
Release Notes for This Release

28.1

2023-03-17

PrivX 28.1 is an incremental release on top of 28.0 with bug fixes and a security update.

  • [PX-5830] Incorrect data version number in monitor-service.toml
  • [PX-5825] Incorrect data version number in role-store.toml
  • [PX-5808] Microservices may crash at start due to cached sessions in Redis
  • [PX-5801] Update to golang.org/x/net package to version 0.8

28.0

2023-03-01

Important Notes for This Release

Azure-Directory Migration to MS Graph

If you have set up Azure user/host directories using the Azure AD Graph API, such directories will be automatically migrated to the MS Graph API when you upgrade to PrivX 28. After the upgrade, you will still need to manually set the following API permissions for the PrivX app in the Azure Portal:

Microsoft Graph → Application Permissions

  • User.Read.All
  • Groups.Read.All

Azure AD Graph API shall be deprecated in June 2023.

For more information about setting up Azure directories with MS Graph, see Azure AD as a User Directory via Microsoft Graph API.

PrivX-Carrier rpm package no longer includes the default carrier container

Instead, it downloads the container from the Internet. After upgrade, make sure to re-download your carrier-config.toml via the PrivX UI and verify which browser container version you wish to use.
See the documentation for more details.

Deprecation Warnings

PostgreSQL 9.x and 10.x Support Ending

PostgreSQL 9.x and 10.x reached end of life in 2021 and 2022, respectively, and support for these database versions will be dropped in a future PrivX release.

SHA-1 Certificate End of Support Imminent

Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.

Practical attacks against SHA-1 were demonstrated in 2017, and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.

Supported releases and upgrade path

After this release, we produce security and stability fixes for PrivX 28.x, 27.x, and 26.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.

Upgrading to this version is supported from three previous major versions (27.x, 26.x, 25.x). For more information about upgrading from older versions, see Upgrade from Older Releases.

New Features

  • [PX-4308] Improve audit-event-search performance with trigram indexing.
  • [PX-5584] Validate the WinRM certificate in the password rotation service

Improvements

  • [PX-3574] Principal keys of roles are not generated during role creation, but on demand
  • [PX-4376] Audit events are generated for housekeeping actions
  • [PX-4825] MFA reset/init generates an audit event
  • [PX-4993] Service health check also detects protocol version and latency
  • [PX-5114] Allowed IP addresses for an authorized key increased from 16 to 256
  • [PX-5168] Allow less strict target URL checking for web connections
  • [PX-5208] Role drop-down list shows more than 100 results
  • [PX-5212] New host tag "privx-ssh-certificate-template" for configuring certificate templates
  • [PX-5367] Add logging of kex methods to hybrid kex handlers
  • [PX-5372] Carrier browser is not shipped in PrivX-Carrier rpm packages
  • [PX-5462] Post-install script checks for PostgreSQL before prompting for local vs. external DB.
  • [PX-5486] Rewrite role-store Azure cloud module to use the new SDK version
  • [PX-5516] Move deleted "role ID to name mappings" to role-store
  • [PX-5522] Optimize connection-manager DB queries on UEBA status check
  • [PX-5528] Button to disable UEBA configuration
  • [PX-5549] Link to session-specific audit events directly from the monitor / sessions view
  • [PX-5637] UI: remove "JSON" from setting titles
  • [PX-5684] Add "Windows" key to Send Keys
  • [PX-5685] License check relaxed to improve SCIM sync performance
  • [PX-5692] Relax nginx proxy_read_timeout for audit event search and connection search endpoints
  • [PX-5704] UI text refresh, dropping all-caps styles to improve readability

Bug fixes

  • [PX-4824] Possible to supply an invalid access group ID through the API
  • [PX-5066] Network target search API endpoint doesn't work with an API client
  • [PX-5289] Wrong response code when creating a host with a duplicate 'instance id'
  • [PX-5391] UEBA: cannot delete model if server is misconfigured
  • [PX-5429] Access group admin cannot accept host key
  • [PX-5514] Audit event does not have the MODIFICATIONS property for WebAuthn credentials
  • [PX-5575] Monitoring status page components disappear after disconnect
  • [PX-5588] Improve error message for session cache size
  • [PX-5593] WebAuthn: cancelling the addition of a passkey was treated as an error
  • [PX-5596] Services health check status does not get updated outside health check scans
  • [PX-5608] Settings endpoint PUT fails with HTTP 400
  • [PX-5623] carrier: return a proper error when resolveContainerPort() fails
  • [PX-5639] Microsoft Graph role store user provider does not return all users
  • [PX-5649] OIDC login fails if jwks_uri contains keys that go-jose can't handle
  • [PX-5667] Connection attempt to a host with empty data causes RDP Proxy panics
  • [PX-5668] Host search does not find any matches when searching by service address
  • [PX-5677] Host keyword search should not target JSON data
  • [PX-5682] Cannot delete a secret with special characters in its name
  • [PX-5696] postinstall may fail to start nginx
  • [PX-5730] Odd behavior when editing script templates
  • [PX-5731] Panic in extender service after restart attempt
  • [PX-5762] ssh-mitm: SFTP ICAP scan for uploaded files leaves the connection-specific empty scan directory behind
  • [PX-5770] Housekeeping task may remove trails unintentionally

Known Issues

  • [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
    • Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:

      # scp -i key.pem principals_command.sh user@target:/tmp/
      # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"

  • [PX-1711] RDP fails to connect to a target in maintenance mode; needs support for the /admin flag
  • [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
  • [PX-1875] Web proxy login does not work if the login page makes requests to multiple domains
  • [PX-2947] No sound when viewing a recorded rdp-mitm connection.
  • [PX-3086] PrivX role mapping to AD OU not working as expected.
  • [PX-3529] Default access group CA key is always copied to the host when running the deployment script via Extender
  • [PX-4215] A successful OIDC login might generate an auth code that is too long to pass as a query parameter, which causes access-token fetching to fail (there is a workaround in the Nginx config since PrivX 27.0)
  • [PX-4218] RDP native clients do not work in a Kubernetes environment when running under a non-root account
  • [PX-4352] UI shows deleted local user after delete
  • [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
    • Workaround: Restart affected Carrier and Web-Proxy services.
  • [PX-4650] Setting access_token_valid to "1m" kicks the user out to the login page
  • [PX-4662] Pasting a larger amount of text into a Carrier/Proxy host fails (limited to 16 kB for now)
  • [PX-4689] PrivX Linux Agent leaves folders in /tmp
  • [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
  • [PX-5394] SSH certificate authentication connections fail after rotating the PrivX CA key
  • [PX-5558] PrivX does not support the "password change required" option for a user in the auth flow via WebAuthn.
  • [PX-5798] Typing becomes slower while the mouse is hovering over a clickable link in the web client
    • Workaround: In an open connection, click Settings, then under Advanced, disable Clickable Links.
  • [PX-5760] RDP Proxy fails to start.

Note: Chromium password manager is not yet supported for Chromium containers.