed audit events
  • [PX-7249] Target domains: an (Ignored=False) filter returns ignored scanned accounts
  • [PX-7251] Target domains: scanned accounts with a false "Managed" status
  • [PX-7257] OIDC users with Administrator permissions cannot see Administration > Workflows pages.
  • [PX-7263] UI banner for user license related grace period is not shown
  • [PX-7268] Active Directory OIDC login fails if external_id is mapped using one-to-many attribute mapping in PrivX directory settings.
  • [PX-7277] Password rotation certificate validation fails with matching access-group certificate if the target host's certificate has a different DNS name than the password rotation address or the target's real certificate
  • [PX-7285] settings.toml has invalid data_version
  • [PX-7291] Workflow-engine is unresponsive when receiving too many role requests per workflow
  • [PX-7336] Carrier container listens to too many network interfaces
  • [PX-7353] network-access-manager: disabled network targets are listed as accessible network targets
  • [PX-7354] Error Dialog Window stuck unless page is refreshed
  • [PX-7371] Carrier and Web-Proxy Version number missing from status page
  • [PX-7372] Background migration of connections_old table may get stuck during upgrade from PrivX 35 or 36 to 37.
  • [PX-7374] DB Proxy connection in connections table might have zero timestamp if connection failed early
  • [PX-7383] Possible race condition in audit event partitions might cause monitor-service to crash when restoring PrivX from backups

Known Issues

  • [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI

    • Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:

      # scp -i key.pem principals_command.sh user@target:/tmp/
      # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
  • [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag

  • [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade

  • [PX-1875] Web proxy login does not work if the login page makes requests to multiple domains

  • [PX-2947] No sound when viewing recorded rdp-mitm connection.

  • [PX-3086] PrivX role mapping to AD OU not working as expected.

  • [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender

  • [PX-3655] remoteApp cannot be restored after it's minimized

  • [PX-3887] RDP connection to Remote Desktop Server(RDS) Farm is not supported.

  • [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account

  • [PX-4352] UI shows deleted local user after delete

  • [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.

    • Workaround: Restart affected Carrier and Web-Proxy services.
  • [PX-4662] Pasting larger text amount in Carrier/Proxy host fails (limited to 16kB for now)

  • [PX-4689] PrivX Linux Agent leaving folders in /tmp

  • [PX-4778] RDP-PROXY: file under scanning can not be overwritten

  • [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.

  • [PX-5558] PrivX does not support password change required option for user in auth flow via passkey.

  • [PX-5587] Live playback of WEB will be stuck in live after disconnecting by closing the carrier browser

  • [PX-5589] User cannot login with PrivX Agent if password includes a SPACE at start/end

  • [PX-6209] Attribute mapping for OIDC does not work, if idtoken source attribute name is not all lowercase

  • [PX-6464] Secret-manager crashes if the database doesn't have a valid TLS certificate

  • [PX-6490] PrivX RDP session screen corrupts in Windows 2008 via Chrome and Edge browsers

  • [PX-6636] Web-target vCenter keystrokes do not work properly in the BIOS/GRUB menu

  • [PX-7393] Role mapping rules: an "Any Rule Matches" group with nested groups causes an error

  • [PX-7524] Host search sort does not work

Important API Changes

PrivX 38 is released with go sdk v2, which introduces numerous enhancements that standardize API behavior across all services, simplify API calls, and streamline query parameter handling. go sdk v2 introduces changes that are not backwards-compatible: integrations built with v1 may need to be adapted to work correctly with v2.

You can continue using the v1 sdk. However, no further updates are provided for v1. The final PrivX version fully supporting sdk v1 is PrivX 37. While we will address critical bugs or significant API changes that may affect v1, all new features and improvements will only be available in sdk v2.

We strongly encourage users to adopt sdk v2 to take advantage of new features and enhancements.
