These docs are for v22. Click to read the latest docs for v33.

Release Notes for This Release

22.4

2022-06-28
PrivX 22.4 is an incremental release on top of PrivX 22.3 with a golang security update.

  • [PX-4861] Update golang to 1.17.11

22.3

2022-04-19
PrivX 22.3 is an incremental release on top of PrivX 22.2 with a golang security update.

  • [PX-4861] Update golang to 1.17.9

22.2

2022-04-07
PrivX 22.2 is an incremental release on top of 22.1 with a security update.

  • [PX-4632] Update OpenSSL version to 1.1.1n

22.1

2022-02-22
PrivX 22.1 is an incremental release on top of 22.0 with a security update and a bug fix.

Bug fix and improvement

  • [PX-4651] Existing workflows only retain the "Permanent" option after upgrade.
    You still need to apply the workaround (see the Known Issues section below) if you have already upgraded to PrivX 22.0.
  • [PX-4666] golang upgrade to version 1.17.7

22.0

2022-01-31

Important Notes

Old license back end is no longer supported
Communications about changing to the new license back end started with PrivX 19, and the old license back end is now no longer available. If you face issues because your PrivX instances have not been switched to the new license back end, please contact support.

Web-Proxy upgrade in offline environments
Web-Proxy upgrade on machines without Internet access may fail due to new dependencies. In such cases, manually install the missing dependencies and try upgrading again.

End of life for Legacy Certificates
PrivX 22 no longer supports the workaround for legacy X.509 certificates that do not contain the server FQDN in the Subject Alternative Name (SAN) extension field. Please upgrade your server certificates to include the SAN extension before upgrading to PrivX 22.

Existing workflows only retain the "Permanent" option after upgrade
After upgrading to PrivX 22, existing workflows lose their Restricted and Floating restrictions. You need to go through each workflow, re-enable the desired options, and re-set the max duration values.

This issue will be addressed in the next release.

Deprecation Warnings

CentOS 8 is no longer supported
PrivX does not support CentOS 8 because CentOS 8 reached end of life in December 2021. Rocky Linux 8 is supported from PrivX 21 onwards, and you may migrate to Rocky Linux.

SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.

Practical attacks against SHA-1 were demonstrated in 2017, and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
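
A pre-upgrade check for the two certificate notices above (no SAN entry for the server FQDN, SHA-1 signature), as an added example that is not part of PrivX or of these release notes. It uses Go's standard crypto/x509 package; the function names Findings and SampleCert and the example.test host names are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

// Findings lists what the SAN and SHA-1 notices would flag for host fqdn.
func Findings(cert *x509.Certificate, fqdn string) []string {
	var out []string
	if len(cert.DNSNames) == 0 && len(cert.IPAddresses) == 0 {
		out = append(out, "no SAN entries (legacy CN-only certificate)")
	} else if cert.VerifyHostname(fqdn) != nil { // matches SAN entries only, never the CN
		out = append(out, "SAN does not cover "+fqdn)
	}
	switch cert.SignatureAlgorithm {
	case x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		out = append(out, "SHA-1 signature: "+cert.SignatureAlgorithm.String())
	}
	return out
}

// SampleCert builds and re-parses a constructed self-signed certificate.
func SampleCert(cn string, sans []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: sans}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	const host = "db01.example.test" // constructed host name
	for _, sans := range [][]string{nil, {"db02.example.test"}, {host}} {
		cert, err := SampleCert(host, sans)
		if err != nil {
			panic(err)
		}
		fmt.Println(sans, Findings(cert, host))
	}
}
```

For a real server certificate, decode the PEM file with encoding/pem and pass the result of x509.ParseCertificate to Findings.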

Azure AD Graph deprecated by June
Microsoft is deprecating Azure AD Graph by June 2022. This also deprecates PrivX-to-Azure integrations via Azure AD Graph. Future PrivX versions will move to support integrations via Microsoft Graph API.

Supported releases and upgrade path

After this release, we produce security and stability fixes for PrivX 22.x, 21.x and 20.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.

Upgrading to this version is supported from three previous major versions (21.x, 20.x, 19.x). If you are planning to upgrade from an older version, please contact support.

New features

  • [PX-4113] Support for accessing network targets
  • [PX-4418] ICAP antivirus integration for RDP-proxy and WEB file transfers
  • [PX-4054] Support non-tunneled VNC connections. Enable this feature under Administration→Settings→Global→RDP Common
  • [PX-3771] AD/LDAP directory supports Mapping Directory Users to Additional Accounts.
  • [PX-3770] PrivX AD/LDAP users can change directory password in PrivX GUI
  • [PX-3768] Approvers can revoke the approved roles within the same role request
  • [PX-3660] Workflow can limit the membership and duration options that are available for users to request
  • [PX-4268] List views in PrivX UI show the size of the list
  • [PX-4199] Display host tags in available Connections
  • [PX-4383] PrivX UI shows details of Extender/Carrier/WebProxy under Monitoring→Status. Remember to upgrade Extender/Carrier/WebProxy
  • [PX-4353] Role search API supports filters
  • [PX-4310] List all workflow requests as API client

Improvements

  • [PX-4550] Remove non-functional options from PrivX Unix Agent help text
  • [PX-4513] Support ARM architecture for Extenders
  • [PX-4469] Remove watchdog scripts from PrivX components to avoid installation conflicts
  • [PX-4461] Option to configure connection message timeout value. Increase the value if connecting to host frequently fails because of network latency
  • [PX-2919] Show users only the roles eligible for request when requesting

Bug fixes

  • [PX-4599] PrivX uses only one Tectia SHA2 algorithm [email protected]
  • [PX-4578] PrivX as client supports only diffie-hellman-group14-sha1 for FFDHE KEX
  • [PX-4541] vault-manage permission does not grant right to list secrets
  • [PX-4533] Vault REST API allows secret data enumeration when user has admin or vault-manager permissions
  • [PX-4505] Owner of personal secret without vault-add can edit read and write roles of a secret
  • [PX-4479] License version data might not be up-to-date after PrivX upgrade
  • [PX-4443] Notification email is only sent to final approvers when a workflow consists of more than one step
  • [PX-4428] Backup does not back up /opt/privx/scripts/local-env file
  • [PX-4393] Inconsistency in audit events
  • [PX-4388] Non-unique web target fails with error 500
  • [PX-4369] Remove "disabled" filter for available hosts
  • [PX-4366] Services report "RUNNING" status when they are really cleaning up and about to exit
  • [PX-4288] SCIM directory does not return 404 as response for deleting non-existent user
  • [PX-4267] Extender fails to reconnect to PrivX

Known Issues

  • [PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
    • Workaround: To correct SELinux context, copy the principals_command.sh to correct location:

      # scp -i key.pem principals_command.sh user@target:/tmp/
      # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"

      
  • [PX-1711] - RDP fails to connect to target in maintenance mode, need support for /admin flag

  • [PX-1835] - Extender/Carrier/WebProxy configs are not migrated on upgrade
  • [PX-1875] - Web proxy login does not work, if login page does requests to multiple domains

  • [PX-2947] - No sound when viewing recorded rdp-mitm connection.

  • [PX-3086] - PrivX role mapping to AD OU not working as expected.

  • [PX-3529] Wrong CA key is copied on the host when running the deployment script using extender
  • [PX-4035] Token refresh does not work and tabs do not share session state on Safari 14.1.1
  • [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
  • [PX-4469] - PrivX components status page may show incorrect "Active connections" value
  • [PX-4629] Username attribute is not editable after save
  • [PX-4650] Setting access_token_valid to "1m" kicks the user out to the login page
    • Workaround: After upgrade, admin must go through each workflow, enable desired options, and also set a max duration value.