
Release Notes for This Release

26.2

2023-03-10
PrivX 26.2 is an incremental release on top of 26.0 with critical bug fixes and security updates.

  • [PX-5808] Microservices may crash at start due to cached sessions in Redis
  • [PX-5770] Housekeeping task may remove trails unintentionally
  • [PX-5701] Update to golang 1.19.6
  • [PX-5673] Update to openssl 1.1.1t

26.0

2022-11-02

Deprecation Warnings

SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.

Practical attacks against SHA-1 were demonstrated in 2017, and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.

Supported releases and upgrade path

After this release, we produce security and stability fixes for PrivX 26.x, 25.x, and 24.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.

Upgrading to this version is supported from three previous major versions (25.x, 24.x, 23.x). For more information about upgrading from older versions, see Upgrade from Older Releases.

New features

Improvements

  • [PX-5132] Document missing permissions in public docs
  • [PX-5083] Validate user settings
  • [PX-5064] Unified naming conventions for binaries and configuration files
  • [PX-5012] Optimization on setting roles of logged in users
  • [PX-5008] Add new Cert API Endpoints to the Golang SDK
  • [PX-5007] Add new Identity Provider API Endpoints to the Golang SDK
  • [PX-5006] Add missing Network Access Manager API Endpoints to Golang SDK
  • [PX-4619] postinstall.sh writes timestamp and PrivX version when starting install or upgrade
  • [PX-3762] Deployment script supports AWS instance metadata version 2
  • [PX-4772] PrivX deployment on Kubernetes 1.24 is supported

Bug fixes

  • [PX-5398] Session playback may cause high CPU usage
  • [PX-5395] RDP-PROXY: can not create subdirectory in Files tab
  • [PX-5342] MS Graph: number of users is incorrect with applied group names
  • [PX-5318] In Kubernetes deployment context-based role restriction on time may not work correctly
  • [PX-5316] Upgrading PrivX-Kube breaks AWS directory as ACCESS KEY ID is changed
  • [PX-5297] API search function should accept empty POST body
  • [PX-5275] Audit events search returns wrong count
  • [PX-5272] monitor-service should not return component's hostname in status query
  • [PX-5261] Workflow requests API call returns 0 count
  • [PX-5240] Host search returns zero items
  • [PX-5219] Microservices may fail to contact syslog after server reboot
  • [PX-5207] Host tag comparison works only with lower case tags
  • [PX-5214] Restricted shell does not require all sub commands to match patterns from the same whitelist object
  • [PX-5201] Restricted shell does not handle linefeed character correctly in terminal emulator
  • [PX-5186] SSH command restrictions whitelist patterns cannot be easily used to block input/output redirection
  • [PX-5181] Host-removed audit event has incorrect accessGroupID field
  • [PX-5173] OIDC user's roles do not reflect OIDC server side changes during PrivX access token refresh
  • [PX-5172] User may be incorrectly kicked out during token refresh if using multiple tabs in web UI
  • [PX-5170] Secrets vault search may fail with filter + keyword combination
  • [PX-5164] SSH session playback may stop after a short while because the wrong connection ID is checked
  • [PX-5119] host-store and role-store error messages updated
  • [PX-5093] Secret vault UI doesn't show deleted roles nicely
  • [PX-5058] troubleshoot.sh doesn't collect postgresql-*.log from /var/lib/pgsql/data/log folder on Rocky Linux 8
  • [PX-5000] Golang SDK query parameters missing for SearchUsers request
  • [PX-4944] SCIM push may create duplicate roles
  • [PX-4862] Host health checks do not allow instance specific filtering
  • [PX-4845] UI: Script template compiled script should not highlight normal text

Known Issues

  • [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
    • Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:

      # scp -i key.pem principals_command.sh user@target:/tmp/
      # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"

  • [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
  • [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
  • [PX-1875] Web proxy login does not work, if login page does requests to multiple domains
  • [PX-2947] No sound when viewing recorded rdp-mitm connection.
  • [PX-3086] PrivX role mapping to AD OU not working as expected.
  • [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
  • [PX-4035] Token refresh does not work and tabs do not share session state on Safari 14.1.1
  • [PX-4215] Successful OIDC login might generate an auth code that is too long to pass as a query parameter, causing access-token fetching to fail
  • [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
  • [PX-4352] UI shows deleted local user after delete
  • [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
    • Workaround: Restart affected Carrier and Web-Proxy services.
  • [PX-4650] Setting access_token_valid to "1m" kicks the user out to the login page
  • [PX-4662] Pasting larger text amount in Carrier/Proxy host fails (limited to 16kB for now)
  • [PX-4689] PrivX Linux Agent leaving folders in /tmp
  • [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
  • [PX-5432] Publickey login to SSH bastion using RSA authorized keys fails when using openssh-8.8 or later
    • Workaround: Use key types other than RSA, or enable the ssh-rsa signature type for publickey authentication:

      # ssh -o "PubkeyAcceptedAlgorithms +ssh-rsa" ...

  • [PX-5760] RDP Proxy fails to start.